The Anna Kournikova e-mail worm that whacked networks this week was not the work of a skilled cracker. It was created using one of the many virus-generating kits that are easily available on the Internet.

The kits, which have names like Satanic Brain Virus Tools 1.0, Instant Virus Production Kit, and Ye Olde Funky Virus Generator, make writing a virus a straightforward and uncomplicated task.

If you can install a program on a computer, you can also -- using one of these kits -- write and release a virus just like the authors of Cartman, Poppy and Kenny did.

Anna was created by a 20-year-old Dutch man who calls himself "OnTheFly" using the VBS Worm Generator, an application credited to a cracker known as [K]alamar, who is believed to be based in Buenos Aires.


[K]alamar's VBS Worm Generator 1.5 includes a well-written readme file, and an easy-to-understand point-and-click interface.

"A 10-year-old could use [K]alamar's VBS Worm Generator 1.5 to create a worm," said Ken Dunham, a senior analyst with SecurityPortal.

Sporting a polished interface with pop-up windows and handy help files that walk you right through the process, the VBS Worm Generator first asks you to name your virus and designate an author.

The writer of the Anna worm called it OnTheFly, the name he also used as its author.

In the program, the user is then asked to choose a method to spread the virus, either as an e-mail attachment or via Internet relay chat. Either way, the virus is spread via an attachment that is affixed to an e-mail or a file.

OnTheFly opted to transmit Anna by e-mail.

Then comes the fun part. The toolkit asks the user to choose up to four actions, known as payloads, which determine how the virus will affect the computers that it infects.

There are a variety of payloads: flashing sarcastic text messages to the infected machine's user, forcing the computer to connect to any designated website or making the worm crash the infected computer.

OnTheFly chose the least offensive action: Anna was coded to connect to a Dutch computer shop's website next January. OnTheFly stated in an e-mail that he assumed Anna would not be active by next year.

The Anna Kournikova worm is contained in a Visual Basic script (VBS) attachment. When the attachment is clicked, the worm sends itself via e-mail to all addresses found in a user's Outlook address book. The virus also uses encryption to hide itself, a feature included in the kit, which makes it harder for antiviral software to detect it.

"These virus kits are bad juju. People who wouldn't normally dream of releasing a virus are too tempted by the ease of writing and releasing crap with those kits," a cracker named Taltos wrote in an e-mail.

OnTheFly has admitted to being tempted, and has since expressed deep remorse for writing the Anna Kournikova worm.

"And there are going to be more and more of these viruses released, mark my words. Maybe OnTheFly did people a favor by releasing his harmless virus," Taltos said. "Maybe people will wise up and stop clicking on everything that lands in their e-mail boxes before some kiddie unleashes something that's really destructive."

Jesper Johansson, professor of computer science at Boston University, agrees with Taltos. He does not think other virus writers will be deterred by OnTheFly's legal problems.

"Criminals never think they will get caught. I think we will see a lot of 'kit' viruses," said Johansson, adding he has no respect for virus kit users.

"Do I think they are elite? No, I don't. I think they are petty criminals."
"Do they know a lot about the systems they are breaking? No. Do they have a specific objective, such as breaking into System X? No, not usually. These are simple vandals, who basically get their kicks from destroying things for other people. That does not make them elite, nor does it prove how knowledgeable they are, other than in a very narrow circle of like-minded deviants."

Virus creation kits are not new. The Mutation Engine (MtE), Virus Creation Laboratory (VCL), and Phalcon/Skism Mass-Produced Code Generator were developed in the early 1990s, Dunham said.

Richard Smith of the Privacy Foundation, said there are at least 100 virus-writing kits available on the Internet. He believes that creating viruses via kits may replacing childish stunts like prank phone calls -- but are much more insidious.

Smith, who was instrumental in tracking down the authors of both the Melissa and the ILOVEYOU worms, likened the wide availability of virus-creation kits to "giving a loaded gun to a kid."

"The main reason kids and young adults don't release more viruses is that most people know it is wrong and they don't want to go to jail," Smith said. "I think the rather heavy sentences handed out to virus writers and hackers are acting as a deterrent."

Smith believes that e-mail program vendors must also take responsibility, and should put a lock on their products.

"We need to get all the e-mail vendors (Microsoft, Netscape, Lotus, Qualcomm, etc.) to fix this problem of e-mail viruses. Dangerous file attachments such as script files and .exe files should automatically be thrown away," Smith said.

Microsoft has already made the change in Outlook with its e-mail security patch. "But I think Microsoft needs a similar patch for Outlook Express and Hotmail," Smith said. "And other vendors need to follow Microsoft's lead here."

Both Smith and Dunham said that the creators of the kits do have some cracking skills.

"If you're creating a virus-creation utility, you have to know more than the average bear," Dunham said.

But Dunham added that while viruses can easily be created with such tools, distributing them without getting into legal trouble is an entirely different manner.

Dunham said that many users might play with virus kits and only share creations with friends. But only a select few go a bit further and attempt to distribute new viruses on the Internet.

"It takes more knowledge, time and motivation to learn how to conceal your identity as well as being able to create new viruses that are different enough to not be picked up by current antiviral programs on the market," Dunham said.

Dunham also said that OnTheFly demonstrated a great grasp of psychology when he dubbed his worm after the sexy tennis star.

"Imagine if that attachment had been named after someone else. Would that have made a difference? What if Anna had been called SeanConnery.jpg.vbs? You might get only 40 percent of Anna's share on the market with that one."

Dunham thinks that an ElvisPresleyLives.jpg.vbs could be really successful, but believes that something like ExplicitHotPorn.jpg.vbs would have the greatest potential.

"It has everything the average employee is looking for when reading e-mail," Dunham said. "Attachments such as TasksToComplete.jpg.vbs would not be popular."