Symantec United States
global sites
products
purchase
service and support
security updates
downloads
about symantec
search
feedback


1995-2001 Symantec Corporation.
All rights reserved.

Legal Notices
Privacy Policy

security updates
Level 4

VBS.SST@mm

Discovered on: February 12, 2001
Last Updated on: February 12, 2001 at 01:47:42 PM PST

VBS.SST@mm is a VBS email worm that has been encoded using a virus creation kit. The worm arrives as an attachment named AnnaKournikova.jpg.vbs When executed, the worm emails itself to everyone in your Microsoft Outlook book. On January 26, the worm will attempt to direct your Web browser to an Internet address located in The Netherlands.

This worm appears to have originated in the Netherlands

Also Known As: VBS.Lee-o, VBS.OnTheFly

Category: Worm

Infection Length: 2853

Virus Definitions: February 12, 2001

Threat Assessment:

High Low High
Wild:
High
Damage:
Low
Distribution:
High

Wild:

Damage:

Distribution:

Technical description:

When run the worm creates the registry key:

HKEY_CURRENT_USER\Software\OnTheFly

If the day is January 26, the worm attempts to direct your Web browser to an Internet address in The Netherlands.

Next, it checks to see if the mass-mailing routine has been executed. If not, the worm emails everyone in your Microsoft Outlook address book and creates the registry key:

HKEY_CURRENT_USER\Software\OnTheFly\mailed

This prevents the mail routine from running again.

The subject, body, and attachment sent by the worm are as follows:

Subject:

Here you have, ;o)

Message body:

Hi:
Check This!

Attachment:

AnnaKournikova.jpg.vbs

The worm then remains running, and if it is deleted, it attempts to recreate itself. Due to a bug in the code, the worm instead recreates itself as a zero-byte file.

Removal instructions:

  1. Pre-certified definitions are available at here.
  2. Delete all found infections. If exists, delete the zero-byte file.
  3. Remove the following registry keys:

HKEY_CURRENT_USER\Software\OnTheFly
HKEY_CURRENT_USER\Software\OnTheFly\mailed


    Write-up by: Eric Chien and Neal Hindocha

     Tell a Friend about this Write-Up

    Security Updates
    Symantec AntiVirus Research Center and SWAT
    Download Virus Definitions
    Keep your protection up to date
    Virus Encyclopedia
    Search for Information on Viruses, Worms and Trojan Horses
    Virus Hoaxes
    Information on Virus Hoaxes
    Newsletter
    Email Sent from the Symantec AntiVirus Research Center
    Virus Calendar
    Monthly Calendar Listing Trigger Dates for Viruses
    Reference Area
    Learn About Virus Detection Technologies
    Submit Virus Samples
    Send Suspected Threats for Review