An update on viruses
R.Ramasubramoni
09 October 1999


MicroWorld, a Mumbai-based antivirus software company, has warned about a new Melissa-like worm named VBS/Freelink.
This worm spreads by e-mailing a file called LINKS.VBS.

VBS/Freelink was first found in Europe in July 1999, but it did not become common immediately. The worm is written in the VBScript language, and VBScript programs run only where the Windows Scripting Host is installed, which at the time meant Windows 98 and the Windows 2000 beta, neither of them widely used.

But with Microsoft's latest version of Internet Explorer (IE5) being widely downloaded and installed, the worm found its medium, since IE5 brings VBScript support with it. The worm uses an encryption method similar to that of the VBS/Luser viruses, also known as Zulu.

How it goes around: The worm arrives in an e-mail message as an attachment named LINKS.VBS. When it is executed, it drops an encrypted script file to "C:\Windows\System\Rundll.vbs" and changes the registry so that "Rundll.vbs" is executed each time the system is restarted. The worm then shows a message box with the following text:

"This will add a shortcut to free XXX links on your desktop.
Do you want to continue?"


If the user presses the "Yes" button, the worm creates an Internet shortcut named "FREE XXX LINKS" on the desktop, pointing to the pornographic web site http://www.sublimedirectory.com.

The worm uses the Outlook application to mass-mail itself to every recipient in every address book. The mass-mailing is similar to the W97M/Melissa virus, but this worm does not infect Word documents, and it sends itself every time it is executed.

The subject of the email message reads:

Check this

and the body of the message is:

Have fun with these links.
Bye.

The worm attaches itself to the message as "Links.vbs". When the recipient double-clicks the attachment, the worm executes and mass-mails itself again. It also hides from the user by deleting the sent message from the user's "Sent Mail" folder.

When the machine is restarted, the worm drops "Links.vbs" into the Windows directory and also searches the "C:\MIRC" directory for "MIRC32.EXE", an Internet Relay Chat client. If the file is found, the worm replaces the file "SCRIPT.INI" with its own version. It does likewise with another client, PIRCH, by replacing the file "events.ini" in the directory "c:\PIRCH98". These two chat clients will then also spread the worm whenever the user enters IRC channels.
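A mail-gateway check for the message described above, written as an added example for this article; it is not code from MicroWorld, Data Fellows or the article itself. The attachment name, subject line and body text are the ones the article reports, the two sample messages are constructed here, and the list of Windows Scripting Host file types beyond .vbs is an assumption that generalises the check to similar script worms.

```python
"""Gateway check for VBS/Freelink-style worm mail (added example)."""
import email
import os
from email import policy
from email.message import EmailMessage

# File types the Windows Scripting Host runs on double-click. Assumption: the
# article names only .vbs; the other extensions are added as a generalisation.
WSH_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# Indicators taken from the article's description of VBS/Freelink.
FREELINK_ATTACHMENT = "links.vbs"
FREELINK_SUBJECT = "check this"
FREELINK_BODY_PHRASES = ("have fun with these links", "bye.")


def script_attachments(msg):
    """Return the filenames of attachments whose extension WSH would execute."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in WSH_EXTENSIONS:
            found.append(name)
    return found


def matches_freelink(msg, scripts):
    """True when attachment name, subject and body all match the Freelink mail."""
    subject = (msg.get("Subject") or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    has_attachment = any(s.lower() == FREELINK_ATTACHMENT for s in scripts)
    return (has_attachment and subject == FREELINK_SUBJECT
            and all(phrase in body for phrase in FREELINK_BODY_PHRASES))


def scan_message(raw_bytes):
    """Classify one RFC 822 message and return the verdict with its evidence."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    scripts = script_attachments(msg)
    if not scripts:
        verdict = "clean"
    elif matches_freelink(msg, scripts):
        verdict = "block: VBS/Freelink signature"
    else:
        # Any script attachment runs with the user's rights when double-clicked,
        # so it is held even without a known-worm match.
        verdict = "quarantine: script attachment"
    return {"verdict": verdict, "script_attachments": scripts}


def build_sample(subject, body, filename, content, mimetype):
    """Construct a test message (constructed sample, not a captured worm mail)."""
    msg = EmailMessage()
    msg["From"] = "victim@example.com"
    msg["To"] = "friend@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    maintype, subtype = mimetype.split("/")
    msg.add_attachment(content, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


# Constructed samples: a Freelink look-alike and a harmless mail.
FREELINK_SAMPLE = build_sample("Check this", "Have fun with these links.\nBye.\n",
                               "Links.vbs", b"' script body omitted",
                               "application/octet-stream")
BENIGN_SAMPLE = build_sample("Minutes", "Attached are the minutes.\n",
                             "minutes.txt", b"Meeting notes", "text/plain")

if __name__ == "__main__":
    for label, raw in (("freelink", FREELINK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_message(raw))
```

Run stand-alone, the script blocks the Freelink look-alike and passes the minutes mail. A .vbs attachment that does not match the article's text is still quarantined rather than passed, because the point of the worm is that a double-clicked .vbs executes under the Windows Scripting Host with the user's own privileges, whatever its subject line says.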


The latest antivirus update covering this worm can be downloaded from
ftp://ftp.Europe.DataFellows.com/anti-virus/updates/fsupdate.exe

Another new Word macro virus, known as WM/PolyPoster, has been discovered by Data Fellows, maker of antivirus products such as F-Prot and F-Secure.

The new virus uses advanced replication methods to spread within Microsoft Word documents. Once a machine is infected, every Word document opened, edited or saved on it becomes infected, and the virus spreads to new machines along with those documents.

The virus works erratically and activates at random. When it does, it posts the user's Word documents to public Usenet news discussion groups, company-confidential data and private letters and mail included. The virus carries a list of newsgroups to post to, among them popular groups such as alt.hacker, alt.fan.hanson, alt.windows95 and alt.skinheads and adult groups such as alt.binaries.pictures.erotica. The posted messages look realistic, as if written by a real user of the machine, complete with the user's name and signature. Of course, the posted documents are themselves infected, and users who download them and open them in Word will suffer the same fate.

Traditional security measures such as firewalls or Windows NT security settings cannot prevent attacks like this. The virus arrives through an ordinary e-mail document attachment and leaves the company's network as ordinary e-mail or standard Usenet news postings, exactly the traffic those controls are configured to allow.

And if you thought Java was free from viruses, try this. There is a 4KB virus called 'Strange_Brew' that infects Java programs and applets. Infected .class files have sizes divisible by 101 and contain the text 'Strange Brew_Virus'.

The virus is potent and can infect other Java programs when run in Sun's HotJava browser. When executed, it infects all the Java programs it can open.

Some consolation, though. The virus is not memory resident, so nothing remains to infect files opened after the infected .class files have been deleted; removal is simply a matter of deleting them. Since Java programs are not as widespread on the Web as Java applets, Strange_Brew will not spread very far. And Java's safety mechanism, the sandbox, holds the virus at bay. The sandbox comprises a number of components, such as the security manager and the language and JVM security measures, that let a user download and execute untrusted applets without undue risk: an applet loaded from the Web is not allowed to write to local files, so an infected applet cannot infect the classes on the viewer's disk, and applets cannot disrupt or affect any other sandbox.
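A scanner for the two Strange_Brew indicators the article gives (file size divisible by 101, marker text in the file), written as an added example for this article; it is not code from Data Fellows or any other antivirus vendor. The marker string is taken as the article prints it, the sample files are constructed stand-ins rather than real infected classes, and requiring the Java class-file magic number together with both indicators is a design choice made here, since a size check alone flags about one file in a hundred.

```python
"""Scan a directory tree for Java class files carrying the Strange_Brew markers
(added example)."""
import os
import struct
import tempfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java class file starts with this
MARKER = b"Strange Brew_Virus"      # marker text as printed in the article
SIZE_MODULUS = 101                  # infected files have sizes divisible by 101


def looks_infected(data):
    """Apply the article's two indicators, plus the class-file magic, to one file."""
    is_class = data[:4] == CLASS_MAGIC
    size_ok = len(data) % SIZE_MODULUS == 0
    return is_class and size_ok and MARKER in data


def scan_tree(root):
    """Return the sorted paths of .class files under root that look infected."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".class"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if looks_infected(fh.read()):
                    hits.append(path)
    return sorted(hits)


def make_fake_class(marker=None):
    """Construct a minimal stand-in class file (constructed sample, not a real
    class): magic and version, then the marker and zero padding so the size
    becomes a multiple of 101 when a marker is requested."""
    body = CLASS_MAGIC + struct.pack(">HH", 0, 45)  # minor 0, major 45 (JDK 1.1)
    if marker:
        body += marker
        body += b"\x00" * (-len(body) % SIZE_MODULUS)
    else:
        body += b"\x00" * 10  # 18 bytes: clean and not a multiple of 101
    return body


def build_sample_tree(root):
    """Write one 'infected', one clean and one decoy file under root."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    decoy = MARKER + b"\x00" * (-len(MARKER) % SIZE_MODULUS)  # right size, not a class
    files = {
        os.path.join(root, "lib", "Infected.class"): make_fake_class(MARKER),
        os.path.join(root, "Clean.class"): make_fake_class(),
        os.path.join(root, "Notes.class"): decoy,
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Build the constructed sample tree in a temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="strangebrew_")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print("Strange_Brew indicators found:", hit)
```

Only the file that is a class file, has the right size and carries the marker is reported; the decoy with the marker and a size divisible by 101 but no class-file magic is ignored. Removal, as the article notes, is then a matter of deleting the reported files.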

We are not finished with viruses. Watch this space.


