For Consumer

Virus Profile: VBS/Netlog.worm.a

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/2/2000
Date Added: 2/3/2000
Origin: Internet connection
Length: 2,429
Type: Trojan
Subtype: VbScript
DAT Required: 4065
Removal Instructions
   
 
 
   

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

Existence of the NETWORK.LOG and NETWORK.VBS files as described above. Note that a normal Windows system will have a file called "c:\windows\wsh\samples\network.vbs" which is innocent and not related to this worm.

Methods of Infection

Running this file will directly install to the local machine and then it will begin scanning for available shares over the Internet.

Aliases

Network.vbs, Trojan.Win32.Netlog
   

Virus Characteristics

This is a new Internet-aware VBScript worm. The sample Avert received is 2,429 bytes long. The interesting thing about it is that a person does not have to manually run a VBScript file, or read an e-mail message to get infected; it spreads over open network shares.

The first thing it does is look for the file "c:\network.log". If it finds it, it deletes it. Then it creates a new "c:\network.log" file and writes "Log file Open" to it. Then it writes to the "c:\network.log" file this information:

"Subnet : [Random number between 199 and 214].[Random number between 1 and 254].[Random number between 1 and 254].0"

Then it will start to scan the addresses. For instance, if it picked 10, 11, and 12, it would start scanning at 10.11.12.1, then 10.11.12.2, then 10.11.12.3, and so on, until it reached 10.11.12.255, and then it would randomly pick a new subnet to scan. After it has scanned 50 subnets in one run, it no longer limits the first part of the Internet address to numbers between 199 and 214, and can pick any address between 1 and 254.

It is completely possible that in a network infection, this worm can act as a DDoS (Distributed Denial of Service) attack due to the nature of DNS server lookup. The operating system will try to find the site generated using all the DNS servers listed. These queries all eventually come back to the listed domain server. When enough computers combine their requests, they eventually overpower the server and it either crashes or can't service all the inbound requests.

When scanning, it uses Windows NetBIOS to look for open shares called "C". These are shared drives that users intended to share with their local network, but inadvertently shared over the entire Internet. It then tries to map the remote drive as drive "J:"!

If it succeeds it writes

"Copying files to : [Network name of remote drive]"

to the "c:\network.log" file.

First as a test, it copies itself to the root directory of the remote drive and checks to see whether the copy was successful. If it was, it writes

"Successful copy to : [Network name of remote drive]"

to the "c:\network.log" file. Then it will copy the network.vbs file to these directories:

"j:\windows\startm~1\programs\startup\"
"j:\windows\"
"j:\windows\start menu\programs\startup\"
"j:\win95\start menu\programs\startup\"
"j:\win95\startm~1\programs\startup\"
"j:\wind95\"

where J: is the remote drive C: the virus mapped earlier. This means that the worm gets control next time the victim starts their computer since J: actually means drive C:.

   
Use specified engine and DAT files for detection and removal. Delete files found to contain this detection.

As this threat seeks open shares, turn off full share to your system. If you have to use shares, use password protection to avoid being a future target.

Additional Windows ME/XP removal considerations