Virus Database

VBS.FreeLink

Description VBS.FreeLink

This is a worm written in Visual Basic Script language (VBS). This worm spreads via e-mail and IRC (Internet Relay Chat) channels.
Being executed, the worm script creates a new script file "RUNDLL.VBS" in the Windows system folder, and modifies the system registry to execute this script upon every Windows start-up.
Then the worm displays the following message box:
This will add a shortcut to free XXX links on your desktop. Do you want
to continue?

If a user answers is "YES," the worm creates a shortcut on the desktop with URL to XXX site.
Then the worm enumerates all network drives on a computer, and copies infected script to the root directory of each network drive.
To spread via e-mail, the worm uses MS Outlook. The worm's spreading routine is very similar to a such routine in the "Melissa" virus, and works in the same way. The message with the infected worm script contains attached worm script (LINKS.VBS).
The message subject: Check this
The message body: Have fun with these links.

The "RUNDLL.VBS" script, when run creates, another script file "LINKS.VBS" in the Windows directory (LINKS.VBS is the same script as described above). Then it scans all fixed drives for folders "MIRC", "PIRCH98", "Program Files" (the folder where most Windows programs usually are installed) and also all their subfolders, and searches for the "MIRC32.EXE" or "PIRCH98.EXE" programs (popular IRC clients). If any of these programs are found, the worm creates a script file (SCRIPT.INI for MIRC or EVENTS.INI for PIRCH) that contains commands to send an infected "LINKS.VBS" to other IRC users when they join the same IRC channel to which an infected computer is connected.

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Olimpic

Description Macro.Word.Olimpic

This is an encrypted virus containing only one macro AutoOpen. It infects the global macros area on opening an infected document and writes itself to the noninfected documents that are opened.

Macro.Word.Onyx.a

Description Macro.Word.Onyx.a

This encrypted German-specific virus contains one macro with different names in different infected documents: DateiSpeichern, or DateiÖffnen, or DateiSchließen. As a result the virus replicates on saving, or opening, or closing documents. While infecting a document the virus changes its macro name to a new one and stores it in the system registry in HKEY_USERS.DefaultSoftwareOnyx.
On October 27 the virus halts Pentium-computers. The virus contains the comment:
(08.03.1998) / Loving thoughts to T.E.S.S.A!
This was done by Onyx / Germany 1998

Home