This is the mail archive of the xsl-list@mulberrytech.com mailing list.



RE: Check this


FURTHER INFO:

Virus name: VBS.Freelink

Name
VBS/Freelink 

Aliases
Freelink, LINKS.VBS, VBS/Freelinks.A 

Variants
None 

Date Added
7/7/99 

Information
  Discovery Date: 7/6/99 
  Length: 12,268 
  Type: Trojan 
  SubType: MAPI 
  Risk Assessment: Medium 
  Minimum DAT: 4035 
  Minimum Engine: 4.0.25 


Characteristics
*Note - AVERT recommends scanning for all files at the Internet gateway or
email server. In addition, you should review your current default extension
and confirm .VBS is included for the scanning.*

This VB-Script worm distributes itself as an email attachment and attempts
to invoke two common IRC clients. The 'To' field of the email is always
empty and the email subject always appears as: 

Check this 

The email body contains the attachment, normally 'Links.vbs', and the line 

Have fun with these links.
Bye. 

When the recipient opens (runs) this script attachment on a system that
supports the Windows Scripting Host (installed by default in Windows98 and
Windows2000), the encrypted worm will drop two VBS script files on the
system:

%Windows%\Links.vbs 
%Windows%\System\Rundll.vbs

On Windows NT systems, the files are placed in the following folders:

C:\WINNT\links.vbs
C:\WINNT\SYSTEM32\rundll.vbs

Then a message box will be displayed like: 

DesktopFREE XXX LINKS.URL 
This will add a shortcut to the XXX sites on your desktop. 
Do you want to continue (Yes/No). 

If Yes was answered a desktop shortcut symbol 'FREE XXX LINKS' is created,
linking to an adult website. Afterwards (in both cases) the worm continues
to look for mapped drives to also copy \Links.vbs to their root directory.
Execution, thus possibly further spreading, here is only possible if another
user activates the script file manually. Now the main distribution method is
called: 

If MS Outlook98 or MS Outlook2000 are running, the worm will search all
address entries in all Outlook address books (Global, Personal, Contacts
etc.) to create a list of recipients, which will be BCC-ed (thus not visible
in the TO field) on the generated message containing the worm attachment.

The second file 'Rundll.vbs' will be installed in the registry to run
automatically on Windows startup, using the particular key:
\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Rundll 

When RunDll.vbs is executed, the file Links.vbs will be re-encrypted
differently and the code searches for two installed IRC software clients by
searching the complete directories of C:\MIRC, C:\Pirch98 for the
executables Mirc32.exe and Pirch98.exe. Additionally the local system
'Program Files' folder of Windows is examined the same way. If one IRC
installation is found, the appropriate INI script is dropped on this
location: Script.ini or Events.ini. If the client software is able to
support these script commands, during the next IRC session the worm
%Windows%\Links.vbs is sent via DCC, when a user joins a channel.


Symptoms
Existence of files "LINKS.VBS" and "RUNDLL.VBS" as mentioned above, mass
mailing to users of the file LINKS.VBS with the email formatted as mentioned
above, registry modifications to load the file "RUNDLL.VBS" as mentioned
above.


Method Of Infection
Running the file LINKS.VBS will install to the local machine as mentioned
above, if Windows Scripting Host is installed.


Removal Instructions
Use specified engine and DAT files for detection. Removal requires rebooting
to MS-DOS mode to first remove the file from Windows memory before deleting
the files detected as the trojan. Use the command line scanner to detect and
remove or delete manually. Remove references in WIN.INI and/or SYSTEM.INI
and/or registry where applicable for final clean-up measures.


> -----Original Message-----
> From: Mahesh Nathan [mailto:Mahesh.Nathan@postx.com]
> Sent: 18 February 2000 17:55
> Subject: Check this
> 
> 
> Have fun with these links.
> Bye.
> 
> 


 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
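
The advisory's note about scanning at the mail gateway with .VBS in the extension list, combined with the message format it describes (empty 'To', subject "Check this", 'Links.vbs' attachment), maps onto a simple filter rule. The Python below is an added example, not part of the original post or the vendor's advisory; the function names, the example.com addresses, the sample messages and the quarantine policy are assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage

SCRIPT_EXTS = (".vbs",)  # advisory note: confirm .VBS is in the scanned extensions

def freelink_indicators(raw):
    """List which traits from the advisory a raw RFC 822 message matches."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if not (msg.get("To") or "").strip():
        hits.append("empty-to")            # recipients are BCC-ed, 'To' is empty
    if (msg.get("Subject") or "").strip().lower() == "check this":
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(SCRIPT_EXTS):
            hits.append("vbs-attachment:" + name)
        elif part.get_content_type() == "text/plain" and not name:
            if "have fun with these links" in part.get_content().lower():
                hits.append("body-text")
    return hits

def should_quarantine(raw):
    """Assumed policy: hold any mail carrying a script attachment.

    Subject and body text alone are not enough: replies and quoted copies
    (such as the list post above) repeat them without the attachment.
    """
    return any(h.startswith("vbs-attachment:") for h in freelink_indicators(raw))

def build_sample(subject, to, attach_name):
    """Constructed test message; the attachment is a harmless placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    if to:
        m["To"] = to
    m["Subject"] = subject
    m.set_content("Have fun with these links.\nBye.\n")
    if attach_name:
        m.add_attachment(b"' constructed placeholder, not worm code\n",
                         maintype="application", subtype="octet-stream",
                         filename=attach_name)
    return m.as_string()

if __name__ == "__main__":
    for s in (build_sample("Check this", None, "Links.vbs"),
              build_sample("RE: Check this", "list@example.com", None)):
        print(should_quarantine(s), freelink_indicators(s))
```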
