
_________________________________________________________________________

vbs/freelink the windows scripting host virus by humayun khan
(humayunmailbox@gmail.com)
_________________________________________________________________________

vbs/freelink is an encrypted vb script email worm that spreads itself by e-mail,
network drive sharing and irc client scripting, via the links.vbs file. this
email-borne worm has been written in vbscript and needs the windows scripting host
to operate. (the windows scripting host, or wsh, is installed by default only under
win 98/2000, unless the windows scripting host has been installed separately.)
hence this virus infects only those systems on which the windows scripting host is
installed.

******************
artificial intelligence truth: the windows scripting host or the wsh allows users
to write scripts to perform a collection of tasks easily. the wsh lets us run
vbscript or javascript (also vba) scripts, which are to windows what batch file
programs are to dos. to be able to write viruses which utilise or need the
presence of the wsh, you need to know a lot of vbscript or javascript and be
proficient in vba.
the windows scripting host can be called the scripting engine of windows
(different from the scripting engine of the browser).
******************

propagation

the vbs/freelink virus too is an email-borne virus. this means that it uses the
email mechanism to propagate itself (to spread itself) to various systems around
the world.

this virus or worm spreads as an e-mail with the subject ' check this ' and the
body ' have fun with this cool links ':

subject: check this
body: have fun with this cool links

this email carries an attached file named ' links.vbs ', which is the actual
virus. this attached virus is the encrypted vb script. unlike bubbleboy, this
virus needs the user to execute the attached vb script and does not infect the
victim's system by simply viewing the email. when the attached virus (read: worm)
is executed, it displays the following message on the screen in a dialog box:

"this will add a shortcut to free xxx links on your desktop. do you want to
continue?"

before showing this message on the screen, the worm drops an encrypted script file
in c:\windows\system\rundll.vbs. after that, vbs/freelink changes the registry in
such a way that "rundll.vbs" will be executed each time the system is restarted.
basically the following registry entry is edited or added:

hkey_local_machine\software\microsoft\windows\currentversion\run
\rundll=rundll.vbs

anyway, if the user answers no to the dialog box, then nothing happens. but on the
other hand, if the user clicks yes then the worm creates a .url file on the desktop
that contains a link to an adult x-rated website, apparently
http://www.sublime.com. this internet shortcut is named "free xxx links".

then it searches all the mapped network shares and copies itself to the root of
each. the worm, which arrives in the form of the attachment links.vbs, uses what
most email viruses use, the outlook express application, to mass-mail itself to
each recipient in the stored address book.

after you restart your machine, the worm drops "links.vbs" in the windows
directory. when the rundll.vbs file is started automatically, it checks whether
the victim's system has the mirc (mirc32.exe) or pirch (in "c:\pirch98") irc
client installed and, if either is, the virus creates a script.ini (if mirc is
found) or events.ini (if pirch is found) file which sends the virus to other users
on the same irc channel using the join channel event. it is the automatic
execution of this file which attempts to create and send the above e-mail message
to all entries in the user's outlook address book. once the email has been sent,
the worm erases all traces of it from the email client by deleting itself from the
"sent mail" folder, and by this unique bit of operation hides the mass mailings
from you.

most antiviruses like norton and mcafee detect this worm, but the less popular
ones like f-secure or panda antivirus do not scan .vbs files, so you need to
change the settings and enable scanning of .vbs files. but again, who needs an
antivirus, if we can remove it manually!!! before we get down to the actual manual
process of disinfection, one needs to keep in mind what changes the vbs/links
worm made to your system.

infected filenames:
c:\windows\links.vbs
c:\windows\system\rundll.vbs
registry key: hkey_local_machine\software\microsoft\windows\currentversion\run
\rundll=rundll.vbs
the irc client's script file

so if we restore the altered files and delete the new files, then we can remove
this worm. the process of disinfection would be something like the following:

1. launch regedit and go to
   hkey_local_machine\software\microsoft\windows\currentversion\run
2. delete the entry rundll=rundll.vbs
3. delete the file c:\windows\links.vbs
4. delete the file c:\windows\system\rundll.vbs
5. close regedit
6. remove all copies of mirc and pirch
7. reboot
8. recheck for the files created by the trojan
9. reinstall your irc client
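An added triage check, written as an example for this write-up and not part of the original article, that looks for the changes listed above (the run entry, the two dropped files and the irc join-event script) in a regedit .reg export, a file listing and the irc client's script text, so you can confirm the manual clean-up actually took. The sample artifacts, the mirc path c:\mirc\script.ini and the script.ini wording are constructed assumptions, not captures from the worm.

```python
import re

# Indicators as the write-up gives them (lower-cased for comparison).
DROPPED_FILES = {r"c:\windows\links.vbs", r"c:\windows\system\rundll.vbs"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

def run_values_from_reg_export(reg_text):
    """Parse a regedit .reg export; return {name: value} found under the Run key."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)  # only REG_SZ "name"="value" lines
        if in_run and m:
            values[m.group(1).lower()] = m.group(2).lower()
    return values

def freelink_findings(reg_text, present_files, irc_scripts):
    """Return one line per indicator seen; an empty list means none is present."""
    findings = []
    for name, value in run_values_from_reg_export(reg_text).items():
        if name == "rundll" and value.endswith("rundll.vbs"):
            findings.append(f"run key persistence: {name}={value}")
    for path in sorted(present_files):
        if path.lower() in DROPPED_FILES:
            findings.append(f"dropped file present: {path}")
    for path, text in irc_scripts.items():
        # the worm's script.ini/events.ini sends links.vbs from a channel-join event
        if re.search(r"on\s+\S*:join:.*links\.vbs", text, re.IGNORECASE):
            findings.append(f"irc join-event sender in {path}")
    return findings

def is_clean(reg_text, present_files, irc_scripts):
    """True once the run entry, both dropped files and the irc script are gone."""
    return not freelink_findings(reg_text, present_files, irc_scripts)

# Constructed sample artifacts standing in for an infected win98 machine (assumed).
INFECTED_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"rundll"="rundll.vbs"
"""
INFECTED_FILES = {r"C:\WINDOWS\links.vbs", r"C:\WINDOWS\SYSTEM\rundll.vbs", r"C:\WINDOWS\win.ini"}
INFECTED_IRC = {r"c:\mirc\script.ini":  # assumed mirc location and script wording
                "[script]\nn0=on 1:JOIN:#:{ /dcc send $nick c:\\windows\\links.vbs }\n"}
```

Run `freelink_findings(INFECTED_REG, INFECTED_FILES, INFECTED_IRC)` before and after the steps above; `is_clean` returning True is the signal that steps 2, 3, 4 and 6 are done.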

also do not forget the people in your microsoft outlook address book to whom you
have inadvertently sent this trojan. the aliases of this virus can be listed as
the following:

vbs/freelink, vbs.freelinks, vbs.freelink, freelink/vbs

humayun khan
humayunmailbox@gmail.com
