North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
OT: VBS.FREELINK and Anti-Virus Defaults was: Check This
- From: David Kennedy CISSP
- Date: Thu Mar 09 17:01:25 2000
-----BEGIN PGP SIGNED MESSAGE-----
At 03:28 PM 3/9/00 -0500, Kai Schlichting wrote:
>Can someone with a lucky hand in Visual Basic actually tell us what
>the trojan attachment we saw (LINKS2.VBS) we saw (full mail headers
>included, in case Shawn hasn't seen them yet) actually does.
>Seems to cloak itself well, and my Norton AV is *not* detecting
1. Norton reliably detects this (mine did). You need to either a)
add .VBS to the scanned extensions, launch NAV, Options, Scanner,
Program Files, Select, New and add "VB?" and "SHS" to the default
extensions. Or b) NAV, Options, Scanner, All Files and set to scan
all files, I recommend this. There was once a performance penalty to
scan all files, but between CPU's and AV program optimization, the
penalty is no longer noticeable under most circumstances. Changing
the setting under scanner also effects the on-access protection,
there's no need to search for both option.
(W32 unfortunately does not obey extension-association the way many of
us learned them in 16-bit Windows. If someone sends you the
MELISSA.DOC file as an attachment labeled LAUGH.WAV and you double
click it to listen, windows will open the file recognize the headers
and open the file in MS Word without an error message and you'll be
off and running with the Melissa virus.)
2. Here's the information you asked for about Freelink: from
This is a worm written in the Visual Basic Script language (VBS).
This worm spreads via e-mail
and IRC (Internet Relay Chat) channels.
Being executed the worm script creates a new script file "RUNDLL.VBS"
in the Windows
system folder and modifies the system registry to execute this script
on every Windows
Then the worm displays message box:
This will add a shortcut to free XXX links on your desktop. Do you
want to continue?
If the user's answer is YES the worm creates a shortcut on the
desktop with the URL to an XXX
Then the worm enumerates all network drives on the local computer and
copies the infected
script to the root directory of each network drive.
To spread via e-mail the worm uses MS Outlook. The worm spreading
routine is very closely
related to a similar such routine in the "Melissa" virus, and works
in the same way. The
message contains the worm script (LINKS.VBS) as an attachment.
The message subject: Check this
The message body: Have fun with these links.
The "RUNDLL.VBS" script when run creates another script file
"LINKS.VBS" in the Windows
directory (LINKS.VBS is the same script as described above). Then it
scans all fixed drives for
the folders "MIRC", "PIRCH98", "Program Files" (folder where usually
installed most of
Windows programs) and also all their subfolders and searches for the
"PIRCH98.EXE" programs (popular IRC clients). If any of such program
is found, the worm
creates a script file (SCRIPT.INI for MIRC or EVENTS.INI for PIRCH)
that contains commands
to send infected "LINKS.VBS" to other IRC users when they join the
same IRC channel to
which the infected computer is connected.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2
Comment: When did you backup your hard disk last?
-----END PGP SIGNATURE-----
David Kennedy CISSP
Director of Research Services, ICSA.net http://www.icsa.net
Protect what you connect.
Look both ways before crossing the Net.