Worm.VBS.Netlog.l

Aliases
Worm.VBS.Netlog.l  ( Kaspersky Lab ) is also known as: VBS.Netlog.l ( Kaspersky Lab ), VBS/Netlog.worm ( McAfee ),   VBS.Cable ( Symantec ),   VBS/Cable-A ( Sophos ),   VBS/Netlog.L* ( RAV ),   VBS_CABLE.A ( Trend Micro ),   VBS/Netlog.L ( H+BEDV ),   VBS/Netlog.B ( FRISK ),   VBS:Malware ( ALWIL ),   VBS/Netlog ( Grisoft ),   VBS.Netlog.I ( SOFTWIN ),   VBS/Netlog.L ( Eset )

Description added Jul 19 2007
Behavior VBS Virus


Technical details

This worm is 2282 bytes in size. It is written in Visual Basic Script (VBS). It spreads by copying itself to other computers on the local network .

Payload

Once the worm is launched, it selects a rendom network IP address where the first octect is equal to 65 e.g. 65.24.52.0. It will then attempt to connect to all computers on this network, cycling through 1 to 255 for the final octet of the IP address.

If the worm is able to establish a connection, a shared network disk x: will be created on the infected machines.

The worm then copies the following files: c:\windows\startm~1\programs\startup\_chubby.vbs c:\sys32.exe

to the startup directory on the networked disk: x:\windows\startm~1\programs\startup

It also copies c:\sys32.exe to the x: root directory. The network disk will then be disabled.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the worm process.
  2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
  3. Find and delete the following files from all directories: _chubby.vbs sys32.exe
  4. Update your antivirus databases and perform a full scan of the computer ( download a trial version of Kaspersky Anti-Virus).

 
HOME