VBS.SST@mm
Discovered on: February 12, 2001
Last Updated on: February 28, 2001 at 07:04:54 PM PST
VBS.SST@mm is a VBS email worm that has been encoded using a virus creation kit. This worm
arrives as an attachment named AnnaKournikova.jpg.vbs. When executed, the worm emails itself
to everyone in your Microsoft Outlook address book. On January 26, the worm will attempt to
direct your Web browser to an Internet address in The Netherlands, from where the worm
appears to have originated.
Also Known As: VBS.Lee-o, VBS.OnTheFly, VBS.Vbswg.gen, Anna Kournikova, VBS/VBSWG.J@mm
Category: Worm
Infection Length: 2853
Virus Definitions: February 12, 2001
Threat Assessment:
Wild: High
Damage: Low
Distribution: High
Wild:
Number of infections: 50 - 999
Number of sites: More than 10
Geographical distribution: High
Threat containment: Easy
Removal: Easy
Damage:
Payload Trigger: January 26
Payload: Directs Web browser to http://www.dynabyte.nl
Distribution:
Subject of email: Here you have, ;o)
Name of attachment: AnnaKournikova.jpg.vbs
Size of attachment: 2853
Technical description:
When run, the worm creates the following registry key:
HKEY_CURRENT_USER\Software\OnTheFly
If the worm is run on January 26, it attempts to direct your Web browser to an Internet
address in The Netherlands.
Next, it checks to see if the mass-mailing routine has been executed. If not, the worm
emails everyone in your Microsoft Outlook address book and sets the following key value
equal to "1" (this is equivalent to true):
HKEY_CURRENT_USER\Software\OnTheFly\mailed
This prevents the mail routine from running again.
The subject, body and attachment sent by the worm are as follows:
Subject:
Here you have, ;o)
Message body:
Hi:
Check This!
Attachment:
AnnaKournikova.jpg.vbs
The worm continues running, and if it is deleted, it attempts to recreate itself. Due to a
bug in the code, the worm instead recreates itself as a zero-byte file.
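Added example (not part of the original write-up or of any vendor tool): a mail-filter check in Python that flags the subject and attachment name listed above and, going beyond this one worm, any attachment whose script extension is hidden behind a harmless-looking one. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the write-up above.
KNOWN_SUBJECT = "Here you have, ;o)"
KNOWN_ATTACHMENT = "annakournikova.jpg.vbs"
# Assumption: extension lists chosen for this example, not from the write-up.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}


def deceptive_double_extension(filename):
    """True when a script extension hides behind a harmless-looking one."""
    parts = filename.lower().strip().rstrip(".").split(".")
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXTS and parts[-2] in DECOY_EXTS


def inspect_message(raw_bytes):
    """Return a list of findings for one raw e-mail message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    if (msg["Subject"] or "").strip() == KNOWN_SUBJECT:
        findings.append("subject matches VBS.SST@mm")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() == KNOWN_ATTACHMENT:
            findings.append("attachment name matches VBS.SST@mm")
        if deceptive_double_extension(name):
            findings.append("deceptive double extension: " + name)
    return findings


def build_sample(subject, filename):
    """Constructed test message; the attachment body is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("Hi:\nCheck This!")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample(KNOWN_SUBJECT, "AnnaKournikova.jpg.vbs")):
        print(finding)
```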
Removal instructions:
Please make sure your antivirus program's definitions are up to date and run a thorough scan
of your hard drive. Either delete the infected files that are found manually or tell your
antivirus program to remove them automatically.