On February 20th, this variant of VBS/VBSWG has been found from the field. This variant is not encrypted.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
It spreads in messages with the following content:
Subject: Fw: FYI Body: ---------- Forwarded message ---------- Date: Thu, 15 Feb 2001 16:21:42 -0800 From: Mohammed Baget <firstname.lastname@example.org> To: Eugene Spafford <email@example.com> Cc: Mark Sawyer <u4ea@BoW.org> Subject: Fw: New bud commercial! Spaf, Here's the new budweiser commercial as promised.. - mb Mohammed Baget Head of Communications Budweiser USA Attachment: budweiser-commercial-spring2001.mpeg.vbs
The attachent size about 3.2MB. When it is executed, the worm alters the Internet Explorer start page to point to an adult site. It also modifies the registry in such way that the worm will be executed every time when the system is restarted.
Next the worm sends itself to all recipients in every address book and adds a key to the registry:
HKEY_CURRENT_USER\software\SP4F\mailog = "1"
This registry key is used as a marker, so the mass mailing will be done only once.
Information about the original VBS/Onthefly.A (also known as I-Worm.Lee.o and VBS/VBSWG) is available at:http://www.F-Secure.com/v-descs/onthefly.shtml
Description Created: Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure; February 2001