VBS/Netlog.A is a worm written in Visual Basic Script. It is able of spreading on shared disks in local computer network. When it is run it checks the existence of a file c:\network.log. If such a file exists it will be deleted. Then the worm creates file c:\network.log and will use it to save information on its activities.
Next activity the worm performs is an infinite loop. It generates a random IP address in the form A.B.C.1 where A is from the range 199-214, B and C from the range 0-255. Starting from the 51st generated IP address also the first of the IP address numbers is generated from the range 0-255. It means that the worm generates IP addresses of sub-networks of C type which may contain 255 addresses.
In the next step the worm tries to gradually map disk C: on each of the IP addresses belonging to the gained addresses space. It will continue until it succeeds. It maps disk always on the letter J:
To a network disk mapped in this way (as disk J:) the worm then tries to copy its copies into the following directories:

j:\windows\startm~1\programs\startup\
j:\windows\
j:\windows\start menu\programs\startup\
j:\win95\start menu\programs\startup\
j:\win95\startm~1\programs\startup\
j:\wind95\

If copying was successful as the result the worm will be executed on the remote computer after its restart. In the end the worm closes the network connection and displays message.

In the file c:\network.log the worm keeps record of its activity. It looks as follows:

Log file Open
Subnet : 211.16.99.0
Successfull copy to : 211.16.99.34/C

A peculiarity about this worm is the fact that it contains a code for displaying a message announcing the end of its activities, as it does its development version VBS/Netlog.gen, but this is never displayed.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.