Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Symantec Intelligence

10th Anniversary of the Anna Kournikova virus

Created: 10 Feb 2011 • Updated: 10 Feb 2011
Paul Wood's picture
+1 1 Vote
Login to vote

Q. What’s the only computer virus to ever appear in an episode of Friends?

A. The Anna Kournikova virus (celebrating its tenth birthday on February 11, 2011)

10 years ago, on 11 February 2001, the Anna Kournikova virus swept the internet, tricking email users everywhere into opening a mail message that appeared to contain a picture of the famous Russian tennis beauty. Instead of providing the image promised, the virus plundered the user’s email inbox, accessed their address book, and sent itself to every contact in it. The virus wreaked such havoc that our analysts at the time commented that it was "spreading twice as fast as the Love Bug", the notorious ILOVEYOU virus we identified before anybody else back in 2000.

The Anna Kournikova virus - or Vbs.SST@mm to use its full Symantec virus name - was not only impressively prolific it was also one of the first signs of an important shift in the history of cybercrime. Instead of being created & unleashed by a ‘script kiddie’, it was one of the first of the major viruses created from a virus toolkit called VBSWG, one of the first scripting toolkits to be programmed in Visual Basic. The tooltit was originally developed by a young Argentinean, before being later used by Dutch programmer to create the Anna Kournikova virus that was released into the wild.

Also known as VBS/SST, VBS_Kalamar, and VBS/OnTheFly, the virus posed as an attachment (AnnaKournikova.jpg.vbs) and purported to be a picture of the teenage tennis heartthrob included in an email with one of several similar subject lines, one of which can be seen in the example below. Curiously, the same subject was used in the "Here You Have" virus (W32.IMSOLK.B@mm) on 9 September 2010.

At the time it was compared to the Love Bug virus from the year before, and appeared to be spreading twice as fast. In the first five hours after blocking the initial copies from the outbreak, more than 2,900 copies had been caught from 290 different domains.

Toolkits make writing viruses uncomplicated and much easier, requiring less-technical knowledge to operate, and now play an important role in crimeware. They are often made up of bundles of malicious code tools used to facilitate the launch of attacks on networked computers. The kits are advertised and sold in the online underground economy — a black market of servers and forums where cybercriminals advertise and trade stolen information and services. According to Symantec data one major kit, ZeuS, alone accounted for more than 90,000 unique malicious code variants as of August 2009. In 2010, a major new version of ZeuS was released—ZeuS 2.0.32 -  with a significant price increase of up to $8,000 for a basic package.

Since 2001, cybercrime has grown and developed into a self-sustaining, organised multi-billion dollar enterprise partly because of the ease with which toolkits can be ordered and used for nefarious purposes. Cybercriminals don’t need to know much about computer code today, they just need to visit an underground website, purchase a toolkit and use it to send out malicious code to victims.

In this context, the Anna Kournikova virus has an impressive legacy. Arguably more impressive than the tennis player herself.

For more information on crimeware and malicious toolkits, please also read Symantec's ISTR Mid-Term Report: Attack Toolkits and Malicious Websites.