MicroWorld, a Mumbai-based antivirus software company, has warned about a new Melissa-like worm named VBS/Freelink.
This worm spreads by e-mailing a file called LINKS.VBS.
VBS/Freelink was originally found in Europe in July 1999, but it did not become common immediately: it is written in VBScript, and at the time programs written in VBScript ran only under Windows 98 and the Windows 2000 beta, neither of which was widely used.
But with the widespread download and use of Microsoft's latest version of Internet Explorer (IE5), which brings VBScript support with it, the worm found its medium. It uses an encryption method similar to that of the VBS/Luser viruses, also known as Zulu.
How it goes around: The worm arrives in e-mail messages as an attachment named LINKS.VBS. When it is executed, it drops an encrypted script file to "C:\Windows\System\Rundll.vbs". It then changes the registry in such a way that "Rundll.vbs" is executed each time the system is restarted. The worm then shows a message box with the following text:
"This will add a shortcut to free XXX links on your desktop. Do you want to continue?"
and goes on to create a shortcut pointing to a porn web site. If the user presses the "Yes" button, the worm creates an Internet shortcut named "FREE XXX LINKS" on the desktop. The shortcut points to the http://www.sublimedirectory.com web site.
The worm uses the Outlook application to mass-mail itself to every recipient in every address book. The mass-mailing part is similar to the W97M/Melissa virus, but this worm does not infect Word documents, and it sends itself each time it is executed.
The subject of the email message reads:
Check this
and the body of the message is:
Have fun with these links.
Bye.
The worm attaches itself to the message as "Links.vbs". When the receiver double-clicks the attachment, the worm executes and mass-mails itself again. It also stays hidden from the user by removing the sent mail from the user's "Sent Mail" folder.
When the machine is restarted, the worm drops "Links.vbs" into the Windows directory and also searches the "C:\MIRC" directory for "MIRC32.EXE", an Internet Relay Chat client. If the file is found, the worm replaces the file "SCRIPT.INI" with its own version. It does likewise with another client, PIRCH, by replacing the file events.ini in the directory "c:\PIRCH98". These two chat clients will then also spread the worm when the user enters IRC chat channels.
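The indicators listed above translate directly into detection logic. The following is an added example written for this article, not MicroWorld's or Data Fellows' tooling: a mail-gateway check for the message (subject "Check this", the two-line body, a .vbs attachment), a host scan for the dropped files and the desktop shortcut, and a check of exported Run-key values for the Rundll.vbs autostart. The sample message and drive layout are constructed; the attachment body is a harmless placeholder. The check on the replaced mIRC and PIRCH script files assumes the replacement script names Links.vbs, which the article does not state.

```python
"""Added example: detecting VBS/Freelink indicators at a mail gateway and on a host.

Constructed for this article; not the code of any antivirus vendor named above.
"""
import email
import tempfile
from email import policy
from email.message import EmailMessage
from pathlib import Path

FREELINK_SUBJECT = "Check this"
FREELINK_BODY_MARKERS = ("Have fun with these links.", "Bye.")
SHORTCUT_HOST = "sublimedirectory.com"
# Paths relative to the drive root of a Windows 98-era install.
DROPPED_FILES = ("Windows/System/Rundll.vbs", "Windows/Links.vbs")
# IRC client config files the worm replaces: (directory, file name).
IRC_SCRIPTS = (("MIRC", "script.ini"), ("PIRCH98", "events.ini"))


def classify_message(raw: bytes) -> list:
    """Return the Freelink indicators present in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip() == FREELINK_SUBJECT:
        hits.append("subject matches")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if all(marker in text for marker in FREELINK_BODY_MARKERS):
        hits.append("body matches")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".vbs"):
            hits.append("script attachment " + name)
    return hits


def scan_host(root: Path) -> list:
    """Scan a drive root (or an offline image mounted there) for host artifacts."""
    findings = []
    for rel in DROPPED_FILES:
        if (root / rel).is_file():
            findings.append("dropped file " + rel)
    desktop = root / "Windows" / "Desktop"
    if desktop.is_dir():
        for url_file in desktop.glob("*.url"):
            if SHORTCUT_HOST in url_file.read_text(errors="ignore").lower():
                findings.append("shortcut " + url_file.name)
    # Assumption (not from the article): the replacement IRC script refers to
    # the dropped Links.vbs so that it can send it to other channel members.
    for client_dir, ini in IRC_SCRIPTS:
        script = root / client_dir / ini
        if script.is_file() and "links.vbs" in script.read_text(errors="ignore").lower():
            findings.append("IRC script " + client_dir + "/" + ini)
    return findings


def check_run_values(run_values: dict) -> list:
    """Flag Run-key values (name -> command line, e.g. from an exported .reg
    file or an offline hive parse) that launch the dropped Rundll.vbs.
    Matching on the '.vbs' name avoids false hits on the legitimate rundll32."""
    return [name for name, cmd in run_values.items() if "rundll.vbs" in cmd.lower()]


def build_sample_message() -> bytes:
    """Constructed message shaped like the one described; the attachment is a
    harmless placeholder, not the worm."""
    msg = EmailMessage()
    msg["Subject"] = "Check this"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Have fun with these links.\nBye.\n")
    msg.add_attachment(b"' placeholder\r\n", maintype="application",
                       subtype="octet-stream", filename="Links.vbs")
    return msg.as_bytes()


def build_sample_host() -> Path:
    """Constructed drive layout with two of the host artifacts present."""
    root = Path(tempfile.mkdtemp())
    (root / "Windows" / "System").mkdir(parents=True)
    (root / "Windows" / "Desktop").mkdir()
    (root / "Windows" / "System" / "Rundll.vbs").write_text("' placeholder\n")
    (root / "Windows" / "Desktop" / "FREE XXX LINKS.url").write_text(
        "[InternetShortcut]\nURL=http://www.sublimedirectory.com\n")
    return root


if __name__ == "__main__":
    print(classify_message(build_sample_message()))
    print(scan_host(build_sample_host()))
    print(check_run_values({"Rundll": "wscript.exe C:\\Windows\\System\\Rundll.vbs"}))
```

The gateway check reports each indicator separately rather than a single yes/no, so a subject match alone (a common phrase) can be logged while a .vbs attachment plus the exact body can be quarantined outright.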
The latest antivirus update for this can be downloaded from
ftp://ftp.Europe.DataFellows.com/anti-virus/updates/fsupdate.exe
Another new Word macro virus, known as WM/PolyPoster, has been discovered by Data Fellows, manufacturer of antivirus products such as F-Prot and F-Secure.
The new virus uses advanced replication methods to spread within Microsoft Word documents. Once a machine is infected by the virus, all Word documents opened, edited or saved on it become infected, and the virus spreads to new machines. Even the messages posted by the virus look realistic, as if from a real user of the machine, complete with the user's name and signature.
This virus is temperamental in its working and activates at random. It also sends the user's Word documents to Usenet public discussion groups, including company confidential data or private letters and mail. The virus contains a list of newsgroups to which it posts the messages, including popular adult discussion groups such as alt.hacker, alt.binaries.pictures.erotica, alt.fan.hanson, alt.windows95 and alt.skinheads. Of course, the posted documents are infected by the virus, and users who view them in Word will suffer the same fate.
This is where traditional security measures such as firewalls or Windows NT security settings cannot prevent attacks like this, since they arrive through normal e-mail document attachments and spread from the company's network via e-mail or standard Usenet news postings.
And if you thought Java was free from viruses, try this. There is a 4KB virus called 'Strange_Brew' that infects Java programs and applets. Infected files have file sizes divisible by 101 and contain the text 'Strange Brew_Virus'.
The virus is potent and can infect other Java programs when run in Sun's HotJava browser. When executed, the virus infects all programs that are open.
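The two indicators given for infected files (size divisible by 101, and the text 'Strange Brew_Virus') are enough for a simple scan of a code base or web root. The following is an added example written for this article, not Data Fellows' scanner: it walks a directory for .class files, confirms the Java class magic 0xCAFEBABE so that unrelated files are ignored, and reports the marker as a verdict and a size-only match as something to review, since one genuine class file in 101 has such a size by chance. The sample class files are constructed and contain no code.

```python
"""Added example: a heuristic scan for Strange_Brew-infected Java class files.

Constructed for this article; not Data Fellows' or any vendor's scanner.
"""
import tempfile
from pathlib import Path

CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # first four bytes of every Java class file
MARKER = b"Strange Brew_Virus"      # text the article says infected files contain


def inspect_class(path: Path) -> dict:
    """Classify one file: 'not-class', 'clean', 'review' (size only) or 'infected'."""
    data = path.read_bytes()
    if data[:4] != CLASS_MAGIC:
        return {"path": str(path), "verdict": "not-class"}
    size_hit = len(data) % 101 == 0
    marker_hit = MARKER in data
    if marker_hit:
        verdict = "infected"
    elif size_hit:
        # The size check alone only earns a second look, not a verdict.
        verdict = "review"
    else:
        verdict = "clean"
    return {"path": str(path), "size": len(data), "size_hit": size_hit,
            "marker_hit": marker_hit, "verdict": verdict}


def scan_tree(root: Path) -> dict:
    """Walk a directory and return a verdict for every .class file, keyed by
    path relative to root. Removal, as the article notes, is deleting the
    infected files; this function only reports."""
    return {p.relative_to(root).as_posix(): inspect_class(p)["verdict"]
            for p in sorted(root.rglob("*.class"))}


def build_samples() -> Path:
    """Constructed inputs: a clean 50-byte class, a clean 101-byte class that
    trips the size check, a 202-byte class carrying the marker, and a text
    file mentioning the marker that must be ignored as it is not a class."""
    root = Path(tempfile.mkdtemp())
    header = CLASS_MAGIC + b"\x00\x00\x00\x31"  # magic + class file version
    (root / "Clean.class").write_bytes(header + b"\x00" * 42)   # 50 bytes
    (root / "Lucky.class").write_bytes(header + b"\x00" * 93)   # 101 bytes
    infected = header + MARKER
    infected += b"\x00" * (202 - len(infected))
    (root / "Infected.class").write_bytes(infected)             # 202 bytes
    (root / "notes.txt").write_bytes(MARKER)
    return root


if __name__ == "__main__":
    samples = build_samples()
    for rel, verdict in scan_tree(samples).items():
        print(rel, verdict)
```

Point it at a deployed web root to find infected applets, or at a build output directory to catch infected programs before they are shipped.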
Some consolations, though. The virus is not memory resident and thus does not infect files opened after it has been removed, which is done simply by deleting the infected .class files. Since Java programs are not as widespread on the Web as Java applets, Strange_Brew will not be so widespread. And Java's safety mechanism (the sandbox) holds the virus at bay. The sandbox comprises a number of components, such as the security manager and the language and JVM security measures, that allow a user to download and execute untrusted applets without undue risk and without applets disrupting or affecting any other sandboxes.
We are not finished with viruses. Watch this space.