Virus Information

Paul E. Prusakowski

Description

Title:

Virus Information

Creator:

Paul E. Prusakowski

Date:

11/30/1999

Text:

Here is the technical info on the latest Virus from the www.norton.com
website.
The virus will not destroy your system, but will replicate itself and send
copies to everyone on your mail list, as well as create a link to an XXX
site on your desktop. It is a good idea to have an anti virus software
package installed on your system. You can download a free, fully functional,
evaluation package from www.norton.com.

Paul Prusakowski, CPO



VBS.Freelink

Aliases: Freelink, VBS.Freelink
Area of Infection: \Windows and \Windows\System folder
Likelihood: Common
Detected on: July 2, 1999
Characteristics: Trojan Horse, Worm



Description

VBS.Freelink is a virus discovered in July 1999. Symantec AntiVirus Research
Center has recently been receiving an increase in VBS.Freelink virus reports
from our customers. To protect yourself from this virus, all Norton
AntiVirus customers should ensure their virus definitions are up to date by
using the LiveUpdate feature. In order to detect the VBS.Freelink virus, it
is necessary to scan files with the VBS filename extension. It is
recommended to use the options in NAV to scan All files rather than using
the Program Files option. Please note that this may cause performance
issues depending on the software, hardware and configurations you are using.
Newer versions of Norton AntiVirus ship with scan All files as the
default configuration. If you choose to scan only Program Files, please
make sure that the configuration in Norton AntiVirus includes the VBS
file extension, as well as the following file extensions, in the Scanner and
AutoProtect options.

Recommended Extension List as of Oct 5, 1999:

386, ADT, BIN, CBT, CLA, COM, CPL, CSC, DLL, DOC, DOT, DRV, EXE, HTM, HTT,
JS, MDB, MSO, OV?, POT, PPT, RTF, SCR, SHS, SYS, VBS, XL?

Technical Notes

VBS.Freelink is an encrypted worm that will work under Windows 98, Windows
2000 and all other versions of Windows that support the VB Scripting language. Once the
worm is launched, it will use MS Outlook to automatically send an email with
an attachment of itself. Similar to the Melissa virus, this worm uses MAPI
calls to get user profiles from MS Outlook. The contents of the email
generated by this worm are:

Subject: Check this

Have fun with these links. Bye.

When the attached file is executed, it will create the following two files:

C:\WINDOWS\LINKS.VBS
C:\WINDOWS\SYSTEM\RUNDLL.VBS

It will also create a file called LINKS.VBS in the root of all network
drives that are currently mapped. Next, the worm will modify the following
registry entry so that it executes every time the machine boots up:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Rundll=RUNDLL.VBS

After infecting a system, it will display a dialog box titled "Free XXX
links" with the following content:

This will add a shortcut to free XXX links on
your desktop. Do you want to continue.

If the user selects yes, it will create a shortcut pointing to an adult web
site.

It also searches for the MIRC32.EXE and PIRCH98.EXE chat programs in C:\MIRC,
C:\PIRCH98, C:\PROGRAM FILES and the subdirectories of each of these
directories. If it finds either of these programs, it will modify the
corresponding SCRIPT.INI or EVENTS.INI file located in the same directory.
These INI files will cause LINKS.VBS to be sent to other people during the
IRC sessions.
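
The artifacts listed in the Technical Notes can be checked together. The following is an added example, not part of the original message or of Symantec's write-up: it scans a drive root (or a mounted disk image) for the dropped files and for IRC INI files that reference LINKS.VBS, and checks exported Run values. The function names and the idea of passing the Run values in as a dictionary are assumptions made for this sketch.

```python
import os

# Indicators from the advisory text; paths are relative to a drive root.
DROPPED = [("WINDOWS", "LINKS.VBS"), ("WINDOWS", "SYSTEM", "RUNDLL.VBS"), ("LINKS.VBS",)]
IRC_DIRS = ["MIRC", "PIRCH98", "PROGRAM FILES"]
IRC_CLIENTS = {"MIRC32.EXE", "PIRCH98.EXE"}
IRC_INIS = {"SCRIPT.INI", "EVENTS.INI"}

def _resolve(root, parts):
    """Case-insensitive path lookup, so a mounted disk image can be scanned too."""
    path = root
    for part in parts:
        try:
            names = os.listdir(path)
        except OSError:
            return None
        match = [n for n in names if n.upper() == part]
        if not match:
            return None
        path = os.path.join(path, match[0])
    return path

def scan_drive(root):
    """Return (kind, path) findings for one drive root or mounted image."""
    findings = []
    for parts in DROPPED:
        hit = _resolve(root, parts)
        if hit and os.path.isfile(hit):
            findings.append(("dropped-file", hit))
    for top in IRC_DIRS:
        start = _resolve(root, (top,))
        if not start:
            continue
        for dirpath, _dirs, files in os.walk(start):
            by_upper = {f.upper(): f for f in files}
            if not (by_upper.keys() & IRC_CLIENTS):
                continue  # only INI files sitting next to an IRC client
            for ini in sorted(by_upper.keys() & IRC_INIS):
                path = os.path.join(dirpath, by_upper[ini])
                with open(path, encoding="latin-1") as fh:
                    if "LINKS.VBS" in fh.read().upper():
                        findings.append(("irc-script", path))
    return findings

def check_run_values(run_values):
    """run_values: name -> data pairs exported from the Run key named above."""
    return [(n, d) for n, d in run_values.items()
            if n.upper() == "RUNDLL" and "RUNDLL.VBS" in d.upper()]
```

Run scan_drive once per local drive and per mapped network drive, since the write-up says LINKS.VBS is also dropped in the root of each mapped drive.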

                          

Citation

Paul E. Prusakowski, “Virus Information,” Digital Resource Foundation for Orthotics and Prosthetics, accessed November 6, 2024, https://library.drfop.org/items/show/212519.