VBS.Network.B

Discovered:
07 April 2000
Updated:
13 February 2007

This variant of VBS.Network places a password-stealing Trojan on the computer.



There are other things that you can do to protect your system from this type of Trojan Horse.

Additional precautions that you can take:
Some threats, such as this one, use the VBScript computer language to run. You can protect yourself from threats that use this language by enabling Script Blocking (Norton AntiVirus 2001/2002) or by disabling or uninstalling the Windows Scripting Host. Because the Windows Scripting Host is an optional part of Windows, it can be safely removed from your computer. (Some programs, however, do need this feature installed in order to function properly.)
  • If you are using Norton AntiVirus 2002, which includes Script Blocking, make sure that Script Blocking is enabled (the default).
  • If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available. Please run LiveUpdate to obtain this.
  • For other versions of Norton AntiVirus, SARC offers a tool to disable the Windows Scripting Host.
  • To disable the Windows Scripting Host in Microsoft Outlook Express only, see the Microsoft Knowledge Base document OLEXP: How to Disable Active Scripting in Outlook Express, Article ID: Q192846.


Configure Windows for maximum protection
Because this virus spreads by using shared folders on networked computers, to ensure that the virus does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.

Antivirus Protection Dates

  • Initial Rapid Release version 07 April 2000
  • Latest Rapid Release version 08 August 2016 revision 023
  • Initial Daily Certified version 07 April 2000
  • Latest Daily Certified version 09 August 2016 revision 001
  • Initial Weekly Certified release date pending

VBS.Network.B attempts to copy itself across a network by first locating shared network drives and then mapping them to a local drive letter. Once a Windows 95/98/NT drive is infected, the worm tries to copy itself to the StartUp folder of the drive to ensure execution at startup. The worm remains in memory until the system is restarted.

VBS.Network.B places the following two password-stealing Trojan files in the C:\Windows\System folder (Windows 95/98) or the C:\Windows\System32 folder (Windows NT):
  • Network.exe
  • Network.dll

It adds the following name and data values to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key:
  • Name value: Network Task
  • Data value: C:\WINDOWS\SYSTEM\network.exe

The Network.vbs file may be copied to one or more locations, including the root folder, \Windows, \Windows\System, and \Windows\Start Menu\Programs\StartUp.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

You need to remove the registry entry or entries made by the worm, and then remove two files. Please follow these steps:

WARNING: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or damaged files. Please make sure you modify only the keys specified. Please see the document, How to back up the Windows 95/98/NT registry, before proceeding.
  1. Click Start, and then click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Click the Edit menu, and then click Find.
  4. Type vbs.network in the Find what box, and then click Find Next.

    NOTE: If you have the Windows Scripting Host installed, it comes with the sample file, Network.vbs. This file is not infectious. It is commonly found in the C:\Windows\Samples\Wsh folder. It is not necessary to delete this file, but doing so will not harm the system. File names alone are not enough to determine if a file is clean or infectious.

    What you do if any instances of VBS.Network are found will depend on what key they are attached to. In at least one case, it was found attached to a payroll software program key. If you find this, and are not sure what to do, we suggest that you contact the program vendor that the key in question represents, or obtain the services of a qualified computer consultant.

    NOTE: If you find a reference to this file in the \Doc Find Spec MRU key, you may delete it or leave it. The MRU is a most-recently-used list, which is simply a list of names that have been searched for recently using the Find Files function of Windows Explorer.
  5. Select any files that are found, (with the exception of the Scripting Host sample file in the C:\Windows\Samples\Wsh folder), and then delete them.
  6. Navigate to and select the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  7. In the right pane, look for the following Name and Data, and if found, delete it:

    Network Tasks              C:\windows\system\network.exe
  8. Exit the registry editor.
  9. Click Start, point to Find, and then click Files or Folders.
  10. Type network.vbs in the Named box, and then click Find Now.
  11. Select any files that are found, and then delete them.
  12. Close the Find Files dialog box.
  13. Type network.exe in the Named box, and then click Find Now.
    • If the file is located in the \StartUp folder, and the file type is Shortcut, then delete it.
    • If the file is located in the C:\Windows\System folder (Windows 95/98) or the C:\Windows\System32 folder (Windows NT), then delete it. If you see a message that the file is in use, you will have to remove it in MS-DOS mode (Windows 95/98). Go on to the next step.
  14. Type network.dll in the Named box, and then click Find Now.
    • If the file is located in the C:\Windows\System folder (Windows 95/98) or the C:\Windows\System32 folder (Windows NT), then delete it.
    • If you see a message that the file is in use, you will have to remove it in MS-DOS mode (Windows 95/98).
  15. If you were able to delete both files mentioned in steps 13 and 14, you are finished. If not, go on to the next step.
  16. Exit all programs.
  17. Restart the computer in MS-DOS Mode:
    • If you are using Windows 95:
      1. If the computer is on, close all programs, and, if possible, shut down Windows.
      2. Turn off the computer, and wait thirty seconds. You must turn off the power to clear memory.
      3. Restart the computer, and watch the screen. When you see "Starting Windows 95," press F8.
      4. Select "Safe Mode Command Prompt Only" from the startup menu, and then press Enter.
    • If you are using Windows 98:
      1. If the computer is on, close all programs, and, if possible, shut down Windows.
      2. Turn off the computer and wait thirty seconds. You must turn off the power to clear memory.
      3. Restart the computer and immediately press and hold down the Ctrl key until the Windows 98 startup menu appears.
      4. Select "Safe Mode Command Prompt Only" from the startup menu, and then press Enter.
  18. At the DOS prompt, which should appear similar to C:\>, type the following commands in the sequence shown. Press Enter after each one:

    NOTE: These instructions assume that the path to your Windows folder is C:\Windows. Substitute the path appropriate for your system.

    cd windows\system
    del network.exe
    del network.dll
  19. Shut off the power, wait at least 30 seconds, and then restart the computer.
  20. Start NAV and then run a full system scan.
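As an added example, not part of the Symantec writeup, the following Python script applies the indicators given in the description above (the HKLM Run value and the dropped files Network.exe, Network.dll and Network.vbs) and in the removal steps, but offline: it parses a REGEDIT4-style registry export and a file listing, both constructed here as sample input, instead of touching a live machine. It follows the NOTE in step 4 by reporting a Network.vbs in C:\Windows\Samples\Wsh separately rather than flagging it, and matches the Run value by its name or by its target file, since the writeup gives the name as both "Network Task" and "Network Tasks". Key paths, value names and file names come from the writeup; the export format handling, the sample data and the function names are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Indicators as given in the writeup
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_PREFIX = "network task"   # writeup shows both "Network Task" and "Network Tasks"
DROPPED_FILES = {"network.exe", "network.dll", "network.vbs"}
# Location of the benign Windows Scripting Host sample (see the NOTE in step 4)
WSH_SAMPLE_DIR = str(PureWindowsPath(r"C:\Windows\Samples\Wsh")).lower()

# Constructed REGEDIT4-style export: sample input, not taken from a real machine
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Network Task"="C:\\WINDOWS\\SYSTEM\\network.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU]
"a"="network.vbs"
"MRUList"="a"
'''

# Constructed file listing: sample input
SAMPLE_FILES = [
    r"C:\Windows\Samples\Wsh\network.vbs",                  # shipped WSH sample
    r"C:\WINDOWS\SYSTEM\network.exe",
    r"C:\WINDOWS\SYSTEM\network.dll",
    r"C:\WINDOWS\Start Menu\Programs\StartUp\network.vbs",
    r"C:\WINDOWS\SYSTEM\kernel32.dll",
]

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg exports double backslashes and escape quotes inside string data
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor Version 5.00' text export
    into {key_path: {value_name: data}}. Quoted (REG_SZ) data is unescaped;
    other value types are kept as the raw text after '='."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_run_persistence(keys):
    """Return (name, data) pairs under the HKLM Run key that match the worm:
    either the value name the writeup gives, or data whose target file is
    network.exe (so a renamed value still shows up)."""
    hits = []
    for key, values in keys.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            target = PureWindowsPath(data.strip('"')).name.lower()
            if name.lower().startswith(RUN_VALUE_PREFIX) or target == "network.exe":
                hits.append((name, data))
    return hits


def classify_files(paths):
    """Split a listing into files matching the dropped-file names (suspect) and
    the WSH sample copy (review). The writeup says a file name alone does not
    prove a file clean, so the sample is reported rather than silently ignored."""
    suspect, review = [], []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() not in DROPPED_FILES:
            continue
        (review if str(wp.parent).lower() == WSH_SAMPLE_DIR else suspect).append(p)
    return suspect, review


def find_mru_references(keys):
    """Doc Find Spec MRU entries naming network.vbs: harmless per the writeup,
    but evidence that someone already searched for the file on this machine."""
    return [(key, name, data) for key, values in keys.items()
            if key.lower().endswith(r"\doc find spec mru")
            for name, data in values.items()
            if data.lower() == "network.vbs"]


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    for name, data in find_run_persistence(reg):
        print(f"[Run persistence] {name!r} -> {data}")
    suspect, review = classify_files(SAMPLE_FILES)
    for p in suspect:
        print(f"[dropped file]    {p}")
    for p in review:
        print(f"[WSH sample]      {p}")
    for key, name, data in find_mru_references(reg):
        print(f"[MRU reference]   {key} {name}={data}")
```

Run against a real export produced with regedit's Export command and a directory listing, the suspect list maps directly onto steps 7 and 11 to 14 above; the review list is the sample file the NOTE in step 4 tells you may be left alone.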


Writeup By: Keith Smith