VBS/Potok is a mass mailing worm written in Visual Basic Script.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
The message that the worm spreads has the following content:
Subject: New Generation of drivers. Body: Microsoft has published new driver for all types Video Cards, compatible with Windows 95/98/NT/2000/XP. You can read about it in attachment document. Best wishes, Microsoft. Attachemnt: driver.doc .vbs
There is 46 spaces between the ".doc" and ".vbs" extensions in the attachment file name.
When executed, the worm attempts to send itself to 50 recipients taken from the first address book using Microsoft Outlook.
This worm works only in Windows NT and Windows 2000, when the system is installed onto NTFS. This is because the worm uses NTFS feature known as "streams" to hide parts of itself to "odbc.ini" in the Windows installation directory.
The worm also attempts to add a new user into system. This, however, requires that the current user has suffient priviledge, for example local administrator rights.
Technical Details:Sami Rautiainen, August 2001, F-Secure