F-Secure Virus Descriptions : VBSWG.N@mm
On February 20th, this variant of VBS/VBSWG has been found from the
field. This variant is not encrypted.
It spreads in messages with the following content:
Subject: Fw: FYI
Body: ---------- Forwarded message ----------
Date: Thu, 15 Feb 2001 16:21:42 -0800
From: Mohammed Baget <mb@budweiser.com>
To: Eugene Spafford <spaf@cs.purdue.edu>
Cc: Mark Sawyer <u4ea@BoW.org>
Subject: Fw: New bud commercial!
Spaf,
Here's the new budweiser commercial as promised..
- mb
Mohammed Baget
Head of Communications
Budweiser USA
Attachment: budweiser-commercial-spring2001.mpeg.vbs
The attachent size about 3.2MB. When it is executed, the worm alters
the Internet Explorer start page to point to an adult site. It also
modifies the registry in such way that the worm will be executed every
time when the system is restarted.
Next the worm sends itself to all recipients in every address book and
adds a key to the registry:
HKEY_CURRENT_USER\software\SP4F\mailog = "1"
This registry key is used as a marker, so the mass mailing will be
done only once.
Information about the original VBS/Onthefly.A (also known as
I-Worm.Lee.o and VBS/VBSWG) is available at:
http://www.F-Secure.com/v-descs/onthefly.shtml
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure; February 2001]
|
![](/images/pixel.gif"){kind=tracking}
