When executed, VBS/Netlog creates a log file, "c:\network.log" and writes the following line to it:
Log file Open
Then the worm enters in an infinite loop. The worm begins the loop with the generation of a random IP class C subnet address. At first the first number of the IP address is a random number between 199 and 214, but after 50 iterations in the loop the number range is from 1 to 254. Second and third numbers of the IP address are always between 1 and 254. After the IP address has been generated the worm writes this to its log file:
where an asterisk ("*") is replaced with a number.
The VBS/Netlog goes trough the entire subnet address space (1-254) and looks a share named "C" from each machine. This is the default name for a shared "C:" drive.
If the share is found, the worm maps the remote drive to local machine as "J:" drive and adds one line to the log file:
Copying files to
Then it copies itself to the following locations in the remote share:
By doing this it infects the remote machine. When the remote machine is restarted, the worm will be executed.
The following line will be added to the log file if files were copied:
Successfull copy to
Finally the worm takes the next address in the subnet, or chooses the next random IP address and starts again.
This variant consists of two files. It copies itself only to:
It maps the remote drive to local machine as "Z:" (not "J:" as the VBS/Netlog.A variant does).
When it creates the log file "c:\network.log", the added line is different as well:
Copyright (c) 1993-1995 Microsoft Corp.