VBS.SST@mm

Discovered on: February 12, 2001 

Last Updated on: February 28, 2001 at 07:04:54 PM PST 

VBS.SST@mm is a VBS email worm that has been encoded using a virus creation kit. This worm 
arrives as an attachment named AnnaKournikova.jpg.vbs. When executed, the worm emails itself
to everyone in your Microsoft Outlook address book. On January 26, the worm will attempt to 
direct your Web browser to an Internet address in The Netherlands, from where the worm 
appears to have originated. 

Also Known As: VBS.Lee-o, VBS.OnTheFly, VBS.Vbswg.gen, Anna Kournikova, VBS/VBSWG.J@mm 

Category: Worm 

Infection Length: 2853 

Virus Definitions: February 12, 2001 

Threat Assessment: 

   
Wild: High
Damage: Low
Distribution: High

Wild:

Number of infections: 50 - 999
Number of sites: More than 10
Geographical distribution: High
Threat containment: Easy
Removal: Easy

Damage:

Payload Trigger: January 26
Payload: Directs Web browser to http://www.dynabyte.nl

Distribution:

Subject of email: Here you have, ;o)
Name of attachment: AnnaKournikova.jpg.vbs
Size of attachment: 2853

Technical description: 

When run, the worm creates the following registry key:

HKEY_CURRENT_USER\Software\OnTheFly

If the worm is run on January 26, it attempts to direct your Web browser to an Internet 
address in The Netherlands.

Next, it checks to see if the mass-mailing routine has been executed. If not, the worm 
emails everyone in your Microsoft Outlook address book and sets the following key value 
equal to "1" (this is equivalent to true):

HKEY_CURRENT_USER\Software\OnTheFly\mailed

This prevents the mail routine from running again.

The subject, body and attachment sent by the worm are as follows:

Subject:

Here you have, ;o)

Message body:

Hi:
Check This!

Attachment:

AnnaKournikova.jpg.vbs

The worm continues running, and if it is deleted, it attempts to recreate itself. Due to a 
bug in the code, the worm instead recreates itself as a zero-byte file.
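
The subject, attachment name and attachment size given above can be checked at a mail gateway, together with a generic test for a script extension hidden behind a harmless-looking one. The following Python is an added example, not part of the original write-up; the extension lists and function names are assumptions, and the sample message builder produces constructed, inert content.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the write-up above.
SUBJECT = "Here you have, ;o)"
ATTACHMENT = "annakournikova.jpg.vbs"
SIZE = 2853

# Assumption (not from the write-up): which extensions count as script types
# and which count as harmless-looking decoys for the generic check.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}


def has_decoy_extension(filename):
    """True for names like picture.jpg.vbs (script extension behind a decoy)."""
    # Trailing dots and spaces are dropped by Windows, so ignore them here too.
    parts = filename.lower().rstrip(". ").split(".")
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXTS and parts[-2] in DECOY_EXTS


def inspect_message(raw_bytes):
    """Return a list of findings for one RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    subject_hit = (msg["Subject"] or "").strip() == SUBJECT
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        if has_decoy_extension(name):
            findings.append("double-extension:" + name)
        # Name match alone is weak; require the subject or the exact size too.
        if name.lower() == ATTACHMENT and (subject_hit or len(payload) == SIZE):
            findings.append("matches-VBS.SST@mm-indicators")
    return findings


def build_sample(subject, filename, size):
    """Constructed test message carrying an inert attachment of the given size."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("Hi:\nCheck This!\n")
    m.add_attachment(b"'" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```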



Removal instructions: 


Please make sure your antivirus program definitions are up to date and run a thorough scan 
of your hard drive. Either delete the infected files manually or tell your antivirus 
program to remove them automatically.

    Source: geocities.com/timessquare/alley/2794
