Summary

At February 16th, a variant of VBS/Onthefly is spreading via e-mail messages.

Additional Details

The messages have the following German content:

    Subject:    Neues von Ihrem Internetdienstleister - Robert T. Online informiert

    Body:

        Sehr geehrter Internetsurfer es hat sich einiges bei uns getan. Die Telekom
        kann auch Ihre Internetkosten reduzieren. Wir haben auch fur Sie den
        richtigen Tarif...Damit auch Sie sich entscheiden k”nnen, haben wir eine
        ubersicht aller fur Sie relevanter Termine an diese eMail gehangt. Wir sind
        Sicher, auch Sie werden Ihren Wunschtarif finden.

        Bei fragen stehen wir Ihnen naturlich jederzeit zur Verfugung...

        Ihr T-Online Service Team

    Attachment: Neue Tarife.txt.vbs

In English the message subject and body are as follows:

    Subject:    News from your Internetserviceprovider - Robert T. Online informs

    Body:

        Dear Internetsurfer, several things changed at our side. Telekom can reduce
        also your Internet charges. We also have for you the right rate...To be
        able to decide, we have attached an overview of the relevant dates to this
        mail. We are sure, also you will find your prefered rate.

        If you have questions, you can of course contact us...

        Your T-Online Service Team

When the attached file is executed, the worm will mail itself to the each recipient in every address book. After mass mailing have been done, this variant adds the following key to the registry:

    HKEY_CURRENT_USER\software\mailed

This variant also replicates using mIRC and Pirch IRC clients.




There is also a version that is not encrypted. However, due a bug it does not replicate.





Information about the original VBS/Onthefly.A (also known as I-Worm.Lee.o and VBS/VBSWG) is available at: http://www.F-Secure.com/v-descs/onthefly.shtml

[Analysis: Katrin Tocheva, Mikko Hypponen, Sami Rautiainen, F-Secure; February 2001]