At February 16th, a variant of VBS/VBSWG was spreading within messages that have the following content:
Subject: Info Reformasi Body: Maklumat Terkini... Attachment: r4mac.vbs
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
When the attached file is executed, the worm will mail itself to the each recipient in every address book. After mass mailing the following key is added to the registry:
This variant also replicates using mIRC and Pirch IRC clients. It replaces the "script.ini" from mIRC and "events.ini" from Pirch installation directories, causing that the worm will send itself to the IRC user that joins the channel where an infected user is.
VBSWG.Q also goes trough all local and network drivers from the system, and replaces every file with either ".vbs" or ".vbe" extension with itself. It also attempts to locate mIRC and Pirch installations from these drives.
This variant activates its payload at September 7th, when it launches a web browser and connects to Malaysian web site.
Information about the original VBS/Onthefly.A (also known as I-Worm.Lee.o and VBS/VBSWG) is available at: https://www.F-Secure.com/v-descs/onthefly.shtml
Date Created: -
Date Last Modified: -