North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
OT: VBS.FREELINK and Anti-Virus Defaults was: Check This
-----BEGIN PGP SIGNED MESSAGE----- At 03:28 PM 3/9/00 -0500, Kai Schlichting wrote: > >Can someone with a lucky hand in Visual Basic actually tell us what >the trojan attachment we saw (LINKS2.VBS) we saw (full mail headers >included, in case Shawn hasn't seen them yet) actually does. >Seems to cloak itself well, and my Norton AV is *not* detecting anything. 1. Norton reliably detects this (mine did). You need to either a) add .VBS to the scanned extensions, launch NAV, Options, Scanner, Program Files, Select, New and add "VB?" and "SHS" to the default extensions. Or b) NAV, Options, Scanner, All Files and set to scan all files, I recommend this. There was once a performance penalty to scan all files, but between CPU's and AV program optimization, the penalty is no longer noticeable under most circumstances. Changing the setting under scanner also effects the on-access protection, there's no need to search for both option. (W32 unfortunately does not obey extension-association the way many of us learned them in 16-bit Windows. If someone sends you the MELISSA.DOC file as an attachment labeled LAUGH.WAV and you double click it to listen, windows will open the file recognize the headers and open the file in MS Word without an error message and you'll be off and running with the Melissa virus.) 2. Here's the information you asked for about Freelink: from http://www.avp.ch/avpve/script/FREELINK.stm VBS.FreeLink This is a worm written in the Visual Basic Script language (VBS). This worm spreads via e-mail and IRC (Internet Relay Chat) channels. Being executed the worm script creates a new script file "RUNDLL.VBS" in the Windows system folder and modifies the system registry to execute this script on every Windows startup. Then the worm displays message box: This will add a shortcut to free XXX links on your desktop. Do you want to continue? If the user's answer is YES the worm creates a shortcut on the desktop with the URL to an XXX site. Then the worm enumerates all network drives on the local computer and copies the infected script to the root directory of each network drive. To spread via e-mail the worm uses MS Outlook. The worm spreading routine is very closely related to a similar such routine in the "Melissa" virus, and works in the same way. The message contains the worm script (LINKS.VBS) as an attachment. The message subject: Check this The message body: Have fun with these links. The "RUNDLL.VBS" script when run creates another script file "LINKS.VBS" in the Windows directory (LINKS.VBS is the same script as described above). Then it scans all fixed drives for the folders "MIRC", "PIRCH98", "Program Files" (folder where usually installed most of Windows programs) and also all their subfolders and searches for the "MIRC32.EXE" or "PIRCH98.EXE" programs (popular IRC clients). If any of such program is found, the worm creates a script file (SCRIPT.INI for MIRC or EVENTS.INI for PIRCH) that contains commands to send infected "LINKS.VBS" to other IRC users when they join the same IRC channel to which the infected computer is connected. -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.0.2 Comment: When did you backup your hard disk last? iQCVAwUBOMgeAvGfiIQsciJtAQGv2AQAkK/x/3D6CCWaM9X4DvAXi9tX5Wz8P1sO FLEX0yuXyDkWWgssAnf6O73On2apurCGVT7ssM8n/jqTBxdr9XLFn0NcZoS0nIcS kwAzJJSrg5axBfbO4BPpFRKgL/ymasmFWT93lMS2gN27ntWgeih2u+vPOthhClED 0WRB2zrB+Yo= =mqlq -----END PGP SIGNATURE----- -- Regards, David Kennedy CISSP Director of Research Services, ICSA.net http://www.icsa.net Protect what you connect. Look both ways before crossing the Net.