This is the message our network guy sent out when this virus went around our system. I hope this helps. ************************************************************************* READ BELOW.... If you opened the "Check this out" virus you will need to delete the two files and then run REGEDIT and remove a registry entry. Select START the RUN. Type REGEDIT and hit return. Click on the + sign to expand the tree and follow it down the list HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. When you reach the run folder go to the window on the right hand side and delete the entry Rundll=RUNDLL.VBS VBS.Freelink is an encrypted worm that will work under Windows 98, Windows 2000 and all the other Windows supporting VB Scripting language. Once the worm is launched, it will use MS Outlook to automatically send an email with an attachment of itself. Similar to the Melissa virus <http://www.symantec.com/region/uk/avcenter/venc/mailissa.html>, this worm uses MAPI calls to get user profiles from MS Outlook. The subject of the email message generated by this worm is: "Check this" and the body of the message is: "Have fun with these links. Bye". When the attached file is executed, it will create the following two files: C:\WINDOWS\LINKS.VBS C:\WINDOWS\SYSTEM\RUNDLL.VBS It will also create a file called LINKS.VBS in the root of all network drives that are currently mapped. Next, the worm will modify the following registry to execute every time the machine boots up: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run\Rundll=RUNDLL.VBS After infecting a system, it will displays a dialog box title "Free XXX links" with following content: "This will add a shortcut to free XXX links on your desktop. Do you want to continue". If the user selects yes, it will create a shortcut pointing to an adult web site. ************************************************************************* -----Original Message----- From: kevin carothers [mailto:[EMAIL PROTECTED]] Sent: Tuesday, November 30, 1999 1:10 PM To: [EMAIL PROTECTED] Subject: Re: "check this" virus Okay, I opened it... NOW what do I do? kevin carothers [EMAIL PROTECTED] =========================================================================== To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST". FAQs on JSP can be found at: http://java.sun.com/products/jsp/faq.html http://www.esperanto.org.nz/jsp/jspfaq.html =========================================================================== To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST". FAQs on JSP can be found at: http://java.sun.com/products/jsp/faq.html http://www.esperanto.org.nz/jsp/jspfaq.html
