Summary of VBS/VBSWG.J@mm
Alias: I-Worm.Lee.o, SST, VBS_Kalamar, Onthefly, VBSWG
12 Feb 2002
Infection Method: Infected e-mail attachments
VBS/Onthefly is an encrypted Visual Basic Script worm that spreads by mass-mailing itself using the Microsoft Outlook application.
On February 12th, 2001, this worm spread rapidly all over the world in just a few hours.
This virus infected several hundred thousand computers worldwide, putting it in the same category as the Melissa virus of 1999, which was the largest virus case of its time. However, Onthefly was significantly smaller than LoveLetter. Additionally, Onthefly did not do any direct damage.
The author of the virus ("OnTheFly") has been found. His real-world identity has been found as well and passed on to the officials for further investigation.
The VBSWG.J worm arrives as an attachment in an Outlook message with the following content:
Subject: Here you have, ;o)
Once a user clicks on the attached file, the worm executes. First it adds the following key to the registry:
HKEY_CURRENT_USER\Software\OnTheFly = "Worm made with Vbswg 1.50b"
The worm then copies itself to the Windows directory using a constant file name, "AnnaKournikova.jpg.vbs", and sends itself to all recipients in all address books. It also adds a marker to the registry, so it will not mass mail again.
On January 26th the worm opens the web browser and connects to an innocent Dutch web site.
[Analysis: Katrin Tocheva, Mikko Hypponen, Sami Rautiainen, F-Secure; February 2001]
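A mail-gateway check for the indicators described above: the subject line, and an attachment whose name hides a script extension behind a harmless-looking one, as in "AnnaKournikova.jpg.vbs". This is an added example, not part of the original F-Secure description; the extension lists, function names and sample messages are assumptions constructed for illustration, including the assumption that the attachment carries the same file name the worm uses for its copy in the Windows directory.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Script-host extensions that run on double-click (assumed blocklist; extend as needed).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Harmless-looking extensions used as the decoy in front of the real one (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}
# Subject line given in the description above, lower-cased for comparison.
KNOWN_SUBJECT = "here you have, ;o)"


def scan_message(raw: bytes) -> list[str]:
    """Return a list of findings for one raw e-mail message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if (msg["Subject"] or "").strip().lower() == KNOWN_SUBJECT:
        findings.append("subject matches VBSWG.J")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and inline text have no filename
        # Windows drops trailing spaces and dots, so compare without them.
        suffixes = [s.lower() for s in PurePosixPath(name.strip(" .")).suffixes]
        if suffixes and suffixes[-1] in SCRIPT_EXTS:
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
                findings.append(f"decoy double extension: {name}")
            else:
                findings.append(f"script attachment: {name}")
    return findings


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message; the attachment body is an inert placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("constructed message body")
    m.add_attachment(b"' inert placeholder\n", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample("Here you have, ;o)", "AnnaKournikova.jpg.vbs")))
    print(scan_message(build_sample("Holiday photos", "beach.jpg")))
```

The double-extension rule does not depend on the subject line, so it still fires when only the attachment name matches the pattern.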