Re: Has anyone else seen/encountered the "VBS.Network" virus? I just did.

[Robert.Graham () NETWORKICE COM (Robert Graham)]

Network.vbs is a worm that copies itself through File and Print Sharing.

"Repair" removes the virus from the file. Remember: a virus attachs itself
to existing files; so repair undoes this. In your case, it isn't a virus but
a worm, so removing the virus would remove the file, which it cannot do.

"Quarantine" encrypts the file. The file still exists, but has been weakly
encrypted so that it is no longer a valid file. This means you can
un-quarantine at any time and you don't lose a file due to false positives.

I somebody could send me a copy of this file; I would really appreciate it.
I would love to run it and create a network-based intrusion detection
signature for our product.

Regards,
Robert Graham
CTO/Network ICE

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On
Behalf Of Olaf Black
Sent: Sunday, February 27, 2000 11:22 PM
To: INCIDENTS () securityfocus com
Subject: Has anyone else seen/encountered the "VBS.Network" virus? I
just did.

Hello all:

Norton Antivirus just popped up an alert indicating that it had found a
file:

C:\Windows\TEMP\tmpB214.TMP

That had been infected with the "VBS.Network" virus.

Norton first asked me if I wanted to repair the file.  Since this was the
"recommended" procedure from Norton, I went ahead and let NAV attempt to
repair the file.

NAV then came back and told me that the file could not be repaired, and that
the next "recommended" course of action would be to "quarantine" the file so
I went ahead and NAV came back and said that it successfully quarantined the
file.

With that, I have some questions.

What is the "VBS.Network" virus?  What does it do exactly?  What does
"quarantining" an infected file do?  Does it mean a file is moved off into a
"safe" directory and modified in some way?

Thanks,

Olaf