Yeah I just got it too ..its a Windows based VBScript virus here's some info
on it from McAffe ( I prolly spelled that wrong) I also emailed him to tell
him so please don't saturate his mailbox guys. Peace
Darryl
P.S. Oh yeah..it wont work in Linux :)
Virus Name
VBS/Freelink
Date Updated
10/11/99
Virus Characteristics
This VB-Script worm distributes itself as an email attachment and attempts to
invoke two common IRC clients. The �To� field of the email is always empty and
the email subject always appears as:
Check this
The email body contains the attachment, normally �Links.vbs�, and the line
Have fun with these links.
Bye.
When the recipient opens (runs) this script attachment on a system, which
supports the Windows Scripting host ( installed by default in Windows98 and
Windows2000 ) the encrypted worm will drop two VBS script files on the system:
%Windows%\System\Rundll.vbs
%Windows%\Links.vbs
Then a message box will be displayed like:
DesktopFREE XXX LINKS.URL
This will add a shortcut to the XXX sites on your desktop.
Do you want to continue (Yes/No).
If Yes was answered a desktop shortcut symbol �FREE XXX LINKS� is created,
linking to an adult website. Afterwards (in both cases) the worm continues to
look for mapped drives to also copy \Links.vbs to their root directory.
Execution, thus possibly further spreading, here is only possible if another
user activates the script file manually. Now the main distribution method is
called:
If MS Outlook98 or MS Outlook2000 are running, the worm will search all
address entries in all Outlook address books ( Global, Personal, Contacts
etc.) to create a list of recipients, which will be BCC-ed (thus not visible
in the TO field) on the generated message containing the worm attachment.
The second file �Rundll.vbs� will be installed in the registry to run
automatically on Windows startup, using the particular key:
\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Rundll
When RunDll.vbs is executed, the file Links.vbs will be re-encrypted
differently and the code searches for two installed IRC software clients by
searching the complete directories of C:\MIRC, C:\Pirch98 for the executables
Mirc32.exe and Pirch98.exe. Additionally the local system �Programs files�
folder of Windows is examined the same way. If one IRC installation is found,
the appropriate INI script is dropped on this location: Script.ini or
Events.ini. If the client software is able to support these script commands,
during the next IRC session the worm %Windows%\Links.vbs is send via DCC, when
a user joins a channel.
NOTE:
AVERT Recomends scanning for all files at the gateway. In addition, you should
review your current default extension and confirm .VBS is included for the
scan.
Indications Of Infection
Not Available...
Method Of Infection
Not Available...
Virus Information
Discovery Date: 7/6/99
Type: VBScript
Risk Assessment: Medium-On Watch
Minimum DAT: 4035 (With 4.0.25 Engine)
Variants
Unknown
Aliases
Freelink
David Huybregts wrote:
> It is off-topic, I know. But I just received a mail from this guy, with an
> attachment with a virus...
>
> And as far as I can see, it has been sent to all subscribers from
> Linux-newbie.
> It won't probably do much harm on an linux-box, though :-)
>
> Take care!
>
> David
