VBS/Netlog.Worm - VBS script virus

Siehe auch

Vollständig

Alias:	Network.vbs
Type:	Worm
Size:	~
Origin:
Date:	00-00-0000
Damage:	Spreads over shared directories.
VDF Version:	6.23.00.00
Danger:	Low
Distribution:	Low

DistributionLooks for IP addresses and shared directories. It copies itself on them.

Technical DetailsVBS/Netlog is written in Visual Basic Script.

Version A: Netlog.A
When activated, the worm creates the log file "c:\network.log", which contains:
Log file Open

The worm generates a random IP address and writes it in the log file:

Subnet:*.*.*.0 every star ("*") is a number.

The worm connects to an IP address (1-254) and searches on all systems for access to drive C:/. If access is granted, the drive is mapped as J:/ on the infected computer and the worm writes in the log file:

Copying files to:\\*.*.*.*\C

Then the worm copies itself on the remote computer as:
j:\network.vbs
j:\windows\network.vbs
j:\windows\start menu\programs\startup\network.vbs
j:\win95\start menu\programs\startup\network.vbs j:\win95\startm~1\programs\startup\network.vbs
j:\wind95\network.vbs
This is the PC infecting procedure.

The next system start will activate the worm. When the file is copied, the log file reads:

Successfull copy to : \\*.*.*.*\C

Finally, the worm connects to the next address of SubNetz or to another random IP address and restarts the procedure.

Version B: Netlog.B
This version consists in two files. It copies itself as:
C:\windows\start menu\programs\startup\network.vbs
C:\windows\start menu\programs\startup\network.exe

It maps this drive as Z:\ (not J:\ as does version A). When creating the log file, "c:\network.log", the drive is changed accordingly.

Kurzfassung hier.

Beschreibung erstellt von Crony Walker am Tue, 15 Jun 2004 14:00 (GMT+1)

» Über Malware
» Über Phishing
» In-the-Wild-Viren

« zurück