Network.VBS or the VBS.Netlog Worm
How to Detect it and Remove It

What is Network.VBS or the Netlog Worm?
Network.VBS is a fairly interesting Visual Basic Scripting worm similar to the infamous LoveLetter (ILOVEYOU) worm. Windows 95, Windows 98, Windows NT, and Windows 2000 machines can be vulnerable to this worm if the Windows Scripting Host is installed. Most of today's viruses are spread via email and email attachments; however, the network.vbs worm is spread through open shares on a computer or computer network.

I had just built a system the day before it attacked me and added it to my home network. The new computer probably hadn't been online more than 12 hours when I first noticed a problem. My entire network started to slow down and when attempting to open Network Neighborhood from the infected machine, I couldn't reach any of the other computers on my home network. Upon further investigation, I found the network.vbs file and promptly removed all instances of it. Now this machine was dialing up to the Internet using standard Windows Dial-Up Networking via a 56K modem. It wasn't on some superfast DSL, T1, or cable modem, and within 12 hours online it was infected.

I use this extreme example of how I was infected to illustrate a point about viruses and Internet security. A worm such as this could be exploited to install remote control tools such as Back Orifice or be used in Distributed Denial of Service attacks such as the attacks that occurred earlier in 2000 against numerous high profile sites. A user could use this sort of worm to compile a list of vulnerable machines then quickly install such remote access tools and cause a lot of destruction.

How Does the Worm Spread?

The worm first opens a log file as c:\network.log and records a copy of all the machines that it attempts to infect. It generates a random IP address, records it in the log file, and then attempts to connect the host to that address. If the attempt to connect is unsuccessful, it generates a new IP address and attempts to use that instead. This continues until it successfully connects to another IP address. Thus the worm spreads throughout a computer network or across the Internet virtually undetected.

During infection, Network will remap shared drives on its host to J: and will then copy itself to the file network.vbs which will be created in the following locations:

j:\
j:\windows\startm~1\programs\startup\
j:\windows\
j:\windows\start menu\programs\startup\
j:\win95\start menu\programs\startup\
j:\win95\startm~1\programs\startup\
j:\win95\

By remapping the drives to J: and copying network.vbs to these locations, the worm will automatically be reloaded when the Windows machine is restarted. This file should not be confused with the harmless example VBS file network.vbs that is normally in the "samples\wsh" folder of machines with Windows Scripting Host installed. The worm's network.vbs file is approximately 2.5KB, whereas the WSH example script is over 5KB. This worm will remap drive letters and will generate extra network traffic but does not contain a deliberately destructive payload.

How to Clean/Delete the Network.vbs worm

Cleaning the worm is fairly simple. Using the Windows FIND command located under the Start Menu, search for a file called network.vbs and delete all instances of it EXCEPT the one located in C:\WINDOWS\SAMPLES\WSH which is a harmless example script.

Deleting all instances of the network.vbs file will clean your system of the infection.

** Added September 20, 2000
A variant of the Netlog worm has been found. To clean your system of this variant, search for network.exe as well as the network.vbs files and delete them. They should be located in the Startup folder. This cleans your system of the Netlog.B variant of the worm.
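
The checks described above can be scripted for triage of a drive that has been copied or mounted for inspection. The following is an added example, not part of the original article: it reports network.vbs outside samples\wsh, network.exe in a Startup folder, and network.log in the drive root. The verdict labels, the 5KB cut-off (taken from the sizes quoted above) and the constructed test tree are assumptions of this example.

```python
import os
import tempfile

SAMPLE_DIR = ("samples", "wsh")   # folder holding the harmless WSH example
SAMPLE_MIN_BYTES = 5 * 1024       # article: sample is over 5KB, worm about 2.5KB

def scan(root):
    """Walk `root` (a copy of the C: drive) and return sorted (verdict, path) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        parts = [] if rel == "." else [p.lower() for p in rel.split(os.sep)]
        for name in files:
            lname = name.lower()
            relpath = os.path.normpath(os.path.join(rel, name)).replace(os.sep, "/")
            if lname == "network.vbs":
                size = os.path.getsize(os.path.join(dirpath, name))
                in_sample = tuple(parts[-2:]) == SAMPLE_DIR
                # A worm-sized file inside samples\wsh is flagged for manual review.
                verdict = ("worm" if not in_sample else
                           "wsh-sample" if size > SAMPLE_MIN_BYTES else "review")
                findings.append((verdict, relpath))
            elif lname == "network.exe" and parts and parts[-1] == "startup":
                findings.append(("netlog.b", relpath))   # variant's executable
            elif lname == "network.log" and not parts:
                findings.append(("worm-log", relpath))   # log in the drive root
    return sorted(findings)

def demo():
    """Build a constructed directory tree in a temp dir and scan it."""
    layout = {   # constructed sample data: relative path -> file size in bytes
        "network.log": 40,
        "network.vbs": 2560,
        "windows/start menu/programs/startup/network.vbs": 2560,
        "windows/start menu/programs/startup/network.exe": 9000,
        "windows/samples/wsh/network.vbs": 5600,
        "windows/notes.txt": 10,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, size in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"x" * size)
        return scan(root)

if __name__ == "__main__":
    for verdict, path in demo():
        print(f"{verdict:10} {path}")
```

The script only reports; deletion is left to the operator, following the steps above.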

More Information about Open File and Printer Sharing

Read a great article about File and Printer Sharing and the Internet from PC HELP

http://www.nwi.net/~pchelp/security/issues/sharing.htm

Computer Security and the Internet: How to Protect Yourself

 

Written by Mark Hasting
