_________________________________________________________________________

VBS/FREElink
The Windows Scripting Host Virus

By Ankit Fadia
ankit@bol.net.in
_________________________________________________________________________

VBS/Freelink is an encrypted VBScript e-mail worm that spreads by e-mail, by network drive sharing and through the scripting abilities of IRC clients, arriving as the file links.vbs. This e-mail-borne worm is written in VBScript and needs the Windows Scripting Host to run. (The Windows Scripting Host, or WSH, is installed only under Win 98/2000, unless the Windows Scripting Host has been installed separately.) Hence this virus infects only those systems on which the Windows Scripting Host is installed.

******************
Artificial Intelligence Truth:

The Windows Scripting Host, or WSH, allows users to write scripts that perform a collection of tasks easily. The WSH runs VBScript or JavaScript (and also VBA) scripts, which are to Windows what batch file programs are to DOS. To write viruses that use or need the presence of the WSH, you need to know a lot of VBScript or JavaScript and be proficient in VBA. The Windows Scripting Host can be called the scripting engine of Windows (different from the scripting engine of the browser).
******************

Propagation

The VBS/Freelink virus too is an e-mail-borne virus. This means that it uses the e-mail mechanism to propagate itself (to spread itself) to various systems around the world. This virus or worm spreads as an e-mail with the subject 'Check this' and the body 'Have fun with this cool links':

SUBJECT: Check This
BODY: Have Fun with this cool links

This e-mail carries a file named 'LINKS.VBS', which is the actual virus. This attached virus is the encrypted VBScript. Unlike BubbleBoy, this virus needs the user to execute the attached VBScript and does not infect the victim's system when the e-mail is simply viewed.
When the attached virus (read: worm) is executed, it displays the following message on the screen in a dialog box: "This will add a shortcut to free XXX links on your desktop. Do you want to continue ?". Before showing this message on the screen, the worm drops an encrypted script file in C:\Windows\System\Rundll.vbs. After that, VBS/Freelink changes the registry in such a way that "Rundll.vbs" is executed each time the system is restarted. Basically the following registry key is edited or added:

Hkey_Local_Machine\software\microsoft\windows\currentversion\run\rundll=rundll.vbs

If the user answers No to the dialog box, nothing further happens. But if the user clicks Yes, the worm creates a .URL file on the desktop that contains a link to an adult X-rated website, apparently http://www.sublime.com. This Internet shortcut is named "free xxx links". Then it searches all the mapped network shares and copies itself to the root of each.

The worm, which arrives as the attachment links.vbs, uses what most e-mail viruses use, the Outlook Express application, to mass-mail itself to each recipient in the stored address book. After you restart your machine, the worm drops "links.vbs" in the Windows directory. When RUNDLL.VBS is started automatically, it checks whether the victim's system has the mIRC (mirc32.exe) or PIRCH (in C:\Pirch98) IRC client installed; if either is found, the virus creates a SCRIPT.INI (if mIRC is found) or EVENTS.INI (if PIRCH is found) file which sends the virus to other users on the same IRC channel using the JOIN channel event. It is the automatic execution of this file which attempts to create and send the above e-mail message to all entries in the user's Outlook address book. Once the e-mail has been sent, the worm erases all traces of it from the e-mail client by deleting the message from the "Sent Mail" folder, and by this unique bit of operation hides the mass mailing from you.
Most antiviruses like Norton and McAfee detect this worm, but the less popular ones like F-Secure or Panda Antivirus do not scan .VBS files, so you need to change the settings and enable scanning of .VBS files. But again, who needs an antivirus if we can remove it manually!!!

Before we get down to the actual manual process of disinfection, one needs to keep in mind what changes the VBS/Links worm made to your system.

Infected filenames:
c:\windows\links.vbs
c:\windows\system\rundll.vbs

Registry key:
Hkey_Local_Machine\software\microsoft\windows\currentversion\run\rundll=rundll.vbs

The IRC client's script file (SCRIPT.INI for mIRC, EVENTS.INI for PIRCH)

So if we somehow restore the altered files and delete the new files, we can remove this worm. The process of disinfection would be something like the following:

1. Launch Regedit and go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
2. Delete the value rundll=rundll.vbs
3. Delete the file c:\windows\links.vbs
4. Delete the file c:\windows\system\rundll.vbs
5. Close Regedit
6. Remove all copies of mIRC and PIRCH
7. Reboot
8. Recheck for the files created by the trojan
9. Reinstall your IRC client

Also do not forget to tell the people in your Microsoft Outlook address book that you have inadvertently sent them this trojan.

The aliases of this virus can be chalked out to be the following: VBS/Freelink, VBS.Freelinks, VBS.Freelink, Freelink/VBS

Ankit Fadia
ankit@bol.net.in

For manuals on Hacking, Cracking (Assembly), Viruses/Trojans, Perl, C++ and everything else you dreamt of, visit the Hacking Truths site at:
http://www.crosswinds.net/~hackingtruths

To get the tutorials by e-mail, join my mailing list by sending an e-mail to:
programmingforhackers-subscribe@egroups.com
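As an added example, not part of the original article: a small Python triage helper that checks an e-mail against the worm's fixed subject and attachment name, and checks a host snapshot (file list, values under the Run key, contents of IRC script files) for the artifacts listed in the removal steps. The IRC check is a heuristic assumed from the description (a JOIN handler that DCC-sends a .vbs file), not a signature given on the page, and all sample data is constructed.

```python
"""Triage helper for the VBS/Freelink indicators given in the write-up above."""
import re

# Indicators taken from the write-up (Windows paths and names are case-insensitive).
MAIL_SUBJECT = "check this"
MAIL_ATTACHMENT = "links.vbs"
DROPPED_FILES = {r"c:\windows\links.vbs", r"c:\windows\system\rundll.vbs"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = ("rundll", "rundll.vbs")
# Heuristic (an assumption, not a signature from the page): an IRC script that
# reacts to a JOIN event by DCC-sending a .vbs file is the propagation hook described.
IRC_HOOK = re.compile(r"on\s+\S*:join:.*?dcc\s+send\b.*?\.vbs", re.I)


def mail_looks_like_freelink(subject, attachments):
    """True if a message carries the worm's fixed subject and attachment name."""
    return subject.strip().lower() == MAIL_SUBJECT and any(
        a.lower() == MAIL_ATTACHMENT for a in attachments)


def host_findings(files, run_values, irc_scripts):
    """List the worm's artifacts present in a host snapshot.

    files: full paths on disk; run_values: {name: data} under the Run key;
    irc_scripts: {path: text} with the contents of script.ini / events.ini files.
    """
    findings = []
    for path in sorted(DROPPED_FILES & {p.lower() for p in files}):
        findings.append(f"dropped file: {path}")
    for name, data in run_values.items():
        if (name.lower(), data.lower()) == RUN_VALUE:
            findings.append(f"autorun value: {RUN_KEY}\\{name}={data}")
    for path, text in irc_scripts.items():
        if IRC_HOOK.search(text):
            findings.append(f"irc propagation hook: {path}")
    return findings


# Constructed sample snapshot of an infected Win98 host (not real data).
SAMPLE_FILES = [r"C:\WINDOWS\LINKS.VBS", r"C:\WINDOWS\SYSTEM\RUNDLL.VBS",
                r"C:\WINDOWS\WIN.COM"]
SAMPLE_RUN = {"rundll": "rundll.vbs", "ScanRegistry": "scanregw.exe /autorun"}
SAMPLE_IRC = {r"C:\mIRC\script.ini":
              "[script]\nn0=on 1:JOIN:#:{ /dcc send $nick C:\\WINDOWS\\LINKS.VBS }\n"}

if __name__ == "__main__":
    print(mail_looks_like_freelink("Check This", ["LINKS.VBS"]))  # True
    for line in host_findings(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_IRC):
        print(line)
```

Run against a real machine, the file list, Run values and script contents would be collected from the paths named in the removal steps; a clean host returns an empty list.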