Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload:
Detection files published: 04 Feb 2000 03:00:00
Description created: 22 Aug 2000 03:00:00
Description updated: 22 Aug 2000 03:00:00
Malware type: WORM
Alias:
Spreading mechanism: NETWORK
Summary: None

VBS/Netlog.Worm

Spreading

VBS/Netlog.Worm propagates by copying itself to shared network drives. When VBS/Netlog.Worm is interpreted, it creates a log file, c:\network.log, and writes "Log file Open" to this file. It then enters a loop, generating random class C IP addresses.

In the first 50 iterations of the loop, the first number of the IP address is between 199 and 215; after 50 iterations, the first number is between 1 and 255. The second and third numbers are always between 1 and 255. On each iteration, the worm writes the following line to the log file:

Subnet : *.*.*.0 (The * is replaced by a number in all examples in this virus description.)

Then the worm goes through all addresses in the subnet, from 1 to 254, and looks for a share named 'C' at each IP address. 'C' is the default share name for a shared 'C:\' drive.

If a share named 'C' is found, the worm maps the share to the local machine as 'J:' and writes a new line to the log file, network.log:



Copying files to : \\*.*.*.*\C

The worm will then try to copy itself to 'j:network.vbs'. If this is successful, a new line is written to network.log:



Successfull copy to : \\*.*.*.*\C

Then it tries to copy itself to six other folders on the remote machine:



j:\windows\startm~1\programs\startup\
j:\windows\
j:\windows\start menu\programs\startup\
j:\win95\start menu\programs\startup\
j:\win95\startm~1\programs\startup\
j:\wind95\

When all files are copied to the remote machine, the worm disconnects the network drive and tries to establish a connection to the next IP address.

The worm will be interpreted on the victim's computer at the next restart.

This worm belongs to the category of slow spreaders. Searching for remote computers to infect takes a lot of time, and the number of connections successfully established will in most cases be relatively low.
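Because the worm logs every subnet it scans and every share it copies to, c:\network.log on an infected machine shows which other hosts need to be checked. The following Python example is added here and is not part of the original description; it parses the three log line formats quoted above, and the function name, the sample log and its addresses are constructed for illustration.

```python
import re

# Line formats as quoted in the description; whitespace around ':' is matched loosely.
SUBNET = re.compile(r"^Subnet\s*:\s*(\d{1,3}\.\d{1,3}\.\d{1,3})\.0\s*$")
SHARE = re.compile(
    r"^(Copying files to|Successfull copy to)\s*:\s*\\\\(\d{1,3}(?:\.\d{1,3}){3})\\C\s*$",
    re.I,
)

def triage_network_log(text):
    """Return scanned subnets, hosts with an open 'C' share, and hosts that received a copy."""
    report = {"opened": False, "subnets": [], "share_found": [], "copied": [], "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "log file open":
            report["opened"] = True
            continue
        m = SUBNET.match(line)
        if m:
            report["subnets"].append(m.group(1) + ".0")
            continue
        m = SHARE.match(line)
        if m:
            key = "copied" if m.group(1).lower().startswith("successfull") else "share_found"
            if m.group(2) not in report[key]:
                report[key].append(m.group(2))
            continue
        report["unparsed"].append(line)  # anything else is kept for manual review
    # Hosts where the share was mapped but no successful copy was logged.
    report["copy_failed"] = [h for h in report["share_found"] if h not in report["copied"]]
    return report

# Constructed sample log (not from a real infection), using documentation address ranges.
SAMPLE_LOG = r"""Log file Open
Subnet : 203.0.113.0
Copying files to : \\203.0.113.17\C
Successfull copy to : \\203.0.113.17\C
Copying files to : \\203.0.113.40\C
Subnet : 198.51.100.0
"""

if __name__ == "__main__":
    for key, value in triage_network_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Hosts listed under `copied` are the ones to scan first; hosts under `copy_failed` exposed a 'C' share but have no successful copy recorded.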

Payload Details

n/a

Analysis

n/a

Removal

Remove this worm by running a virus scan and deleting all infected files. You may also want to delete the log file, c:\network.log.

Visual Basic Script viruses rely on the association between .VBS files and Windows Scripting Host to execute.


Last Updated: 12 Nov 2015 11:06:11