Last revised: February 13, 2001
Source: CERT/CC
A complete revision history can be found at the end of this file.
The "VBS/OnTheFly" malicious code is a VBScript program that spreads via
email. As of 7:00 pm EST(GMT-5) Feb 12, 2001, the CERT Coordination
Center had received reports from more than 100 individual sites. Several
of these sites have reported suffering
network degradation as a result of mail traffic
generated by the "VBS/OnTheFly" malicious code. This malicious code can infect a
system if the enclosed email
attachment is run. Once the malicious code has executed on a system, it
will take the actions described in the Impact
section. When the malicious code executes, it attempts to send copies of itself,
using Microsoft Outlook, to all entries in each of the address books. The
sent mail has the following characteristics:
Users who receive copies of the malicious code via electronic mail will
probably recognize the sender. We encourage users to avoid
executing code, including VBScripts, received through electronic mail,
regardless of the sender's name, without prior knowledge of the
origin of the code or a valid digital signature. It is possible for the recipients to be be tricked into opening this
malicious attachment since file will appear without the .VBS extension if
"Hide file extensions for known file types" is turned on in Windows. When the attached VBS file is executed, the malicious code attempts to modify
the registry by creating the following key:
Beyond this effect, there does not appear to be a destructive payload
associated with this malicious code. However, historical data has shown that
the intruder community can quickly modify the code for more destructive
behavior.
It is important for users to update their anti-virus software.
Some anti-virus software vendors have released updated information,
tools, or virus databases to help combat this malicious code. A
list of vendor-specific anti-virus information can be found in Appendix A.
You may also find the following document on Outlook security useful
The Outlook E-mail security update provides features that can prevent
attachments containing executable content from being displayed to
users. Other types of attachments can be configured so that they
must be saved to disk before they can be opened (or executed). These
features may greatly reduce the chances that a user will incorrectly
execute a malicious attachment.
Sites can use email filtering techniques to delete messages
containing subject lines known to contain the malicious code, or can filter
attachments outright.
Exercise caution when receiving email with attachments. Users should disable
auto-opening or previewing of email attachments in their mail
programs. Users should never open attachments from an untrusted
origin, or that appear suspicious in any way. Finally,
cryptographic checksums should also be used to validate the
integrity of the file.
False upgrade to Internet Explorer - discussed in CA-99-02
http://www.cert.org/advisories/CA-1999-02.html
Happy99.exe Trojan Horse - discussed in IN-99-02
http://www.cert.org/incident_notes/IN-99-02.html
CIH/Chernobyl virus - discussed in IN-99-03
http://www.cert.org/incident_notes/IN-99-03.htm
This document was written by Cory Cohen, Roman Danyliw, Ian Finlay,
John Shaffer, Shawn Hernan, Kevin Houle, Brian B. King, and Shawn Van
Ittersum.
Copyright 2001 Carnegie Mellon University. Revision History
Systems Affected
Users of Microsoft Outlook who have not applied previously available security updates.
Overview
I. Description
Here you have, ;o)"
Hi:
Check This!
"AnnaKournikova.jpg.vbs"
II. Impact
Next, the it will then place a copy of itself into the Windows directory.
Finally, the malicious code will attempt to send separate, infected email
messages to all recipients in the Windows Address Book. Once the
mail has been sent, the malicious code creates the following registry key to
prevent future mailings of the malicious code.
The code's propagation can lead to congestion in mail
servers that may prevent them from functioning as expected.
III. Solution
Update Your Anti-Virus Product
Apply the Microsoft Outlook E-mail Security Update
To protect against this malicious code, and others like it, users of Outlook 98 and 2000 may want to
install the Outlook E-mail Security update included in an Outlook SR-1.
More information about this update is available at
http://office.microsoft.com/2000/downloaddetails/Out2ksec.htm
http://www.microsoft.com/office/outlook/downloads/security.htm
Filter the Virus in Email
Exercise Caution When Opening Attachments
IV. General protection from email Trojan horses and viruses
Some previous examples of malicious files known to have propagated
through electronic mail include:
Melissa macro virus - discussed in CA-99-04
http://www.cert.org/advisories/CA-1999-04.html
In each of the above cases, the effects of the malicious file are
activated only when the file in question is executed. Social
engineering is typically employed to trick a recipient into executing
the malicious file. Some of the social engineering techniques we have
seen used include
The best advice with regard to malicious files is to avoid executing them in
the first place. CERT advisory CA-1999-02.html and the following CERT tech tip
discuss malicious code and offers suggestions to avoid them.
http://www.cert.org/advisories/CA-1999-02.html
Tech tip: Protecting yourself from Email-borne Viruses and Other Malicious Code During Y2K and Beyond
Appendix A. - Vendor Information
Appendix A. Anti-Virus Vendor Information
Aladdin Knowledge Systems
http://www.aks.com/home/csrt/valerts.asp#AnnaK
Command Software Systems, Inc.
http://www.commandcom.com/virus/vbsvwg.html
Computer Associates
http://ca.com/virusinfo/virusalert.htm#vbs_sstworm
F-Secure
http://www.f-secure.com/v-descs/onthefly.shtml
Finjan Software, Ltd.
http://www.finjan.com/attack_release_detail.cfm?attack_release_id=47
McAfee
http://www.mcafee.com/anti-virus/viruses/vbssst/default.asp
Dr. Solomon, NAI
http://vil.nai.com/vil/virusSummary.asp?virus_k=99011
Sophos
http://www.sophos.com/virusinfo/analyses/vbsssta.html
Symantec
http://www.symantec.com/avcenter/venc/data/vbs.sst@mm.html
Trend Micro
http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=VBS_KALAMAR.A
You may wish to visit the CERT/CC's Computer Virus Resources Page located at:
http://www.cert.org/other_sources/viruses.html
February 12, 2001: Initial release
February 13, 2001: Corrected registry key in Impact section