Freelinks has been found in the wild in Europe (July 1999).
This worm uses an encryption method similar to that of the VBS/Luser viruses (also known as Zulu).
When the worm is executed, it drops an encrypted script file to "C:\Windows\System\Rundll.vbs". After that, VBS/Story changes the registry in such a way that "Rundll.vbs" is executed each time the system is restarted.
Next, the worm shows a dialog box with the following text:
This will add a shortcut to free XXX links on your desktop. Do you want to continue?
If the user presses the "Yes" button, the worm creates an Internet shortcut named "FREE XXX LINKS" on the desktop. The shortcut points to the http://www.sublimedirectory.com web site.
The worm also searches for mapped network shares. If it finds any, it copies itself to the root of each network share.
The worm also uses the Outlook application to mass-mail itself to each recipient in each address book. The mass-mail part is similar to W97M/Melissa, but it doesn't infect Word documents, and it sends itself each time it is executed.
The subject of the message is:
Check this
and the body of the message is:
Have fun with these links.
Bye.
The worm attaches itself to the message as "Links.vbs". When the receiver double-clicks on the attachment, the worm executes and mass-mails itself again.
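A mail-gateway check for the message traits described above (subject, body text and attachment name), as an added example that is not part of the original description. The function names, verdict labels and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Traits taken from the description above, compared case-insensitively.
SUBJECT = "check this"
BODY_MARKER = "have fun with these links."
ATTACHMENT = "links.vbs"

def freelinks_indicators(raw):
    """Return the list of Freelinks message traits found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name == ATTACHMENT:
            hits.append("attachment")
        elif name.endswith(".vbs"):
            hits.append("other-vbs-attachment")
        # Only inline text parts count as the message body.
        if part.get_content_type() == "text/plain" and not name:
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
            if BODY_MARKER in text.lower():
                hits.append("body")
    return hits

def verdict(raw):
    """quarantine: named attachment plus subject or body; hold: any .vbs attachment."""
    hits = set(freelinks_indicators(raw))
    if "attachment" in hits and hits & {"subject", "body"}:
        return "quarantine"
    if hits & {"attachment", "other-vbs-attachment"}:
        return "hold"
    return "pass"

def build_sample(subject, body, filename=None):
    """Build a constructed test message; the attachment is an inert placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "all@example.test", subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"' constructed placeholder\r\n", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    raw = build_sample("Check this", "Have fun with these links.\nBye.", "Links.vbs")
    print(freelinks_indicators(raw), verdict(raw))
```

Matching on the subject alone would flag ordinary mail, so the verdict requires the attachment name as well; any other .vbs attachment is only held for review.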
VBS/Freelinks removes the sent mail from the user's "Sent Mail" folder. This is how it attempts to hide the mass mailing from the user.
As address books normally contain group addresses, the end result of executing the Freelinks virus inside an organization is that the first infected user sends the message to everybody in the organization. After this, other users open the message and send the message AGAIN to everyone else. This overloads e-mail servers many times over, very quickly.
After the machine has been restarted, the worm drops "Links.vbs" to the Windows directory.
The worm also searches the "C:\MIRC" directory for "MIRC32.EXE", the mIRC IRC chat client. If the executable is found, the worm creates a "SCRIPT.INI" file, replacing the existing one. It also searches for another IRC client in the directory "c:\PIRCH98", and if it is found, the worm replaces the "EVENTS.INI" file in the same directory.
After that, both IRC clients, mIRC and Pirch98, will automatically spread the worm when the user enters IRC chat channels.