Spyware & Antivirus - Security: Discuss all system security, spyware, adware and malware issues here.

#1
Guest
Posts: n/a
I am having a problem with a system. Norton picked up viruses in the windows\temp directory. It says they are vbs.sst@mm. I can delete them, but as soon as I do, it replaces them. I have also tried deleting the entire temp folder; as soon as Windows rebuilds it, the virus comes back. Any ideas?
------------------ Everywhere you go, there you are...

#2
Registered User
Join Date: Jul 2000
Location: Huntington Beach, CA, USA
Posts: 1,515
What is the infected file and how good are your programming skills?

If the infected file is a .VBS file then you are infected with a VBS virus (remember I Love You and Kournikova?). Do a search of your hard drive for *.vbs - anything questionable, delete. Search for *.htm, *.html - anything questionable, delete. Check Symantec's site: do a search for that virus in the encyclopedia on their site and read about how it operates. All else tried and it still comes back - copy the original file to a disk and print the file from a machine that has a clean install of Windows on it and has no data, nor is connected to any network drive shares. Print the file and look at what it does, then undo it.
__________________
Death is lighter than a feather - duty heavier than a mountain. The answer to your question is: 00110100 00110010

#3
Registered User
Join Date: Jul 2000
Location: Huntington Beach, CA, USA
Posts: 1,515
Okay, second update: Your virus definitions should be 02/12/2001 or later - nothing else will catch this.

vbs.sst@mm is the Anna Kournikova virus. VBS.SST@mm is a VBS email worm that has been encoded using a virus creation kit. This worm arrives as an attachment named AnnaKournikova.jpg.vbs. When executed, the worm emails itself to everyone in your Microsoft Outlook address book. On January 26, the worm will attempt to direct your Web browser to an Internet address in The Netherlands, from where the worm appears to have originated.

Also Known As: VBS.Lee-o, VBS.OnTheFly, VBS.Vbswg.gen, Anna Kournikova, VBS/VBSWG.J@mm

When run, the worm creates the following registry key: HKEY_CURRENT_USER\Software\OnTheFly

If the worm is run on January 26, it attempts to direct your Web browser to an Internet address in The Netherlands. Next, it checks to see if the mass-mailing routine has been executed. If not, the worm emails everyone in your Microsoft Outlook address book and sets the following key value equal to "1" (this is equivalent to true): HKEY_CURRENT_USER\Software\OnTheFly\mailed. This prevents the mail routine from running again.

The subject, body and attachment sent by the worm are as follows:
Subject: Here you have, ;o)
Message body: Hi: Check This!
Attachment: AnnaKournikova.jpg.vbs

The worm continues running, and if it is deleted, it attempts to recreate itself. Due to a bug in the code, the worm instead recreates itself as a zero-byte file.

Removal instructions: Virus definitions dated February 12, 2001, or later will detect this worm. To remove VBS.SST@mm:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. If any files are detected as infected by VBS.SST@mm, click Delete.
4. (Optional) Delete the following registry key: HKEY_CURRENT_USER\Software\OnTheFly

Additional information: The following information is for network administrators of corporate versions of Norton AntiVirus. For corporate users, Symantec Technical Support recommends the following:
1. Make sure virus definitions are most current.
2. Delete the email. Do not open the attachment.
3. Disable Windows Scripting to prevent VBS files, such as AnnaKournikova.JPEG.VBS, from executing. Filter attachments with a VBS extension. Microsoft Exchange 2000 in VAPI mode can strip attachments by extension. Contact Microsoft for further information. Microsoft Exchange Server also provides the ExMerge utility, which can be used to purge the Information Store of messages with a specified subject or attachment name. This can be very useful during a virus crisis. For more information, please see the following Microsoft Articles:
   XADM: How to Remove a Message from Exchange by Using the ExMerge Utility -- articleID: Q260037
   XADM: Some Questions and Answers About the ExMerge Utility -- articleID: Q265441
4. Outlook 2000 with the latest security update will not execute VBS attachments. Contact Microsoft for further information.
5. Norton AntiVirus for Microsoft Exchange (NAVMSE) can block attachments by extension when in VAPI mode. Make sure NAVMSE is at a current build. The following Symantec Knowledge Base documents may be helpful:
   How to delete email and its attachment with Norton AntiVirus for Microsoft Exchange
   How to block email attachments based on the file name or extension of attached files
6. With Norton AntiVirus for Email Gateways 2.0 installed, attachments with VBS extensions can be blocked. See the Administrator's Guide for details. The following Symantec Knowledge Base documents may also be helpful:
   How to block email based on the file name or extension of attached files
   How to set up local routing for Norton AntiVirus for Gateways 2.1
   How to block attachments by extension with Norton AntiVirus for Gateways
7. With Norton AntiVirus for Firewalls 1.5 installed, attachments with VBS extensions can sometimes be blocked. See the Administrator's Guide for details.

There are unknown environmental factors that prevent some installations from blocking VBS files. If it works at your site, it will work reliably. If VBS blocking does not work at your site, it will not work at all.
__________________
Death is lighter than a feather - duty heavier than a mountain. The answer to your question is: 00110100 00110010
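The corporate recommendations in the post above come down to one control: strip or block script attachments at the mail gateway before a user can double-click them. The following is an added example, written for this thread and not taken from Symantec or from any of the products named above, of what such a filter checks. It generalizes beyond the single AnnaKournikova.jpg.vbs case: any attachment whose final extension is a Windows script type is flagged, and a "double extension" (photo.jpg.vbs, where the real extension is hidden behind a harmless-looking one) is reported separately. The list of blocked extensions, the two sample messages and the sender addresses are constructed for the demonstration; the subject line and attachment name are the ones the post quotes.

```python
"""Mail-gateway attachment filter for script attachments (added example).

Assumptions (not from the thread): messages arrive as RFC 822 text, and site
policy blocks every attachment whose name ends in a Windows Script Host
extension. The extension list and both sample messages are constructed here.
"""
import email
from email import policy

# Extensions that Windows Script Host or the shell will execute on double-click.
# This set is an assumption of the example, not a list from the post.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".shs"}

# Exact subject the worm uses, as quoted in the post above (indicator only;
# a changed subject would still be caught by the attachment check).
KNOWN_SUBJECTS = {"Here you have, ;o)"}


def suspicious_filename(name):
    """Return a reason string if the attachment name is a script, else None.

    A double extension (photo.jpg.vbs) is reported distinctly because it is
    the social-engineering trick the worm relies on: Explorer hides the last
    extension and the user sees a picture.
    """
    if not name:
        return None
    parts = name.lower().strip().split(".")
    if len(parts) < 2:          # no extension at all
        return None
    ext = "." + parts[-1]
    if ext not in BLOCKED_EXTENSIONS:
        return None
    if len(parts) > 2:
        return f"double extension ending in {ext}"
    return f"script extension {ext}"


def inspect_message(raw):
    """Parse a raw RFC 822 message; return a list of (reason, detail) findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", ""))
    if subject in KNOWN_SUBJECTS:
        findings.append(("known-subject", subject))
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue            # container, not an attachment
        reason = suspicious_filename(part.get_filename())
        if reason:
            findings.append((reason, part.get_filename()))
    return findings


def should_block(raw):
    """Gateway decision: block if any finding was raised."""
    return bool(inspect_message(raw))


# Constructed sample: shaped like the worm mail described in the post.
# The base64 body is a two-byte placeholder, not script content.
WORM_STYLE_MESSAGE = """\
From: sender@example.invalid
To: you@example.invalid
Subject: Here you have, ;o)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Hi: Check This!

--XX
Content-Type: application/octet-stream; name="AnnaKournikova.jpg.vbs"
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"
Content-Transfer-Encoding: base64

Jyc=
--XX--
"""

# Constructed sample: an ordinary mail with a real picture attached.
BENIGN_MESSAGE = """\
From: colleague@example.invalid
To: you@example.invalid
Subject: Team photo
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="YY"

--YY
Content-Type: text/plain

Photo attached.

--YY
Content-Type: image/jpeg; name="team.jpg"
Content-Disposition: attachment; filename="team.jpg"
Content-Transfer-Encoding: base64

/9j/
--YY--
"""

if __name__ == "__main__":
    for label, raw in (("worm-style", WORM_STYLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, "->", "BLOCK" if should_block(raw) else "pass", inspect_message(raw))
```

The decision rests on the attachment name rather than the subject, so the filter keeps working when a variant changes its mail text; the subject match is only an extra indicator for reporting. Note that the check examines the last extension only, which is what the operating system acts on, so renaming a script to .txt (as a later post in this thread does by hand) also stops it from matching.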
#4
Guest
Posts: n/a
I had checked out Symantec's site. The OnTheFly key is not in the registry. These are all temp files. I couldn't find anything that mentioned temp files that were related to this virus.

I did search for all vbs files. It only found the normal ones. I deleted the entire temp directory and ran the virus scan again. The temp files were back already. I had a few other workstations here that were infected with the vbs virus. Norton fixed all of them with no problem... Thanks!
------------------ Everywhere you go, there you are...

#5
Guest
Posts: n/a
I would hit Ctrl-Alt-Del and see if there is anything running that I don’t want besides Systray and Explorer. I have found "wscript" running after having this virus, but only on 1/3 of the machines infected. If so, select it and End Task it.

I would check your startup and see if anything is loading in there: Start - Programs - Startup. Also you can do Start - Run and type "msconfig", go to the Startup tab and see what is loading from the registry. Uncheck the box to prevent it from loading.

I have had to go into Windows\temp and at times manually change the virus extensions by single-clicking, waiting 2 sec, then clicking again to rename, and changing the extension to ".txt" to delete. If you right-click on the file and select Rename, the virus would multiply. After renaming the file to virus.txt I was able to delete the files. Don’t forget to empty the Recycle Bin.

Sometimes your virus software is set to rename the file when the cure fails. You may need to turn this off temporarily. I use InoculateIT and it renames it with a ".avb" extension, but the virus still executes with that extension. Change them to, for example, "x.txt" then delete. Hope this helps and sorry for the ramble.

#6
MegaMod
Join Date: Aug 1999
Location: Winnipeg, MB
Posts: 2,582
Those temp files are actually the plugins the virus downloads for itself. Once you have the rest of the removal process complete, drop to DOS (not a DOS window; shut down and restart in DOS). You should then be able to remove the affected files and folders. If possible, run your A/V software from DOS; it will probably pick up the files and ask you to delete them.
------------------ If it ain't broke......use a bigger hammer
__________________
"we're all amateurs, it's just that some of us are more professional about it than others" ----George Carlin
The above post is © Damned Angel 1999-Present