VBS.SST@mm

VBS.SST@mm is a VBS email worm that has been encoded using a virus creation kit. The worm arrives as an attachment named AnnaKournikova.jpg.vbs When executed, the worm emails itself to everyone in your Microsoft Outlook book. On January 26, the worm will attempt to direct your Web browser to an Internet address located in The Netherlands.

This worm appears to have originated in the Netherlands

Also Known As: VBS.Lee-o, VBS.OnTheFly

Category: Worm

Infection Length: 2853

Virus Definitions: February 12, 2001

Threat Assessment:

Wild: High

Damage: Low

Distribution: High

Wild:

• Number of infections: 50 - 999
• Number of sites: More than 10
• Geographical distribution: High
• Threat containment: Easy
• Removal: Easy

Damage:

• Payload Trigger: January 26
• Payload: Directs Web browser to an Internet address in The Netherlands.

Distribution:

• Subject of email: Here you have, ;o)
• Name of attachment: AnnaKournikova.jpg.vbs
• Size of attachment: 2853

Technical description:

When run the worm creates the registry key:

HKEY_CURRENT_USER\Software\OnTheFly

If the day is January 26, the worm attempts to direct your Web browser to an Internet address in The Netherlands.

Next, it checks to see if the mass-mailing routine has been executed. If not, the worm emails everyone in your Microsoft Outlook address book and creates the registry key:

HKEY_CURRENT_USER\Software\OnTheFly\mailed

This prevents the mail routine from running again.

The subject, body, and attachment sent by the worm are as follows:

Subject:

Here you have, ;o)

Message body:

Hi:
Check This!

Attachment:

AnnaKournikova.jpg.vbs

The worm then remains running, and if it is deleted, it attempts to recreate itself. Due to a bug in the code, the worm instead recreates itself as a zero-byte file.

Removal instructions:

1. Pre-certified definitions are available at here.
2. Delete all found infections. If exists, delete the zero-byte file.
3. Remove the following registry keys:

Write-up by: Eric Chien and Neal Hindocha