VBS/Potok is a mass mailing worm written in Visual Basic Script.
The message that the worm spreads has the following content:
Subject: New Generation of drivers.
Body: Microsoft has published new driver for all types
Video Cards, compatible with Windows 95/98/NT/2000/XP.
You can read about it in attachment document.
Best wishes,
Microsoft.
Attachemnt: driver.doc .vbs
There is 46 spaces between the ".doc" and ".vbs" extensions in the
attachment file name.
When executed, the worm attempts to send itself to 50 recipients taken
from the first address book using Microsoft Outlook.
This worm works only in Windows NT and Windows 2000, when the system
is installed onto NTFS. This is because the worm uses NTFS feature
known as "streams" to hide parts of itself to "odbc.ini" in the
Windows installation directory.
The worm also attempts to add a new user into system. This, however,
requires that the current user has suffient priviledge, for example
local administrator rights.
[Analysis: Sami Rautiainen, August 2001, F-Secure]
![](/images/pixel.gif"){kind=tracking}
