The VBS/Netlog visual basic script resides in the Startup group of the Start Menu and is run at each reboot. The filename is NETWORK.VBS. The script also creates a log file, C:\NETWORK.LOG.
This worm generates a random IP subnet address and records it in the log file. The generated address contains only the first part of the usual IP address. The worm probes for each address in that subnet by stepping through the IP address numbers from 0 to 255. It attempts to map the remote C: drive to the local drive letter J: for each generated address.
If the mapping attempt is not successful, it repeats the process for the next address in sequence. When all addresses in the current subnet have been tried, it creates another random subnet address, enters it in the log file, and continues.
If the mapping is successful, the worm attempts to copy itself first to the root directory of the mapped drive, and then to the following directories, most of them targeting the Startup group so that it will run during Windows start-up:
j:\windows\startm~1\programs\startup\
j:\windows\
j:\windows\start menu\programs\startup\
j:\win95\start menu\programs\startup\
j:\win95\startm~1\programs\startup\
j:\wind95\
The worm will not work under Windows NT as these paths are valid only for Windows 95/98.