Porn VBS Worm Recalls Visions of Anna Kournikova
Though numerous Visual Basic Script (VBS) bugs in the past year (and earlier) have time and again showcased the dangers of not filtering VBS e-mail attachments, many companies appear not to have gotten the message -- as illustrated by the rapid proliferation of a new worm dubbed Homepage or VBS.VBSWG2.
The worm arrives with the subject FW: Homepage. It was discovered in the wild Wednesday and a number of security firms have already classified it as high risk. U.K.-based MessageLabs, U.K.-based Sophos, Finland-based F-Secure and U.S.-based Symantec have all received reports of the worm.
Homepage bears many similarities to the Anna Kournikova virus -- also known as OnTheFly -- that spread like wildfire in February. But whereas Anna Kournikova lured recipients to open its attachment by promising a .jpg of the Russian tennis star, Homepage arrives with the message: "Hi! You've got to see this page! It's really cool ;O)"
When a recipient opens the VBS attachment, the worm mass mails itself to each address in the recipient's address book and then deletes all messages that contain the subject 'Homepage.' It then creates the following registry key: HKCU\software\An\mailed. The key records that the mailing has been done.
After the mass mailing is completed, the worm randomly opens one of four pornographic Web sites with Internet Explorer.
The worm does not damage infected machines, and only machines using Microsoft Outlook can spread it.
The worm was created through a VBS Worm Generator called VBSWG.x.
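The attachment filtering the article says many companies still lack can be sketched as a gateway check. This is an added example, not code from the article or from any vendor named in it. The extension blocklist, the function names and the sample filenames are assumptions made for the illustration, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist: script types Windows Script Host runs on double-click.
BLOCKED_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

def final_ext(name):
    """Last extension, lowercased; trailing dots and spaces are ignored."""
    name = name.rstrip(" .")
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""

def blocked_attachments(raw):
    """Filenames of attached parts whose final extension is a blocked script type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    # Only the last extension counts, so "picture.jpg.vbs" is still caught.
    return [n for n in names if final_ext(n) in BLOCKED_EXTS]

def verdict(raw):
    """quarantine on a script attachment; review on the reported subject alone."""
    if blocked_attachments(raw):
        return "quarantine"
    subject = email.message_from_bytes(raw, policy=policy.default)["Subject"] or ""
    return "review" if "homepage" in subject.lower() else "deliver"

def build_sample(subject, filename=None):
    """Constructed test message; the attachment body is inert placeholder text."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("Hi! You've got to see this page! It's really cool ;O)")
    if filename:
        m.add_attachment(b"' inert placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("FW: Homepage", "sample.html.vbs"),
                        ("FW: Homepage", None), ("Minutes", "minutes.pdf")]:
        print(subj, fname, "->", verdict(build_sample(subj, fname)))
```

The extension check drives the quarantine decision on its own; the subject match only raises a review flag, since a subject line is trivial to change while the attachment type is what makes the message executable.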