[ale] Followup: Confirmed Virus

Mike Smith masmith at bsat.com
Wed Sep 29 15:45:52 EDT 1999


Once again, I am sorry about the accidental post from this VBScript virus (of
sorts) and the off-topic comments below.  This will be my last post on this
subject and I apologize for my stupidity.

Here is the information on the VBS.Freelink virus from the Symantec site for
those who accidentally clicked on the LINK.VBS file in Outlook.

 VBS.Freelink

Detected As: VBS.Freelink
Aliases: Freelink, VBS.Freelink
Area of Infection: \Windows and \Windows\System folder
Likelihood: Common
Detected On: July 2nd, 1999
Characteristics: Trojan Horse, Worm


Technical Notes:
VBS.Freelink is an encrypted worm that will work under Windows 98, Windows
2000 and all other Windows versions supporting the VB Scripting language. Once the
worm is launched, it will use MS Outlook to automatically send an email with
an attachment of itself. Similar to the Melissa virus, this worm uses MAPI
calls to get user profiles from MS Outlook. The subject of the email message
generated by this worm is:

"Check this"

and the body of the message is:

"Have fun with these links. Bye".

When the attached file is executed, it will create the following two files:

C:\WINDOWS\LINKS.VBS
C:\WINDOWS\SYSTEM\RUNDLL.VBS

It will also create a file called LINKS.VBS in the root of all network
drives that are currently mapped. Next, the worm will modify the following
registry entry so that it executes every time the machine boots up:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Rundll=RUNDLL.VBS

After infecting a system, it will display a dialog box titled "Free XXX
links" with the following content:

"This will add a shortcut to free XXX links on your desktop.
Do you want to continue".

If the user selects yes, it will create a shortcut pointing to an adult web
site.

It also searches for the MIRC32.EXE and PIRCH98.EXE chat programs in C:\MIRC,
C:\PIRCH98, C:\PROGRAM FILES and the subdirectories of each of these
directories. If it finds either of these programs, it will modify the
corresponding SCRIPT.INI file or EVENTS.INI located in the same directory.
These INI files will cause LINKS.VBS to be sent to other people during the
IRC sessions.
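
For checking a mounted copy of a drive and a regedit text export against the indicators listed in the advisory above, a sketch in Python (an added example, not part of the original post or of Symantec's write-up). The function names, the mounted-image approach, and the assumption that a modified SCRIPT.INI or EVENTS.INI names LINKS.VBS in its text are illustrative.

```python
import os
import re

# Indicators from the advisory text; paths are relative to a drive root.
DROPPED = ["WINDOWS/LINKS.VBS", "WINDOWS/SYSTEM/RUNDLL.VBS", "LINKS.VBS"]
IRC_DIRS = ["MIRC", "PIRCH98", "PROGRAM FILES"]
IRC_INIS = {"SCRIPT.INI", "EVENTS.INI"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"

def find_ci(root, rel):
    """Resolve rel under root ignoring case (FAT names); None if absent."""
    cur = root
    for part in rel.split("/"):
        try:
            names = [n for n in os.listdir(cur) if n.upper() == part.upper()]
        except OSError:
            return None
        if not names:
            return None
        cur = os.path.join(cur, names[0])
    return cur

def scan_drive(root):
    """Return sorted (indicator, path relative to root) findings for one drive."""
    hits = []
    for rel in DROPPED:
        p = find_ci(root, rel)
        if p and os.path.isfile(p):
            hits.append(("dropped-file", os.path.relpath(p, root)))
    for d in IRC_DIRS:
        top = find_ci(root, d)
        for dirpath, _, files in os.walk(top) if top else []:
            for f in files:
                if f.upper() not in IRC_INIS:
                    continue
                p = os.path.join(dirpath, f)
                with open(p, errors="replace") as fh:
                    # Assumption: a modified INI names LINKS.VBS in its text.
                    if "LINKS.VBS" in fh.read().upper():
                        hits.append(("irc-script", os.path.relpath(p, root)))
    return sorted(hits)

def run_key_hit(reg_text):
    """True if a regedit text export sets Run\\Rundll to RUNDLL.VBS."""
    section = ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").upper()
        elif section == RUN_KEY and re.match(r'"RUNDLL"\s*=\s*".*RUNDLL\.VBS"$', line.upper()):
            return True
    return False
```

Run `scan_drive` once per drive root, including each mapped network drive, since the advisory says LINKS.VBS is also written to the root of those.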





