Threat Descriptions

VBSWG.K@mm

Classification

Category :

Malware

Type :

Worm

Platform :

VBS

Aliases :

VBSWG.K@mm, Onthefly.B

Summary

At February 16th, a variant of VBS/Onthefly is spreading via email messages.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The messages have the following German content:

Subject:

Neues von Ihrem Internetdienstleister - Robert T. Online informiert

 Body:
 Sehr geehrter Internetsurfer es hat sich einiges bei uns getan. Die Telekom
 kann auch Ihre Internetkosten reduzieren. Wir haben auch fur Sie den
 richtigen Tarif...Damit auch Sie sich entscheiden konnen, haben wir eine
 ubersicht aller fur Sie relevanter Termine an diese eMail gehangt. Wir sind
 Sicher, auch Sie werden Ihren Wunschtarif finden.
 Bei fragen stehen wir Ihnen naturlich jederzeit zur Verfugung...
 Ihr T-Online Service Team

 Attachment: Neue Tarife.txt.vbs

In English the message subject and body are as follows:

Subject:

News from your Internetserviceprovider - Robert T. Online informs

 Body:
 Dear Internetsurfer, several things changed at our side. Telekom can reduce
 also your Internet charges. We also have for you the right rate...To be
 able to decide, we have attached an overview of the relevant dates to this
 mail. We are sure, also you will find your prefered rate.
 If you have questions, you can of course contact us...
 Your T-Online Service Team

When the attached file is executed, the worm will mail itself to the each recipient in every address book. After mass mailing have been done, this variant adds the following key to the registry: 

HKEY_CURRENT_USER\software\mailed

This variant also replicates using mIRC and Pirch IRC clients.

There is also a version that is not encrypted. However, due a bug it does not replicate.

Information about the original VBS/Onthefly.A (also known as I-Worm.Lee.o and VBS/VBSWG) is available at: https://www.F-Secure.com/v-descs/onthefly.shtml