Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » VBS/FreeLinks

Overview

Threat Risk NONE NONE
Destructivity NONE NONE
Payload
Detection files published 05 Oct 1999 03:00:00
Description created 05 Oct 1999 03:00:00
Description updated 05 Oct 1999 03:00:00
Malware type WORM
Alias
Spreading mechanism EMAIL
IRC
NETWORK
Summary None

VBS/FreeLinks

Spreading

When a receipient opens the attachment on a computer which supports Windows Scripting (default in Windows 98 and Windows 2000 - optional in other 32 bits versions of Windows), he/she is infected.

This message will be displayed:



DesktopFREE XXX LINKS.URL
This will add a shortcut to the XXX sites on your desktop.
Do you want to continue (Yes/No). The worm will further create two VBS script files on the PC's hard drive.

If you answer Yes to the question above, the worm will search address entries in the address books of Outlook 98 and Outlook 2000 if either of these are running, and mail itself to the addressees. The mail is as a Blind Carbon Copy (bcc).

If there are shared network drives, the worm will copy the .vbs file to these drives, thus enabling itself to spread through the network. It will also make changes in Windows Registry to ensure that the malicious VBscript is started each time Windows is started.

Payload Details

n/a

Analysis

n/a

Removal

Delete the attachment from the e-mail Delete the file [windowsdir]\links.vbs Delete the file [windowsdir]\system\rundll.vbs Delete the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\Run\Rundll The Visual Basic Script viruses rely on the association between .VBS files and Windows Scripting Host to execute.


Last Updated: 12 Nov 2015 11:06:15