FRISK Software International


Summary of VBS/VBSWG.J@mm
Alias: I-Worm.Lee.o, SST, VBS_Kalamar, Onthefly, VBSWG
Discovered: 12 Feb 2002
Distribution: High
Infection Method: Infected e-mail attachments
 

Brief Description
VBS/Onthefly is an encrypted Visual Basic Script worm which spreads itself by mass mailing through the Microsoft Outlook application.

On February 12th, 2001, this worm spread rapidly all over the world in just a few hours.


Technical Description
This virus infected several hundreds of thousands of computers worldwide, putting it in the same category as the Melissa virus of 1999, which was the largest virus case of its time. However, Onthefly was significantly smaller than LoveLetter. Additionally, Onthefly did not do any direct damage.

The author of the virus ("OnTheFly") has been found. His real-world identity has been found as well and passed on to the officials for further investigation.

The VBSWG.J worm arrives as an attachment in an Outlook message with the following content:

    Subject:    Here you have, ;o)
    Body:       Hi:
                Check This!
    Attachment: AnnaKournikova.jpg.vbs

Once a user clicks on the attached file, the worm executes. First it adds the following key to the registry:

   HKEY_CURRENT_USER\Software\OnTheFly = "Worm made with Vbswg 1.50b"

The worm then copies itself to the Windows directory under the constant file name "AnnaKournikova.jpg.vbs" and sends itself to all recipients in all address books. It also adds a marker to the registry, so it will not mass mail again.

On January 26th the worm opens the web browser and connects to an innocent Dutch web site.
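
The attachment name above hides a script extension behind an image extension. The following is an added example, not part of the original description or of any FRISK or F-Secure tool, showing how a mail filter could flag that pattern; the extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions run by Windows Script Host (assumed list, extend as needed).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}
# Harmless-looking extensions used as a decoy before the real one (assumed list).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}


def deceptive_double_extension(filename):
    """True for names like 'photo.jpg.vbs': a decoy extension followed by a script one."""
    # Windows ignores trailing dots and spaces, so normalise them away first.
    name = filename.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 3:  # need a base name plus two extensions
        return False
    return parts[-1] in SCRIPT_EXTS and parts[-2] in DECOY_EXTS


def flag_attachments(raw_message):
    """Return the attachment filenames in a raw e-mail that use the double-extension trick."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        if fname and deceptive_double_extension(fname):
            hits.append(fname)
    return hits


def build_sample(filename):
    """Constructed test message; the attachment body is inert placeholder text."""
    m = EmailMessage()
    m["Subject"] = "Here you have, ;o)"
    m.set_content("Hi:\nCheck This!")
    m.add_attachment(b"placeholder, not script code", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for name in ("AnnaKournikova.jpg.vbs", "report.pdf"):
        print(name, "->", flag_attachments(build_sample(name)))
```

The check keys on the file name alone, so it also catches other worms that reuse the same disguise with a different subject or body.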


[Analysis: Katrin Tocheva, Mikko Hypponen, Sami Rautiainen, F-Secure; February 2001]
 

