This is a new Internet-aware VBScript worm. The sample Avert received is 2,429 bytes long. The interesting thing about it is that a person does not have to manually run a VBScript file, or read an e-mail message to get infected; it spreads over open network shares.
The first thing it does is look for the file "c:\network.log". If it finds it, it deletes it. Then it creates a new "c:\network.log" file and writes "Log file Open" to it. Then it writes to the "c:\network.log" file this information:
"Subnet : [Random number between 199 and 214].[Random number between 1 and 254].[Random number between 1 and 254].0"
Then it will start to scan the addresses. For instance, if it picked 10, 11, and 12, it would start scanning at 10.11.12.1, then 10.11.12.2, then 10.11.12.3, and so on, until it reached 10.11.12.255, and then it would randomly pick a new subnet to scan. After it has scanned 50 subnets in one run, it no longer limits the first part of the Internet address to numbers between 199 and 214, and can pick any number between 1 and 254 for it.
It is completely possible that in a network infection, this worm can act as a DDoS (Distributed Denial of Service) attack due to the nature of DNS server lookup. The operating system will try to find the site generated using all the DNS servers listed. These queries all eventually come back to the listed domain server. When enough computers combine their requests, they eventually overpower the server and it either crashes or can't service all the inbound requests.
When scanning, it uses Windows NetBIOS to look for open shares called "C". These are shared drives that users intended to share with their local network, but inadvertently shared over the entire Internet. It then tries to map the remote drive as drive "J:".
If it succeeds, it writes
"Copying files to : [Network name of remote drive]"
to the "c:\network.log" file.
First, as a test, it copies itself to the root directory of the remote drive and checks to see whether the copy was successful. If it was, it writes
"Successful copy to : [Network name of remote drive]"
to the "c:\network.log" file. Then it will copy the network.vbs file to these directories:
where J: is the remote drive C: that the virus mapped earlier. This means that the worm gets control the next time the victim starts their computer, since J: actually means the victim's drive C:.
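For incident response, the "c:\network.log" entries quoted above show which subnets an infected machine scanned and which shares it copied itself to. The parser below is an added example, not part of the original description; the sample log is constructed, and the format of the logged network name is an assumption.

```python
import re

# Line formats as quoted in the description above.
HEADER = "Log file Open"
SUBNET_RE = re.compile(r"^Subnet : (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.0$")
ATTEMPT = "Copying files to : "
SUCCESS = "Successful copy to : "


def parse_network_log(text):
    """Summarise a recovered network.log for incident triage."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    report = {"header_seen": bool(lines) and lines[0] == HEADER,
              "subnets": [], "attempted": [], "succeeded": [], "other": []}
    body = lines[1:] if report["header_seen"] else lines
    for ln in body:
        m = SUBNET_RE.match(ln)
        if m:
            report["subnets"].append(tuple(int(g) for g in m.groups()))
        elif ln.startswith(SUCCESS):
            report["succeeded"].append(ln[len(SUCCESS):])
        elif ln.startswith(ATTEMPT):
            report["attempted"].append(ln[len(ATTEMPT):])
        else:
            report["other"].append(ln)
    # Shares that were mapped but where the test copy was never confirmed.
    report["failed"] = [s for s in report["attempted"]
                        if s not in report["succeeded"]]
    return report


def out_of_pattern_subnets(report):
    """Subnets among the first 50 whose first octet is outside 199-214.

    Only the first 50 subnets of a run are limited to that range, so a hit
    here suggests the log is not from this worm or has been altered.
    """
    return [s for s in report["subnets"][:50] if not 199 <= s[0] <= 214]


# Constructed sample: documentation address ranges and placeholder share
# names (the real format of the logged network name is assumed).
SAMPLE_LOG = """Log file Open
Subnet : 203.0.113.0
Copying files to : \\\\HOST-A\\C
Successful copy to : \\\\HOST-A\\C
Copying files to : \\\\HOST-B\\C
Subnet : 192.0.2.0
"""
```

Every entry in `succeeded` is a machine that should be treated as infected and checked for a copy of network.vbs.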