The malware targets Windows computers, and arrives in an email bearing the subject "Re" and an attachment that will have an .asp, .hta, .htm, .htt, .html, .vbe or .vbs extension. Upon infection, the virus uses Microsoft Outlook to send itself to everyone in the Microsoft Outlook Address Book. "If the day is the 6th, 13th, 21st, or 28th, the worm will delete all the files from the computer," Symantec reports. Despite its nasty payload, SANS notes that VBS.Pub "doesn't possess any earth-shattering characteristics to make it a significant propagation threat."
In recent years, malware writers have found it more useful to control machines than destroy them, using a compromised computer's Internet connection to deliver spam or mount denial of service attacks. Disabling the host machine also impedes the spread of the virus.
VBS.Pub solves that problem with a time-release payload that mimics the CIH/Chernobyl virus, one of the Net's most destructive viruses. Chernobyl began circulating in 1998, and featured a payload that was triggered on April 26, 1999, the anniversary of the Chernobyl nuclear accident, and in some versions was reactivated on the 26th of every month. CIH overwrote data on an infected machine's hard drive, leaving most unusable.