HP3000-L Archives

December 1999, Week 2

HP3000-L@RAVEN.UTC.EDU

Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
From:
"Stamps, Theron" <[log in to unmask]>
Reply To:
Stamps, Theron
Date:
Fri, 10 Dec 1999 12:49:15 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (51 lines)
Latest NAV definitions caught this.  Here is some info, and remedies if u
did launch the attachment.
VBS.Freelink is an encrypted worm that will work under Windows 98, Windows
2000 and all the other Windows supporting VB Scripting language. Once the
worm is launched, it will use MS Outlook to automatically send an email with
an attachment of itself. Similar to the Melissa virus, this worm uses MAPI
calls to get user profiles from MS Outlook. The contents of the email
generated by this worm are:
        Subject: Check this

        Have fun with these links. Bye.
When the attached file is executed, it will create the following two files:
        C:\WINDOWS\LINKS.VBS C:\WINDOWS\SYSTEM\RUNDLL.VBS
It will also create a file called LINKS.VBS in the root of all network
drives that are currently mapped. Next, the worm will modify the following
registry to execute every time the machine boots up:
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\Rundll=RUNDLL.VBS
After infecting a system, it will displays a dialog box title "Free XXX
links" with following content:
        This will add a shortcut to free XXX links on
        your desktop. Do you want to continue.
If the user selects yes, it will create a shortcut pointing to an adult web
site.
It also searches for MIRC32.EXE and PIRCH98.EXE chat programs in C:\MIRC ,
C:\PIRCH98, C:\PROGRAM FILES and the sub directories of each of these
directories. If it finds either of these programs, it will modify the
corresponding SCRIPT.INI file or EVENTS.INI located in the same directory.
These INI files will cause LINKS.VBS to be sent to other people during the
IRC sessions.


Theron J. Stamps
Systems Analyst
San Angelo Standard-Times
Voice:  915.659.8220
Pager:  1.800.788.0207
Text Pages:  www.skytel.com
Email:  [log in to unmask]
Emergency Email:  [log in to unmask]
(This will cause a pager notification to be sent)

> -----Original Message-----
> From: Thomas T. Evans, III [SMTP:[log in to unmask]]
> Sent: Friday, December 10, 1999 11:13 AM
> To:   [log in to unmask]
> Subject:      Check this
>
> Have fun with these links.
> Bye.

ATOM RSS1 RSS2