Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

VBS/Freelink

VBS/Freelink is a script worm written in Visual Basic Script.  It spreads using Microsoft Outlook and by means of IRC MIRC and PIRCH.  The worm arrives on computer as a email file attachment with subject "Check this".  If the file in the attachment is executed the worm gets activated and offers  to create an icon on the desktop.  The icon is supposed to lead to pages with contents “for adults only”.  After clicking on the button with the text "Yes" the promised icon is really created on the desktop but the worm performs also other activity, hidden from the user.  It creates the file C:\Windows\System\Rundll.vbs and by means of manipulating the system registry it ensures activation of the file at every start of the system – it creates the key in HKLM\software\microsoft\windows\currentversion\run.  The script in the file Rundll.vbs is encrypted; after being activated in the root directory of each network disk it copies another script.  Into directories with ICR client MIRC, it copies the file SCRIPT.INI, into the directory with IRC client PIRCH it inserts the file EVENTS.INI.  The goal of these scripts is to spread the worm to users of the same channel on IRC on which the infected computer is registered.  The method of spreading is somewhat similiar to the one used in  W97M/Melissa with the difference that Word documents are not attacked and the worm is sent out at each system start up.  VBS/Freelink conceals this massive using of email simply by deleting the sent messages from the sent messages folder.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.