Threat Encyclopedia


Virus, spyware, worms and other threat descriptions


VBS/Netlog.A worm

VBS/Netlog.A is a worm written in Visual Basic Script. It is able to spread to shared disks within a local computer network. When it is run, it checks whether the file c:\network.log exists and, if so, deletes it. The worm then creates a new c:\network.log and uses it to record its activities.
Next, the worm generates a random IP address of the form A.B.C.1, where A is in the range 199-214 and B and C are in the range 0-255. From the 51st generated IP address onward, the first number of the address is also drawn from the range 0-255. This means that the worm generates the addresses of class C subnets, each of which may contain 255 addresses.
In the next step, the worm tries to map disk C: on each IP address in the generated address space, one after another, and continues until it succeeds. It always maps the disk to the letter J:.
The worm then tries to copy itself to the network disk mapped this way (as disk J:), into the following directories:

j:\windows\startm~1\programs\startup\
j:\windows\
j:\windows\start menu\programs\startup\
j:\win95\start menu\programs\startup\
j:\win95\startm~1\programs\startup\
j:\wind95\

If copying succeeds, the worm will be executed on the remote computer after that computer restarts. Finally, the worm closes the network connection.
The worm keeps a log of its activities in the file c:\network.log. Example:

Log file Open
Subnet : 211.16.99.0
Successfull copy to : 211.16.99.34/C

A peculiarity of this worm is that it contains code for displaying a message announcing the end of its activities, as in its development version VBS/Netlog.gen, but this message is never displayed.
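For incident response, the log the worm leaves in c:\network.log can be used to scope which remote hosts received a copy and where to look on them. The following triage parser is an added example, not part of the original description; it assumes every log line follows the format of the sample above and that the `/C` suffix names the remote share, and the function names are hypothetical.

```python
import ipaddress
import re

# Drop directories from the description, relative to the remote C: share
# (the worm reaches them through its J: mapping).
DROP_DIRS = [
    r"windows\startm~1\programs\startup",
    r"windows",
    r"windows\start menu\programs\startup",
    r"win95\start menu\programs\startup",
    r"win95\startm~1\programs\startup",
    r"wind95",
]

# The page's sample log plus one constructed malformed line.
SAMPLE_LOG = """Log file Open
Subnet : 211.16.99.0
Successfull copy to : 211.16.99.34/C
Subnet : not-an-address
"""

SUBNET_RE = re.compile(r"^Subnet\s*:\s*(\S+)$")
# "Successfull" is spelled as in the worm's own log output.
COPY_RE = re.compile(r"^Successfull copy to\s*:\s*(\S+?)/C$", re.IGNORECASE)


def parse_network_log(text):
    """Return (subnets probed, hosts that received a copy)."""
    subnets, hosts = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        m, c = SUBNET_RE.match(line), COPY_RE.match(line)
        try:
            if m:  # each entry is a /24 (class C) subnet the worm scanned
                subnets.append(ipaddress.ip_network(m.group(1) + "/24"))
            elif c:
                hosts.append(ipaddress.ip_address(c.group(1)))
        except ValueError:
            continue  # skip malformed or tampered entries
    return subnets, hosts


def triage_paths(hosts):
    """Map each affected host to the UNC paths to inspect for dropped copies."""
    return {str(h): ["\\\\" + str(h) + "\\C\\" + d for d in DROP_DIRS] for h in hosts}
```

Run it against a copy of the log collected from the infected machine; the hosts it returns are the ones to check before their next restart, since that is when a dropped copy would execute.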

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.