On February 20th, this variant of VBS/VBSWG has been found from the field. This variant is not encrypted.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
It spreads in messages with the following content:
Subject: Fw: FYI Body: ---------- Forwarded message ---------- Date: Thu, 15 Feb 2001 16:21:42 -0800 From: Mohammed Baget
To: Eugene Spafford Cc: Mark Sawyer Subject: Fw: New bud commercial! Spaf, Here's the new budweiser commercial as promised.. - mb Mohammed Baget Head of Communications Budweiser USA Attachment: budweiser-commercial-spring2001.mpeg.vbs
The attachent size about 3.2MB. When it is executed, the worm alters the Internet Explorer start page to point to an adult site. It also modifies the registry in such way that the worm will be executed every time when the system is restarted.
Next the worm sends itself to all recipients in every address book and adds a key to the registry:
HKEY_CURRENT_USER\software\SP4F\mailog = "1"
This registry key is used as a marker, so the mass mailing will be done only once.
Information about the original VBS/Onthefly.A (also known as I-Worm.Lee.o and VBS/VBSWG) is available at: http://www.F-Secure.com/v-descs/onthefly.shtml
Description Details: Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure; February 2001