First published: 09th October 1999
New Melissa-like worm found in several countries during the past weekHong Kong, October 9, 1999 - Yui Kee, a leading distributor of centrally-managed, widely distributed security solutions, today warns about a new Melissa-like worm, VBS/Freelink. This worm spreads by e-mailing a file called LINKS.VBS around.
VBS/Freelink is written in the VBScript language. By default, programs written in VBScript operate only under Windows 98 and Windows 2000 beta (unless Windows Scripting Host has been installed separately).
However, Microsoft Internet Explorer 5 installs Windows Scripting Host (WSH) also to Windows 95 and Windows NT 4.0 machines by default, making them vulnerable to this worm.
VBS/Freelink was originally found from Europe in July 1999. However, it did not became common at that time, as it only operated under Windows 98 and beta versions of Windows 2000. Now that Microsoft Internet Explorer 5 has been released, more and more Windows 95 and NT users are vulnerable to this worm. Estimates on the current market share of Internet Explorer 5 range between 10% and 20%.
The worm arrives to users in e-mail message attachments named LINKS.VBS. When it
is executed, the worm shows a message box with the following text:
This will add a shortcut to free XXX links on your desktop. Do you want to continue? |
Whether the user clicks 'yes' or 'no', the program creates an Internet shortcut named "FREE XXX LINKS" to the desktop. This shortcut points to a porn web site.
After this, the worm searches for mapped network shares on the local network. If the worm finds any network drives, it copies itself to the root of them.
The worm uses Outlook application to mass-mail itself to each recipient in each address book. The mass-mail portion is similar to the infamous Melissa virus.
The subject of the messages sent by the virus is:
Check this
and the body of the message is:
Have fun with these links. Bye.
The worm attaches itself as "Links.vbs" to the message. When the receiver double-clicks on the attachment, the worm executes and will mass-mail itself again.
VBS/Freelink removes the sent mail from the user's "Sent Mail" folder. In this way it tries to hide the mass mailings from the user.
As address books typically contain group addresses, the end result of executing the VBS/Freelink worm inside an organization is that the first infected user sends the message to everybody in the organization. After this, other users open the message and send the message again to everyone else. This quickly overloads e-mail servers.
A technical description of the virus is available in the Data Fellows virus description
database at:
http://www.f-secure.com/v-descs/freelink.shtml
Sample pictures of e-mail messages generated by VBS/Freelink are available in the Data
Fellows virus screenshots center at:
http://www.f-secure.com/virus-info/v-pics/