
VBS/Freelink: The Windows Scripting Host Virus, by Ankit Fadia (ankit@bol.net.in)
_________________________________________________________________________


VBS/Freelink is an encrypted VBScript email worm that spreads by email, through
shared network drives and through the scripting abilities of IRC clients,
arriving as the file links.vbs. This email-borne worm is written in VBScript and
needs the Windows Scripting Host to run. (The Windows Scripting Host, or WSH,
comes installed only under Win 98/2000, unless it has been installed separately.)
Hence this virus infects only those systems on which the Windows Scripting Host
is installed.

******************
Artificial Intelligence Truth: The Windows Scripting Host, or WSH, allows
users to write scripts that perform a collection of tasks easily. The WSH runs
VBScript or JavaScript (also VBA) scripts, which are to Windows what batch
files are to DOS. To be able to write viruses which utilise or need the
presence of the WSH, you need to know a lot of VBScript or JavaScript and be
proficient in VBA.
The Windows Scripting Host can be called the scripting engine of Windows
(different from the scripting engine of the browser).
******************

Propagation

The VBS/Freelink virus, too, is an email-borne virus: it uses the email
mechanism to propagate itself (spread itself) to systems around the world.

This virus or worm spreads as an email with the subject 'Check This' and the
body 'Have fun with this cool links':

SUBJECT: Check This
BODY: Have fun with this cool links

The email carries an attachment named LINKS.VBS, which is the actual virus: the
encrypted VBScript. Unlike BubbleBoy, this virus needs the user to execute the
attached VBScript; it does not infect the victim's system by simply viewing the
email. When the attached virus (read: worm) is executed, it displays the
following message on the screen in a dialog box:

"This will add a shortcut to free XXX links on your desktop. Do you want to
continue?"

Before showing this message on the screen, the worm drops an encrypted script
file at C:\Windows\System\Rundll.vbs. VBS/Freelink then changes the registry so
that Rundll.vbs is executed each time the system is restarted. Basically, the
following registry entry is edited or added:

Hkey_Local_Machine\software\microsoft\windows\currentversion\run\rundll=rundll.vbs

Anyway, if the user answers No to the dialog box, nothing further happens. If,
on the other hand, the user clicks Yes, the worm creates a .URL file on the
desktop that contains a link to an adult, X-rated website, apparently
http://www.sublime.com. This Internet shortcut is named "free xxx links".

It then searches all mapped network shares and copies itself to the root of
each. The worm, which arrives as the attachment links.vbs, uses what most email
viruses use, the Outlook Express application, to mass-mail itself to every
recipient in the stored address book.

After you restart your machine, the worm drops links.vbs in the Windows
directory. When RUNDLL.VBS is started automatically, it checks whether the
victim's system has the mIRC (mirc32.exe) or PIRCH (in C:\Pirch98) IRC client
installed. If either is present, the virus creates a SCRIPT.INI (if mIRC is
found) or EVENTS.INI (if PIRCH is found) file that sends the virus to other
users on the same IRC channel using the JOIN channel event. It is the automatic
execution of this file which attempts to create and send the above email
message to all entries in the user's Outlook address book. Once the email has
been sent, the worm erases all traces of it from the email client by deleting
the message from the "Sent Mail" folder, and by this unique bit of operation
hides the mass mailing from you.
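The mail-borne indicators described above (the fixed subject, the fixed body text and the LINKS.VBS attachment) are enough for a simple gateway or mailbox filter. The script below is an added example, not code from the article; it uses only Python's standard `email` library, builds a few constructed sample messages (the attachment bytes are a harmless placeholder, not the worm), and reports why a message matches. It also goes one step beyond the article with a generic rule that flags any Windows Scripting Host script attachment, since the text notes that some scanners of the time did not look at .VBS files at all.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article (compared case-insensitively).
FREELINK_SUBJECT = "check this"
FREELINK_BODY = "have fun with this cool links"
FREELINK_ATTACHMENT = "links.vbs"
# Generic rule (assumption of this example): any WSH script attachment is suspicious.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def attachment_names(msg):
    """Return the lower-cased filenames of every attachment part in the message."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and part.get_content_disposition() == "attachment":
            names.append(filename.lower())
    return names


def classify(msg):
    """Return the list of reasons a parsed message looks like VBS/Freelink (empty = clean)."""
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part is not None else ""
    names = attachment_names(msg)

    if subject == FREELINK_SUBJECT:
        reasons.append("subject matches 'Check This'")
    if FREELINK_BODY in body:
        reasons.append("body matches 'Have fun with this cool links'")
    if FREELINK_ATTACHMENT in names:
        reasons.append("attachment LINKS.VBS present")
    for name in names:
        # Any other WSH script attachment is reported under the generic rule.
        if os.path.splitext(name)[1] in SCRIPT_EXTENSIONS and name != FREELINK_ATTACHMENT:
            reasons.append(f"WSH script attachment {name}")
    return reasons


def scan_raw(raw_bytes):
    """Parse a raw RFC 822 message (as a mail gateway would receive it) and classify it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return classify(msg)


def build_sample(subject, body, attachment=None):
    """Construct a sample message for testing; the attachment content is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"' constructed placeholder, not a script\r\n",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg


if __name__ == "__main__":
    samples = [
        build_sample("Check This", "Have fun with this cool links", "LINKS.VBS"),
        build_sample("Meeting notes", "See attached.", "notes.txt"),
        build_sample("FYI", "Please run this", "update.vbs"),
    ]
    for sample in samples:
        verdict = scan_raw(sample.as_bytes())
        print(f"{sample['Subject']!r}: {'FLAGGED ' + '; '.join(verdict) if verdict else 'clean'}")
```

Matching the exact subject and body only catches this one worm; the attachment-extension rule is what keeps the filter useful against the many variants that reused the same VBScript mass-mailing trick.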

Most antivirus products, like Norton and McAfee, detect this worm, but the less
popular ones like F-Secure or Panda Antivirus do not scan .VBS files, so you
need to change the settings and enable scanning of .VBS files. But then again,
who needs an antivirus if we can remove it manually!!! Before we get down to the
actual manual process of disinfection, one needs to keep in mind what changes
the VBS/Links worm made to your system.

Infected filenames:
c:\windows\links.vbs
c:\windows\system\rundll.vbs
Registry entry: Hkey_Local_Machine\software\microsoft\windows\currentversion\run\rundll=rundll.vbs
The IRC client's script file

So if we restore the modified registry entry and delete the new files, we can
remove this worm. The process of disinfection is as follows:

1. Launch Regedit and go to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
2. Delete the entry rundll=rundll.vbs
3. Delete the file c:\windows\links.vbs
4. Delete the file c:\windows\system\rundll.vbs
5. Close Regedit
6. Remove all copies of mIRC and PIRCH
7. Reboot
8. Recheck for the files created by the trojan
9. Reinstall your IRC client
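Steps 1 to 4 and the recheck in step 8 can be scripted so that the same indicators are checked before and after the reboot. The following is an added example, not part of the article: it checks the Run key and the two dropped file paths named above, reports what it would remove, and only deletes anything when started with `--apply`. The registry and file collection use Python's standard `winreg` and `os` modules on Windows; `find_indicators` is a pure function over a snapshot, so it can be exercised on any platform with constructed data. Cleaning the IRC client's script file is left to the manual steps, as the article does not give its contents.

```python
import os
import sys

# Indicators from the article (Windows 9x paths, compared case-insensitively).
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "rundll"
RUN_VALUE_DATA = "rundll.vbs"
DROPPED_FILES = (r"c:\windows\links.vbs", r"c:\windows\system\rundll.vbs")


def find_indicators(run_values, existing_files):
    """Pure check over a snapshot: run_values maps Run-key value names to their data,
    existing_files is the set of indicator paths present on disk.
    Returns an ordered list of (action, target) remediation tuples."""
    actions = []
    for name, data in run_values.items():
        # Match "rundll=rundll.vbs" whether stored bare or with a directory prefix.
        if name.lower() == RUN_VALUE_NAME and str(data).strip().lower().endswith(RUN_VALUE_DATA):
            actions.append(("delete_run_value", name))
    present = {path.lower() for path in existing_files}
    for path in DROPPED_FILES:
        if path in present:
            actions.append(("delete_file", path))
    return actions


def collect_run_values():
    """Enumerate HKLM\\...\\Run with winreg; returns {} on non-Windows hosts."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = data
            index += 1
    return values


def collect_existing_files():
    """Return the subset of the dropped-file paths that actually exist on this host."""
    return {path for path in DROPPED_FILES if os.path.exists(path)}


def remediate(actions, dry_run=True):
    """Print each action; perform it only when dry_run is False (Windows only)."""
    for kind, target in actions:
        print(("would " if dry_run else "") + kind.replace("_", " ") + ": " + target)
        if dry_run:
            continue
        if kind == "delete_run_value":
            import winreg
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY, 0, winreg.KEY_SET_VALUE) as key:
                winreg.DeleteValue(key, target)
        elif kind == "delete_file":
            os.remove(target)


if __name__ == "__main__":
    found = find_indicators(collect_run_values(), collect_existing_files())
    if not found:
        print("no VBS/Freelink indicators found")
    remediate(found, dry_run="--apply" not in sys.argv)
```

Run it once before the reboot (step 7) to remove the persistence and the dropped scripts, and once again afterwards as step 8: a clean second run means nothing re-created the files or the Run entry at startup.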

Also, do not forget to inform the people in your Microsoft Outlook address book
that you have inadvertently sent them this trojan. The aliases of this virus can
be chalked out to be the following:
