At February 16th, a variant of VBS/VBSWG was spreading within messages that have the following content:
Subject: Info Reformasi Body: Maklumat Terkini... Attachment: r4mac.vbs
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
When the attached file is executed, the worm will mail itself to the each recipient in every address book. After mass mailing the following key is added to the registry:
This variant also replicates using mIRC and Pirch IRC clients. It replaces the "script.ini" from mIRC and "events.ini" from Pirch installation directories, causing that the worm will send itself to the IRC user that joins the channel where an infected user is.
VBSWG.Q also goes trough all local and network drivers from the system, and replaces every file with either ".vbs" or ".vbe" extension with itself. It also attempts to locate mIRC and Pirch installations from these drives.
This variant activates its payload at September 7th, when it launches a web browser and connects to Malaysian web site.
Information about the original VBS/Onthefly.A (also known as I-Worm.Lee.o and VBS/VBSWG) is available at: https://www.F-Secure.com/v-descs/onthefly.shtml