North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

OT: VBS.FREELINK and Anti-Virus Defaults was: Check This

  • From: David Kennedy CISSP
  • Date: Thu Mar 09 17:01:25 2000


At 03:28 PM 3/9/00 -0500, Kai Schlichting wrote:
>Can someone with a lucky hand in Visual Basic actually tell us what
>the trojan attachment we saw (LINKS2.VBS) we saw (full mail headers
>included, in case Shawn hasn't seen them yet) actually does.
>Seems to cloak itself well, and my Norton AV is *not* detecting

1.  Norton reliably detects this (mine did).  You need to either a)
add .VBS to the scanned extensions, launch NAV, Options, Scanner,
Program Files, Select, New and add "VB?" and "SHS" to the default
extensions.  Or b) NAV, Options, Scanner, All Files and set to scan
all files, I recommend this.  There was once a performance penalty to
scan all files, but between CPU's and AV program optimization, the
penalty is no longer noticeable under most circumstances.  Changing
the setting under scanner also effects the on-access protection,
there's no need to search for both option.  

(W32 unfortunately does not obey extension-association the way many of
us learned them in 16-bit Windows.  If someone sends you the
MELISSA.DOC file as an attachment labeled LAUGH.WAV and you double
click it to listen, windows will open the file recognize the headers
and open the file in MS Word without an error message and you'll be
off and running with the Melissa virus.)

2.  Here's the information you asked for about Freelink:  from


 This is a worm written in the Visual Basic Script language (VBS).
This worm spreads via e-mail
 and IRC (Internet Relay Chat) channels. 

 Being executed the worm script creates a new script file "RUNDLL.VBS"
in the Windows
 system folder and modifies the system registry to execute this script
on every Windows

 Then the worm displays message box: 

 This will add a shortcut to free XXX links on your desktop. Do you
want to continue? 

 If the user's answer is YES the worm creates a shortcut on the
desktop with the URL to an XXX

 Then the worm enumerates all network drives on the local computer and
copies the infected
 script to the root directory of each network drive. 

 To spread via e-mail the worm uses MS Outlook. The worm spreading
routine is very closely
 related to a similar such routine in the "Melissa" virus, and works
in the same way. The
 message contains the worm script (LINKS.VBS) as an attachment. 

  The message subject: Check this
  The message body:    Have fun with these links.

 The "RUNDLL.VBS" script when run creates another script file
"LINKS.VBS" in the Windows
 directory (LINKS.VBS is the same script as described above). Then it
scans all fixed drives for
 the folders "MIRC", "PIRCH98", "Program Files" (folder where usually
installed most of
 Windows programs) and also all their subfolders and searches for the
"MIRC32.EXE" or
 "PIRCH98.EXE" programs (popular IRC clients). If any of such program
is found, the worm
 creates a script file (SCRIPT.INI for MIRC or EVENTS.INI for PIRCH)
that contains commands
 to send infected "LINKS.VBS" to other IRC users when they join the
same IRC channel to
 which the infected computer is connected. 
Version: PGP Personal Privacy 6.0.2
Comment: When did you backup your hard disk last?



David Kennedy CISSP
Director of Research Services,
Protect what you connect.
Look both ways before crossing the Net.