This is a worm written in Visual Basic Script language (VBS). This worm
spreads via e-mail and IRC (Internet Relay Chat) channels.
Being executed, the worm script creates a new script file “RUNDLL.VBS” in the
Windows system folder, and modifies the system registry to execute this script
upon every Windows start-up.
Then the worm displays the following message box:
This will add a shortcut to free XXX links on your desktop. Do you want
If a user answers is “YES,” the worm creates a shortcut on the desktop with URL to
Then the worm enumerates all network drives on a computer, and copies infected
script to the root directory of each network drive.
To spread via e-mail, the worm uses MS Outlook. The worm’s spreading
routine is very similar to a such routine in the “Melissa”
virus, and works in the same way. The message with the infected worm script
contains attached worm script (LINKS.VBS).
The message subject: Check this
The message body: Have fun with these links.
The “RUNDLL.VBS” script, when run creates, another script file “LINKS.VBS” in
the Windows directory (LINKS.VBS is the same script as described above). Then
it scans all fixed drives for folders “MIRC”, “PIRCH98”, “Program Files”
(the folder where most Windows programs usually are installed) and also all
their subfolders, and searches for the “MIRC32.EXE” or “PIRCH98.EXE”
programs (popular IRC clients). If any of these programs are found, the worm
creates a script file (SCRIPT.INI for MIRC or EVENTS.INI for PIRCH) that
contains commands to send an infected “LINKS.VBS” to other IRC users when they
join the same IRC channel to which an infected computer is connected.