New Kit Renews E-Mail Worm Scare
March 13, 2001
A slew of new worms may be on their way to your e-mail inbox even if you run anti-viral software.
A new version of VBS Worm Generator, the virus creation program used to write the Anna Kournikova worm in February, has been released by the program's creator, who claims that worms created with the newest version of his program will be undetectable by most antiviral software.
The new tool's ease of use -- including its remarkably lucid help file -- indicates the next generation of worms will reduce the number of copycat worms, which in turn will make them harder to contain once they are released in the wild.
The writer of the VBS Worm Generator program, an Argentine teenager formerly known as Kalamar (who now wishes to be known simply as [K], complete with brackets), released Version 2 of VBS Worm Generator on Friday and followed it with a bug patch on Monday.
"This is a very impressive tool," said Dave Kroll, director of security research at Finjan Software.
"Our security team has reviewed the new tool and is very impressed with its simplicity and ease of use. A lot of bugs have been fixed since the first version," Kroll said. "Worms created by this tool can spread and attack using multiple methods (e-mail, IRC, file infections), and it will be difficult to detect or remove them.
"This signals a new age in worm generation. Unique worms now can be created with ease -- you won't see copycat variants like ILOVEYOU had. Each new worm will be new code and unique. Worms generated with this tool may wreak havoc on anti-virus software. We expect to see new worms coming in the near future that will spread very fast," Kroll said.
Version 2.0 of the program is now available on several Argentine websites, including the site owned by [K]. It is free and an easy download at 208 kilobytes.
VBS Worm Generator Version 2 contains a simple point-and-click interface that allows even the most non-technical person to create and e-mail a virus.
"If they can manage to find the website and download the program they can create a powerful virus and e-mail it around the globe with absolutely no effort or thought," said Ken Durham of Security Focus.
[K] informs users of the software that any worms created with his free program are not his responsibility.
"You have to agree to take full responsibility of any damage caused by the files that you could create with this program. The files created with this program may have the ability of really fast spreading by e-mail around the world, and that could hang up some e-mail servers. The worms are just for learning, not for spreading," [K] states in the program's documentation.
OnTheFly, the 20-year-old from Holland who created and spread the virulent Anna Kournikova worm, has since expressed remorse for unleashing the program.
"This program and the files created with it are for educational purpose only," [K]'s notice continues. "You have to agree that [K] is not responsible for any damage caused by the files that you are going to create."
VBS 2.0 has an extensive and impressive help file, which guides a wannabe worm writer through the process.
"This guy's help section is easier to understand and work with than the help functions included with most mainstream software," said Dave Smith, a support technician with Techserve.
As in previous versions of VBS, a user simply clicks on clearly labeled boxes to create the worm.
New features include a fast-spreading option that allows a VBS v.2 worm to look for and infect other devices on the network.
The worm kit also has a new encryption scheme that allows viruses to sneak under anti-viral software's radar by varying the virus' code.
Many anti-viral applications look for specific sets of codes when screening for viruses. The upgraded version creates a random 10-number variation on the codes, making each released copy of the virus appear to be different.
[K] noted in the documentation for the program that he has Norton anti-viral 2001, Kaspersky Anti-Virus (AVP), McAfee and F-Secure's "Fprot" installed on his home machine, "and none of them detect my worms."
Officials at F-Secure's main office in Finland and Kaspersky's Switzerland offices could not be reached for comment. McAfee and Symantec did not immediately reply to e-mail queries about whether their software could protect against Version 2.
Finjan Software's desktop product, SurfinShield, blocks any .VBS worm because it monitors the real-time behavior of code, and does not use a database of virus signatures, Kroll said. This new proactive approach is gaining a lot of acceptance as a good way to complement traditional, reactive anti-virus software.
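An added illustration, not code from the article or from any product named in it, of the contrast drawn above: a byte signature taken from one captured copy misses a second copy whose bytes differ, while a policy over observed run-time behavior flags both. The sample bytes, event names, rule weights and threshold are all constructed for this sketch.

```python
# Added illustration; every sample, event name, weight and threshold below
# is constructed and does not describe any real product's rules.

# Stand-ins for two differently encoded copies of one script, plus an
# unrelated script. The copies share no common byte run.
COPY_A = bytes.fromhex("5b1e77a40c93d2e8416fb03a9915c7de")
COPY_B = bytes.fromhex("c4820f6ab17d359e06e1d85f2a7b4390")
BENIGN = bytes.fromhex("11223344556677889900aabbccddeeff")

# Signature database built from the single captured copy (COPY_A).
SIGNATURES = {"captured-copy": COPY_A[4:12]}

def signature_scan(body):
    """Return the names of byte signatures found in the file body."""
    return [name for name, sig in SIGNATURES.items() if sig in body]

# Behavior rules: (name, events that must all be observed, weight).
RULES = [
    ("mass-mail-self", {"enumerate_address_book", "mail_own_file"}, 3),
    ("recreate-after-delete", {"own_file_deleted", "write_own_file"}, 2),
    ("owner-key-write", {"regwrite_RegisteredOwner"}, 1),
    ("irc-script-drop", {"write_irc_client_script"}, 2),
]
BLOCK_AT = 3  # block once the combined weight reaches this score

def behaviour_verdict(events):
    """Score observed run-time events; return (blocked, matched rule names)."""
    seen = set(events)
    hits = [(name, w) for name, required, w in RULES if required <= seen]
    score = sum(w for _, w in hits)
    return score >= BLOCK_AT, [name for name, _ in hits]

# Constructed traces, as a monitor watching the script host might record them.
WORM_TRACE = ["enumerate_address_book", "mail_own_file",
              "regwrite_RegisteredOwner", "own_file_deleted", "write_own_file"]
ADMIN_TRACE = ["read_file", "regwrite_RegisteredOwner", "write_log"]

if __name__ == "__main__":
    for label, body, trace in [("copy A", COPY_A, WORM_TRACE),
                               ("copy B", COPY_B, WORM_TRACE),
                               ("admin script", BENIGN, ADMIN_TRACE)]:
        print(label, signature_scan(body), behaviour_verdict(trace))
```

The single registry write in the administrative trace matches a rule but stays under the threshold, which is how a behavior policy avoids blocking ordinary scripts that share one action with a worm.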
Other new features of VBS 2 include the ability to attach an executable program to the worm, which in theory would allow a user to create a more dangerous worm because an executable file (.exe) can do more damage than a Visual Basic script.
"Chances are an unskilled worm writer won't know what to do with this feature, since they would need to have access to a virus-laden .exe file to attach," Techserve's Smith said. "I suppose a more skilled programmer could do something useful with it, but most computer users are aware that they shouldn't click on an executable file."
As in previous versions, worms created with VBS Worm Generator will replicate quickly.
Clicking on the "anti-deletion" option while creating a worm will program the worm to check whether it has been deleted, and if it has, to re-create itself. The only way to delete it is to press the Control/Alt/Delete keys and close "Wscript" in the pop-up window that appears.
Worms created with VBS Worm Generator are able to infect files and shut down an infected computer. [K] notes the shutdown feature doesn't work with machines running Windows 2000.
A new feature allows the worm writer to change the name of a computer's registered owner by changing the information contained in "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner" to any name chosen by the worm's creator.
[K], who did not reply to an e-mailed request for an interview, had previously told Durham he would not be releasing new versions of the program.
It was assumed that this was a reaction to the widespread publicity over the Anna worm. [K] stated it was a choice he had made before the Kournikova debacle, but he refused to explain why he wouldn't be updating.
[K] now states in the program documentation that he didn't update the program earlier because the source code to VBS Worm Generator was lost when his own computer's hard drive crashed.
© 2001 - The Lubbock Avalanche-Journal, by Michelle Delio WIRED News