
LINKS.VBS Virus Alert



Information for list members.

-----Original Message-----
From: Elaine & Kevin [mailto:kevii@xxxxxxxxxxxxxx]
Sent: Friday, 25 February, 2000 11:29
To: njh@xxxxxxxxx
Cc: njhprovo@xxxxxxxxxxxx
Subject: RE: Check this VIRUS!


This message, which appears to have come from you, had the "links.vbs" worm
virus attached.  This is a genuine virus, similar to "Melissa".

Please take urgent steps to remove the infection so that you don't continue
to spread the virus.

See info from http://vil.mcafee.com/vil/vbs10225.asp below.

Regards
Kevin

-----Original Message-----
From: Neil Harrington [mailto:njhprovo@xxxxxxxxxxxx]
Sent: Friday, 25 February, 2000 07:23
To: njhprovo@xxxxxxxxxxxx
Subject: Check this


Have fun with these links.
Bye.

Virus Profile

Virus Name
VBS/Freelink

Date Added
7/7/99

Virus Characteristics
*Note - AVERT recommends scanning for all files at the Internet gateway or
email server. In addition, you should review your current default extension
and confirm .VBS is included for the scanning.*

This VB-Script worm distributes itself as an email attachment and attempts
to invoke two common IRC clients. The ‘To’ field of the email is always
empty and the email subject always appears as:

Check this

The email body contains the attachment, normally ‘Links.vbs’, and the line

Have fun with these links.
Bye.

When the recipient opens (runs) this script attachment on a system that
supports the Windows Scripting Host (installed by default in Windows98 and
Windows2000), the encrypted worm will drop two VBS script files on the
system:

%Windows%\Links.vbs
%Windows%\System\Rundll.vbs

On Windows NT systems, the files are placed in the following folders:

C:\WINNT\links.vbs
C:\WINNT\SYSTEM32\rundll.vbs

Then a message box will be displayed like:

DesktopFREE XXX LINKS.URL
This will add a shortcut to the XXX sites on your desktop.
Do you want to continue (Yes/No).

If Yes was answered, a desktop shortcut symbol ‘FREE XXX LINKS’ is created,
linking to an adult website. Afterwards (in both cases) the worm continues
to look for mapped drives and also copies \Links.vbs to their root directory.
Execution there, and thus possible further spreading, is only possible if
another user activates the script file manually. Now the main distribution
method is called:

If MS Outlook98 or MS Outlook2000 is running, the worm will search all
address entries in all Outlook address books (Global, Personal, Contacts,
etc.) to create a list of recipients, which will be BCC-ed (thus not visible
in the TO field) on the generated message containing the worm attachment.

The second file ‘Rundll.vbs’ will be installed in the registry to run
automatically on Windows startup, using the particular key:
\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Rundll

When RunDll.vbs is executed, the file Links.vbs will be re-encrypted
differently and the code searches for two installed IRC software clients by
searching the complete directories of C:\MIRC, C:\Pirch98 for the
executables Mirc32.exe and Pirch98.exe. Additionally, the local system
‘Program Files’ folder of Windows is examined the same way. If one IRC
installation is found, the appropriate INI script is dropped in this
location: Script.ini or Events.ini. If the client software is able to
support these script commands, during the next IRC session the worm
%Windows%\Links.vbs is sent via DCC when a user joins a channel.

Indications Of Infection
Existence of files "LINKS.VBS" and "RUNDLL.VBS" as mentioned above, mass
mailing to users of the file LINKS.VBS with the email formatted as mentioned
above, registry modifications to load the file "RUNDLL.VBS" as mentioned
above.


Method Of Infection
Running the file LINKS.VBS will install to the local machine as mentioned
above, if Windows Scripting Host is installed.

Removal Instructions
Use specified engine and DAT files for detection. Removal requires rebooting
to MS-DOS mode to first remove the file from Windows memory before deleting
the files detected as the trojan. Use the command line scanner to detect and
remove or delete manually. Remove references in WIN.INI and/or SYSTEM.INI
and/or registry where applicable for final clean-up measures.

Virus Information
  Discovery Date: 7/6/99
  Length: 12,268
  Type: Trojan
  SubType: MAPI
  Risk Assessment: Medium


Variants
Name Type Sub Type Differences
Unknown


Aliases
Freelink, LINKS.VBS, VBS/Freelinks.A

Related Viruses
Unknown

Related Downloads
None

Related Images
None

Minimum Dat
4035

Minimum Engine
4.0.25
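
A mail-gateway check built from the e-mail indicators in the profile above (subject, empty To field, body line, .VBS attachment), as an added example that is not part of the original message or of the McAfee profile. The function names, verdict labels and the three-indicator threshold are assumptions, and the sample messages are constructed with an inert attachment.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted from the profile above, lower-cased for comparison.
SUBJECT = "check this"
BODY_MARKER = "have fun with these links."
SCRIPT_EXT = ".vbs"  # extension AVERT says to include in gateway scanning


def score_message(raw):
    """Return the profile indicators matched by a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    if not (msg["To"] or "").strip():  # recipients were BCC-ed
        hits.append("empty-to")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(SCRIPT_EXT):  # also catches e.g. photo.jpg.vbs
            hits.append("vbs-attachment")
            if name == "links.vbs":
                hits.append("links.vbs")
        elif part.get_content_type() == "text/plain":
            if BODY_MARKER in part.get_content().lower():
                hits.append("body-text")
    return hits


def verdict(raw):
    """Assumed policy: any .vbs is held; .vbs plus two more hits is quarantined."""
    hits = score_message(raw)
    if "vbs-attachment" not in hits:
        return "deliver"  # subject or empty To alone is too common to act on
    return "quarantine" if len(hits) >= 3 else "hold-for-review"


def build_sample(subject, to, body, attachment=None):
    """Construct a test message; the attachment payload is an inert comment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    if to:
        m["To"] = to
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"' inert placeholder\r\n", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```
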