Virus:Worm.VBS.Netlog.h

• Technical details
• Payload
• Removal instructions

This worm is 1 851 bytes in size. It is written in Visual Basic Script (VBS).

It spreads by copying itself to other computers on the local network.

Once the worm is launched, it selects a rendom network IP address from a network where the first octect is equal to 24 e.g.24.91.52.0. It will then attempt to connect to all computers on this network, cycling through 1 to 255 for the final octet of the IP address.

If a connection is successfully established, a shared network disk z: will be created on the infected computer.

The worm then copies c:\windows\startm~1\programs\startup\Net-Enh.vbs to the next startup directory on the networked disk:

The worm then copies c:\netwk.log to the z: root directory.

The network disk will then be disabled.

The worm creates a log file where it records the actions taken:

The threat posed by this worm is very low as it spreads extremely slowly. The slow rate of propagation is due to the fact that scanning for computers which can be infected takes a long time. Additionally, the majority of computers which the worm finds may be switched off and therefore impossible to connect to.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the worm process
2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
3. Find and delete the following file:
   Net-Enh.vbs
4. Update your antivirus databases and perform a full scan of the computer ( download a trial version of Kaspersky Anti-Virus).