Virus:Worm.VBS.Netlog.i

Other versions: Worm.VBS.Netlog , .h

Aliases
Worm.VBS.Netlog.i  ( Kaspersky Lab ) is also known as: VBS.Netlog.i ( Kaspersky Lab ), VBS/Netlog.worm ( McAfee ),   VBS.A24 ( Symantec ),   VBS/Netlog-J ( Sophos ),   VBS/Netlog.G* ( RAV ),   VBS_NETLOG.G ( Trend Micro ),   VBS/Netlog.G ( H+BEDV ),   VBS/Netlog.G ( FRISK ),   VBS:Malware ( ALWIL ),   VBS/Netlog ( Grisoft ),   VBS.Netlog.G ( SOFTWIN ),   VBS.Netlog.I ( ClamAV ),   VBS/Netlog.G ( Panda ),   VBS/NetLog.G ( Eset )
Description added Jun 19 2007
Behavior VBS Virus
Technical details

This worm is 781 bytes in size. It is written in Visual Basic Script (VBS).

It spreads by copying itself to other computers on the local network.

Payload

Once the worm is launched, it selects a rendom network IP address from a network where the first octect is equal to 24 e.g. 24.91.52.0. It will then attempt to connect to all computers on this network, cycling through 1 to 255 for the final octet of the IP address.

If the worm is able to establish a connection, a shared network disk x: will be created on the infected machines.

The worm then copies c:\windows\startm~1\programs\startup\a24.vbs to the startup directory on the networked disk:

x:\windows\startm~1\programs\startup

The network disk will then be disabled.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the worm process.
  2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
  3. Find and delete the following file:
    a24.vbs
  4. Update your antivirus databases and perform a full scan of the computer ( download a trial version of Kaspersky Anti-Virus).
HOME