Virus:Worm.VBS.Netlog

Other versions: .h, .i

Aliases
Worm.VBS.Netlog (Kaspersky Lab) is also known as: VBS.Netlog (Kaspersky Lab), VBS/Netlog (McAfee), Trojan Horse (Symantec), VBS/Netload-A (Sophos), VBS/Netlog* (RAV), VBS/Netlog.Q (FRISK), VBS:NewLove (ALWIL), VBS.Netlog.B (SOFTWIN), VBS/Netload (Panda), VBS/Netlog.AD (Eset)
Description added Feb 06 2002
Behavior VBS Virus
Technical details

This is a worm written in the Visual Basic Script language (VBS). It spreads through a network by copying itself to other computers on the network.

Upon being activated, the worm generates a random network IP address (for example 145.65.28.0) and tries to connect to all computers in this network. It steps the last octet of the address from 1 to 255, attempting a connection at each address. If a connection is accepted, the worm copies itself to drive C: of the connected computer, into the following folders:

C:\
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP
C:\WINDOWS
C:\WINDOWS\START MENU\PROGRAMS\STARTUP
C:\WIN95\START MENU\PROGRAMS\STARTUP
C:\WIN95\STARTM~1\PROGRAMS\STARTUP
C:\WIND95

If all computers in this network are inaccessible, the worm generates a new network IP address.

The worm creates the file "C:\NETWORK.LOG" and records all of its activity in it. The file content appears as follows:

Log file Open
Subnet : 145.65.28.0
Subnet : 23.44.93.0
Subnet : 50.112.201.0
Subnet : 176.3.138.0
Copying files to : \\176.3.138.5\C
Successfull copy to : \\176.3.138.5\C

The spreading ability of this worm is very low, because searching for a victim computer takes a lot of time and most computers reject the requested connection.
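
For incident response, a recovered NETWORK.LOG shows which subnets were scanned and which hosts received a copy. The parser below is an added example, not part of the original description; the function name, the report keys and the /24 interpretation of each "Subnet" line are assumptions, and the sample log is constructed.

```python
import ipaddress
import re

# Line shapes follow the log excerpt above; "Successfull" is the worm's spelling.
SUBNET = re.compile(r"^Subnet\s*:\s*(\S+)$")
ATTEMPT = re.compile(r"^Copying files to\s*:\s*\\\\([^\\\s]+)\\(\S+)$")
SUCCESS = re.compile(r"^Successfull copy to\s*:\s*\\\\([^\\\s]+)\\(\S+)$")

def _ip(text):
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:  # malformed address: the line will be reported as unparsed
        return None

def triage_network_log(text):
    """Summarise a recovered NETWORK.LOG: scanned subnets, hosts to clean, leftovers."""
    report = {"subnets": [], "infected": set(), "attempted_only": set(), "unparsed": []}
    attempted = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Log file Open":
            continue
        for pattern, kind in ((SUBNET, "subnet"), (ATTEMPT, "attempt"), (SUCCESS, "success")):
            m = pattern.match(line)
            ip = _ip(m.group(1)) if m else None
            if ip is None:
                continue
            if kind == "subnet":
                # Assumption: /24, because the worm varies only the last octet.
                report["subnets"].append(ipaddress.IPv4Network(f"{ip}/24", strict=False))
            elif kind == "attempt":
                attempted.add(str(ip))
            else:
                report["infected"].add(str(ip))
            break
        else:
            report["unparsed"].append(line)
    report["attempted_only"] = attempted - report["infected"]
    return report

# Constructed sample in the format shown above (not a real capture).
SAMPLE = r"""Log file Open
Subnet : 145.65.28.0
Subnet : 176.3.138.0
Copying files to : \\176.3.138.5\C
Successfull copy to : \\176.3.138.5\C
Copying files to : \\176.3.138.9\C
Subnet : 999.1.1.0
"""
```

Hosts in "infected" should be checked for the worm's copies in the folders listed above; hosts in "attempted_only" accepted a connection but have no logged successful copy.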
