Spreads over shared directories.
It looks for IP addresses and shared directories and copies itself to them.
VBS/Netlog is written in Visual Basic Script.
Version A: Netlog.A
When activated, the worm creates the log file "c:\network.log", which contains:
Log file Open
The worm generates a random IP address and writes it in the log file:
Subnet:*.*.*.0
Each star ("*") stands for a number.
The worm connects to each IP address (1-254) and checks every system for access to drive C:/. If access is granted, the drive is mapped as J:/ on the infected computer and the worm writes to the log file:
Copying files to:\\*.*.*.*\C
Then the worm copies itself to the remote computer as:
j:\win95\start menu\programs\startup\network.vbs
j:\win95\startm~1\programs\startup\network.vbs
This is how the PC is infected.
The next system start will activate the worm. When the file is copied, the log file reads:
Successfull copy to : \\*.*.*.*\C
Finally, the worm connects to the next address of the subnet or to another random IP address and restarts the procedure.
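For incident response, the log the worm leaves behind doubles as a list of the machines it reached. The following is an added example, not part of the original description: it parses a "c:\network.log" using the line formats quoted above and returns which hosts to inspect. The function name, the result keys and the sample log (documentation IP ranges) are constructed for illustration.

```python
import re

# Line formats as quoted in the description above; spacing around ':' is tolerated.
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
SUBNET_RE = re.compile(r"^Subnet\s*:\s*" + IP + r"$", re.I)
ATTEMPT_RE = re.compile(r"^Copying files to\s*:\s*\\\\" + IP + r"\\C$", re.I)
SUCCESS_RE = re.compile(r"^Successfull copy to\s*:\s*\\\\" + IP + r"\\C$", re.I)

# Drop locations named in the description, relative to the remote C share.
DROP_PATHS = (r"win95\start menu\programs\startup\network.vbs",
              r"win95\startm~1\programs\startup\network.vbs")

def triage_netlog(text):
    """Sort the hosts named in a Netlog.A log file by what the worm recorded about them."""
    subnets, attempted, copied = [], [], []
    buckets = ((SUBNET_RE, subnets), (ATTEMPT_RE, attempted), (SUCCESS_RE, copied))
    for raw in text.splitlines():
        line = raw.strip()
        for regex, bucket in buckets:
            m = regex.match(line)
            if m and m.group(1) not in bucket:  # keep first-seen order, no duplicates
                bucket.append(m.group(1))
    return {
        "subnets": subnets,
        # A successful copy was logged: the host starts the worm at next boot.
        "copied": copied,
        # Copy attempted but no success line: C: was still reachable from outside.
        "share_open": [h for h in attempted if h not in copied],
        # UNC paths to inspect and clean on each copied-to host.
        "files_to_check": ["\\\\" + h + "\\C\\" + p for h in copied for p in DROP_PATHS],
    }

# Constructed sample log, not taken from a real infection.
SAMPLE_LOG = r"""Log file Open
Subnet:192.0.2.0
Copying files to:\\192.0.2.17\C
Successfull copy to : \\192.0.2.17\C
Copying files to:\\192.0.2.44\C
Subnet:198.51.100.0
Copying files to:\\198.51.100.9\C
Successfull copy to : \\198.51.100.9\C
"""

if __name__ == "__main__":
    for key, values in triage_netlog(SAMPLE_LOG).items():
        print(key, values)
```

Hosts listed under "share_open" were not confirmed as infected but exposed a C: share that the worm was able to reach, so the share itself needs to be closed or restricted.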
Version B: Netlog.B
This version consists of two files. It copies itself as:
It maps this drive as Z:\ (not J:\ as does version A). When creating the log file, "c:\network.log", the drive is changed accordingly.
Description written by Crony Walker on Tuesday, June 15, 2004