At February 16th, a variant of VBS/VBSWG was spreading within messages that have the following content:
Subject: Info Reformasi Body: Maklumat Terkini... Attachment: r4mac.vbs
Disinfection & Removal
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
When the attached file is executed, the worm will mail itself to the each recipient in every address book. After mass mailing the following key is added to the registry:
This variant also replicates using mIRC and Pirch IRC clients. It replaces the "script.ini" from mIRC and "events.ini" from Pirch installation directories, causing that the worm will send itself to the IRC user that joins the channel where an infected user is.
VBSWG.Q also goes trough all local and network drivers from the system, and replaces every file with either ".vbs" or ".vbe" extension with itself. It also attempts to locate mIRC and Pirch installations from these drives.
This variant activates its payload at September 7th, when it launches a web browser and connects to Malaysian web site.
Information about the original VBS/Onthefly.A (also known as I-Worm.Lee.o and VBS/VBSWG) is available at: http://www.F-Secure.com/v-descs/onthefly.shtml
Technical Details: Katrin Tocheva and Sami Rautiainen, F-Secure; February 2001