FLASH: OFF TOPIC:Warning:VBS_FREELINK virus going around

[Brad Bechtel]

This message is provided for your information.  I've personally received several copies today from various sources.


Many mail users are currently experiencing exposure to the VBS_FREELINK virus.  If you receive a message with the title "Check This", do not open the attachment.  Remember that the email itself will not hurt you; the attachment is the problem.

=======

Here is some quick info on the virus (the VBS_FREELINK) that's being sent around as the attachment "Links.VBS" today:


http://www.trendmicro.com.au/vinfo/vbs_freelink.htm


VBS_FREELINK

An encrypted worm virus written in VBScript language, VBS_FREELINK is a Melissa like virus, that infects Windows 95/98/2000. It spreads by sending a copy of itself through MS Outlook, MIRC, PIRCH and mapped network directories. This worm, originally discovered in June 1999, has recently been detected in the wild, spreading quickly at several customer sites.


_____________

VBS_FREELINK 

Rating: VAC-1

(Viruses that can spread very quickly, with the potential to spread throughout the world within one week.)

An encrypted worm virus written in VBScript language, VBS_FREELINK is a Melissa- like virus, that infects Windows 95/98/2000. It spreads by sending a copy of itself through MS Outlook, MIRC, PIRCH and mapped network directories. This worm, originally discovered in June 1999, has recently been detected in the wild, spreading quickly at several customer sites.

The worm creates the subject heading:


Check this


with the following text in the body of the message:


Have fun with these links

Bye.


The email will also contain an attachment "links.vbs." To protect against this worm, Trend SMEX and ISVW customers with the eManager plug-in can filter out all email with the subject line "Check this" and all customers are also advised to not execute the file "links.vbs."

Upon execution, this worm creates a file named RUNDLL.VBS in the Windows/System director, and adds a registry entry:


HKEY_LOCAL_MACHINE\Software\Microsoft\

Windows\CurrentVersion\Run\Rundll=Rundll.vbs


Then the worm sends a copy of itself (links.vbs) to all mapped network drives, and uses MS Outlook to send an email with itself as a file attachment. Since a registry entry is added to the Windows registry upon execution, every time Windows is launched RUNDLL.VBS will be executed.

After infecting a system, it will displays a dialog box title "Free XXX links" with the following content:


This will add a shortcut to free XXX links on your desktop. Do you want to continue.


If the user selects "yes", it will create a shortcut pointing to an adult web site.

The worm then searches for MIRC32.EXE and PIRCH98.EXE chat programs in C:\MIRC, C:\PIRCH98, C:\PROGRAM FILES and the sub directories of each of these directories. If the worm finds either of these programs, it will modify the corresponding SCRIPT.INI file or EVENTS.INI located in the same directory. This will cause links.vbs to be send to other users during IRC sessions.

Trend Micro pattern file 594 and higher detects this worm. All Trend customers should use the pattern update feature in their Trend products to update their virus protection. The latest pattern file is also available for manual download.


flasher is generously supported by... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Streaming Media WEST '99 Conference & Exhibition "The Worlds largest Internet Audio & Video Event" December 7 - 9, San Jose Convention Center, California

Reserve your space today at http://www.streamingmedia.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To unsubscribe or change your list settings go to http://www.chinwag.com/flasher or email

helpchinwag [dot] com