Summary

On February 20th, this variant of VBS/VBSWG has been found from the field. This variant is not encrypted.

Additional Details

It spreads in messages with the following content:

    Subject:    Fw: FYI

    Body:       ---------- Forwarded message ----------

                Date: Thu, 15 Feb 2001 16:21:42 -0800
                From: Mohammed Baget <mb@budweiser.com>
                To: Eugene Spafford <spaf@cs.purdue.edu>
                Cc: Mark Sawyer <u4ea@BoW.org>

                Subject: Fw: New bud commercial!

                Spaf,

                Here's the new budweiser commercial as promised..

                - mb

                Mohammed Baget
                Head of Communications
                Budweiser USA

    Attachment: budweiser-commercial-spring2001.mpeg.vbs

The attachent size about 3.2MB. When it is executed, the worm alters the Internet Explorer start page to point to an adult site. It also modifies the registry in such way that the worm will be executed every time when the system is restarted.

Next the worm sends itself to all recipients in every address book and adds a key to the registry:

    HKEY_CURRENT_USER\software\SP4F\mailog = "1"

This registry key is used as a marker, so the mass mailing will be done only once.





Information about the original VBS/Onthefly.A (also known as I-Worm.Lee.o and VBS/VBSWG) is available at: http://www.F-Secure.com/v-descs/onthefly.shtml

[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure; February 2001]