Virus Database

VBS.FreeLink

Description VBS.FreeLink

This is a worm written in Visual Basic Script language (VBS). This worm spreads via e-mail and IRC (Internet Relay Chat) channels.
Being executed, the worm script creates a new script file "RUNDLL.VBS" in the Windows system folder, and modifies the system registry to execute this script upon every Windows start-up.
Then the worm displays the following message box:
This will add a shortcut to free XXX links on your desktop. Do you want
to continue?

If a user answers is "YES," the worm creates a shortcut on the desktop with URL to XXX site.
Then the worm enumerates all network drives on a computer, and copies infected script to the root directory of each network drive.
To spread via e-mail, the worm uses MS Outlook. The worm's spreading routine is very similar to a such routine in the "Melissa" virus, and works in the same way. The message with the infected worm script contains attached worm script (LINKS.VBS).
The message subject: Check this
The message body: Have fun with these links.

The "RUNDLL.VBS" script, when run creates, another script file "LINKS.VBS" in the Windows directory (LINKS.VBS is the same script as described above). Then it scans all fixed drives for folders "MIRC", "PIRCH98", "Program Files" (the folder where most Windows programs usually are installed) and also all their subfolders, and searches for the "MIRC32.EXE" or "PIRCH98.EXE" programs (popular IRC clients). If any of these programs are found, the worm creates a script file (SCRIPT.INI for MIRC or EVENTS.INI for PIRCH) that contains commands to send an infected "LINKS.VBS" to other IRC users when they join the same IRC channel to which an infected computer is connected.

Check other viruses! Be aware! Use Antiviral Software

DirFiller.1409

Description DirFiller.1409

It's dangerous memory resident parasitic stealth virus. It hooks INT 21h and writes itself to the end of COM- and EXE-files that are executed or opened. Depending on its counter it encrypts the root directory of the C: drive.

DirII.1024.a

Description DirII.1024.a

This is a memory resident dangerous stealth virus. It infects COM and EXE files during read/write operations with the sectors which belongs to the directories, containing information about these files. The virus places its own bodies into the last cluster of the infected logical disk. It marks this cluster as the last in the file cluster chain. When the virus infects the file it replaces only the number of the first cluster of the file. The new number will point to the body of the virus. So the virus don't change the contents and the size of the infected file and besides there will be only one copy of the virus on the disk.
During initialization the virus penetrates into the DOS kernel, modifies the address of the system disks driver and hooks all DOS calls to this driver. This virus uses powerful stealth mechanism on the system driver level. That is why the virus is "invisible" during a read of infected files either with INT 21h or INT 25h. This virus uses direct access to DOS resources and overcomes practically all anti-virus "shields".
This virus spreads with great speed. If you try to load a file which can't be found on the disks, DOS will look for it in all PATH directories and the virus will infect all the files in these directories. During the first start this virus will infect all files in the current directory of C: drive.

Home