RE: Check this

From: Thiem, Robert <ThiemR@dont-contact.us>
Date: Tue, 15 Feb 2000 11:12:23 +1000

Just so you know what you may have received:

Source: http://www.cai.com/virusinfo/encyclopedia/VBS.htm

VBS.FreeLinks (Also known as FreeLinks and Link.VBS)
This worm can infect Win98, Win2000 and NT4 if the VBS extension has been
loaded. The worm creates a new Visual Basic Script file called 'RUNDLL.VBS'
in the 'System32' folder. The worm code is then inserted into these files
and the registry is altered so that the file will be run every time the
machine is rebooted. When the worm is loaded, it will display a message box
with the following text:
"Free XXX links"
"This will add a shortcut to free XXX links on your desktop. Do you want to
continue?"

If the user clicks "OK" the shortcut "FREE XXX LINKS.URL" will be placed on
the desktop. The worm also tries to create a file called 'LINKS.VBS' in the
root directory of all accessible network drives. The worm then generates a
new email message titled Check this, the content of the email message is the
text "Have fun with these links. Bye" and a copy of the worm. The worm then
adds all names from an MS OutLook address book to the BCC field and mails.
The worm cannot successfully propagate if you are using any other E-mail
client software. The worm attempts to modify some IRC clients so that it is
able to spread when a person starts an IRC session.

A flag can also be set by the Worm so that the E-mail message is deleted
after it has been sent. This attempts to remove the evidence that a person
has actually sent the worm to others. A basic form of encryption is also
used in an attempt to make it harder to detect and remove the worm.

> -----Original Message-----
> From: Bill Wichers [SMTP:billw@waveform.net]
> Sent: Tuesday, February 15, 2000 10:09 AM
> To: newman@n2h2.com
> Cc: squid-users@ircache.net
> Subject: Re: Check this
>
> That file was infected with a virus so watch out everyone.
>
> -Bill
>
> At 03:15 PM 2/14/00 -0800, you wrote:
> >Have fun with these links.
> >Bye.
>
> ***************************************************************
> * <*> Bill Wichers, kb8wyp, billw@waveform.net <*> *
> * **** Waveform Technology UNIX System Administrator *
> * * * *
> * * * packet: kb8wyp@n8nnn.#semi.mi.usa.noam *
> * * * http://www.waveform.net/bill/ *
> * **** *
> * "SONET, ATM, and Microwave... The solutions for Speed" *
> ***************************************************************
Received on Mon Feb 14 2000 - 18:21:54 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:51:13 MST