Trojan.Win32.Netlog

Class Trojan
Platform Win32
Description

Technical Details

This is a worm written in Visual Basic Script language (VBS). It spreads through a network by coping itself to other computers in the network.

Upon being activated, the worm generates a random network IP address (for example 145.65.28.0), and tries to connect to all computers in this network. It changes the last octet of an address from 1 to 255 and tries to connect. If the connection is accepted, the worm copies itself to a connected computer on
drive C: in the following folders:

C:
C:WINDOWSSTARTM~1PROGRAMSSTARTUP
C:WINDOWS
C:WINDOWSSTART MENUPROGRAMSSTARTUP
C:WIN95START MENUPROGRAMSSTARTUP
C:WIN95STARTM~1PROGRAMSSTARTUP
C:WIND95

If all computers in this network are inaccessible, the worm generates a new network IP address.

The worm creates a file “C:NETWORK.LOG”. In this file, the worm writes all of its activities. The file content appears as follows:

Log file Open
Subnet : 145.65.28.0
Subnet : 23.44.93.0
Subnet : 50.112.201.0
Subnet : 176.3.138.0
Copying files to : \176.3.138.5�
Successfull copy to : \176.3.138.5�

The spreading ability of this worm is very low, because search of a victim computer takes a lot of time and most computers reject a requested connection.