Porn VBS Worm Recalls Visions of Anna Kournikova

Though numerous Visual Basic Script (VBS) bugs in the past year (and
earlier) have time and again showcased the dangers of not filtering VBS
e-mail attachments, many companies appear not to have gotten the message —
as illustrated by the rapid proliferation of a new worm dubbed Homepage or
VBS.VBSWG2.

The worm arrives with the subject FW: Homepage. It was discovered in the
wild Wednesday and a number of security firms have already classified it as
high risk. U.K.-based MessageLabs, U.K.-based Sophos, Finland-based F-Secure
and U.S.-based Symantec have all received reports of the worm.

Homepage bears many similarities to the Anna Kournikova virus — also known
as OnTheFly — that spread like wildfire in February. But whereas Anna Kournikova lured
recipients to open its attachment by promising a .jpg of the Russian tennis
star, Homepage arrives with the message: “Hi! You’ve got to see this page!
It’s really cool ;O)”

When a recipient opens the VBS attachment, the worm mass mails itself to
each address in the recipient’s address book and then deletes all messages
which contain the subject ‘Homepage.’ It then creates the following registry
key: HKCU\software\An\mailed. The key marks that the mailing has been done.

After the mass mailing is completed, the worm randomly opens one of four
pornographic Web sites with Internet Explorer.

The worm does not damage infected machines, and only machines using
Microsoft Outlook can spread it.

The worm was created through a VBS Worm Generator called VBSWG.x.
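
The attachment filtering mentioned at the top of this article can be sketched as a gateway-side check. This is an added example, not code from the article or from any vendor named in it; the extension lists, the sample file names and the addresses are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Windows Script Host extensions to block at the gateway (an assumed policy list).
BLOCKED_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Harmless-looking extensions placed before the real one as a decoy (assumed list).
DECOY_EXTS = {".jpg", ".gif", ".txt", ".html", ".htm", ".doc"}


def attachment_verdicts(raw: bytes):
    """Return (filename, verdict) for every named MIME part in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.walk():  # walk() also descends into forwarded messages
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "x.vbs." still runs as .vbs
        clean = name.strip().rstrip(". ").lower()
        stem, ext = os.path.splitext(clean)
        if ext not in BLOCKED_EXTS:
            verdicts.append((name, "allow"))
        elif os.path.splitext(stem)[1] in DECOY_EXTS:
            verdicts.append((name, "block: script behind decoy extension"))
        else:
            verdicts.append((name, "block: script attachment"))
    return verdicts


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Construct a test message; every value here is made up for the example."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("Hi! You've got to see this page!")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname in ("page.html.vbs", "report.pdf", "notes.VBS."):
        raw = build_sample("FW: Homepage", fname, b"inert placeholder")
        print(attachment_verdicts(raw))
```

The verdict is based on the attachment name only, so it works regardless of subject line or message text, which differ between worms built with the same generator.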
