
  AntiVirus Research Center

"The Sun Never Sets on SARC"


April 2000 Newsletter


Mobile Code Special Edition


The following is a list of the viruses, trojans and worms most frequently reported to SARC's regional offices during the last month.

Asia Pacific








New Virus Hoaxes reported to Symantec

Flashmaster G

This issue we've decided to focus on mobile code. What is mobile code? Well, my definition is "code (software) that is transferred from a host to a client computer to be executed (run)". Typically mobile code is written with VBA, JavaScript and similar technologies. In the anti-virus industry we focus on malicious mobile code.

Bruce McCorkendale provides us with a great article that describes malicious mobile code, and we have a write-up of the BAT.Chode.Worm or '911 Worm' that the news networks picked up in Houston, Texas. Two new VBS worms surfaced in Asia, VBS.LeeBill and VBS.Freelove, both typically arriving embedded within HTML emails. We also had a few reports and samples of the Irok Trojan Worm.

Another macro virus got lucky in France early in the month: W97M.Service.a targets French email addresses, that is, addresses ending in .fr.

Coming up next month, Carey Nachenburg takes a look at URL filtering and the issues to be considered when implementing such systems.

David Banes,


Malicious Mobile Code

What if you visited a seemingly reputable web site and unknowingly downloaded a script that changed all your computer settings? Or worse, stole your data? What can you do when a trusted web site proves untrustworthy?

Most commonly found on web sites, mobile code (or a mobile agent) is an application that travels across the Internet and executes on your computer. Most commonly, mobile code runs in your web browser. With ActiveX, Java and JavaScript enhancing many web sites, chances are, you run mobile code every time you browse the web.

While many web sites use mobile code to add usability, functionality and appeal, hackers may also use it to infect your computer with a virus, steal private information, or reformat your hard drive.

Malicious applets and ActiveX controls are fundamentally different from viruses: they do not replicate themselves or simply corrupt data (although they can). Instead, they steal data or disable systems.

How do you protect yourself?

Know that you can expose yourself to unscrupulous mobile code by:

  • Viewing a dynamically generated page,
  • Browsing a lesser-known web site,
  • Following links (in email, newsgroups, or web sites), and
  • Using interactive forms (they can call up ActiveX controls or JavaScript).

You can disable Java, JavaScript and ActiveX from running in your web browser by editing your browser preferences. However, doing so can prevent you from visiting many sites, disable some features or navigation, and prove seriously inconvenient.

Or, you can look into a security program that will protect your computer from malicious mobile code. By combining firewall and antivirus technologies, Norton Internet Security 2000 ensures the maximum level of protection against malicious Internet code. NIS 2000 protects you by:

  • Allowing only those sites you know and trust to run Java, JavaScript and ActiveX controls, while preventing all other sites from doing so.
  • Fully scanning all Java applets and ActiveX controls with Norton AntiVirus for malicious code, protecting your system files, applications and personal files and thus keeping your data safe.

Recommended by Windows Magazine's esteemed WinList, Norton Internet Security 2000 offers comprehensive security protection for your computer. Please take the time to learn more about how Norton Internet Security 2000 makes Internet surfing worry free.

by Bruce McCorkendale
Symantec, Architect.

Worms in the News




BAT.Chode.Worm is an Internet worm that uses BAT files. It searches through a range of IP addresses of known ISPs to find an accessible computer. If an accessible computer has its C drive shared, the worm will copy its files onto that computer. It is common in Houston, Texas, USA.
by: Raul K. Elnitiarta
SARC, Europe, Middle East & Africa

VBS.Freelove is a VBScript worm which uses mIRC and email to spread itself
from host to host. It does not have a harmful payload.

The first thing it does is create copies of itself in these two locations;


It then changes the Windows security settings, presumably to a lower level.

It then replaces the code with its own in all files in the Windows directory
that have an extension of *.vbs. Freelove then creates a file called;


in which it writes commands to DCC itself to other people.

This worm then emails itself to everyone in your MAPI address book using the
following Subject for the message;

"Important Notice From " & Application.UserName

The message body will be the following;

"Heya, check out the attachment attached to this email asap!"

Removal consists of simply deleting the files;


and then resetting your security settings to Medium or High, however you had them previously configured.

VBS.Leebill is a JScript Trojan that was sent as part of the body of an HTML email from an account held at a free email provider. It relies on the Windows Scripting Host (WSH), which is part of Windows 98 and Windows 2000 and available as a download for Windows 95.

Leebill is very similar to VBS.APS but has an extra function to modify the WIN.INI so that it runs a file called MSIE.HTA when Windows starts.

by David Banes
SARC, Asia Pacific

VBS.Network attempts to copy itself to network drives by first locating shared network drives, then mapping them to a local drive letter. Once a drive is infected, the worm tries to copy itself to the \Startup folder of the drive (assuming the infected drive is a Win95/98/NT system drive) to ensure execution at start-up. The worm remains in memory until the system is restarted.

by: Andy Cianciotto

Viruses in the News



W97M.Service.A is a polymorphic macro virus that uses MS Outlook to send itself. It sends itself to the first 50 email addresses that end with ".fr" in an MS Outlook address book (the first 50 French email addresses in every MS Outlook address book).

by: Raul K. Elnitiarta
SARC, Europe, Middle East & Africa

Trojans in the News




Irok.Trojan.Worm is a malicious worm that spreads itself using Microsoft Outlook email and Internet Relay Chat (IRC). The worm is sent as an email attachment. The message contains the following text:

Subject: I thought you might like to see this

and the body of the email message;

I thought you might like this.
I got it from paramount pictures website.
It's a startrek screen saver.

When Irok.exe is run, a black screen appears that makes it look to the user as though they are navigating through space. In the background, the worm copies itself to the C:\Windows\System directory and inserts the Irokrun.Vbs file in C:\Windows\StartMenu\Startup. It will prepend itself to executable files, and the virus has been known to corrupt its host. The Irokrun.VBS script will use Microsoft Outlook to send the same email to the first 60 entries in the user's address book.

The Irok.exe attachment is launched and the VBS file is executed on reboot of the machine.

When a user clicks on the attachment, a screen appears that looks as though one is navigating through space. Pressing the ESC key or SPACEBAR quits the application. The worm has now copied itself to the C:\Windows\System directory and has also placed a file called Irokrun.vbs in C:\Windows\StartMenu\Startup. A file named WinRDE.DLL is inserted in C:\Windows\System. From this point on, all executable files are infected and will fail to run properly. When the user then reboots, the Irokrun.vbs file will be executed on machines with Windows Scripting Host (WSH) installed. WSH is installed by default in Windows 98 and is also found on Windows 95 and Windows NT systems with Internet Explorer 5 installed. The Irokrun.VBS script will use Microsoft Outlook to send the same email to the first 60 entries in the user's address book. It will then attach the Irok.exe file from the C:\Windows\System directory.

The infectious files Irok.exe, Irokrun.vbs, and WinRDE.DLL should be deleted. Infected users should also delete all files detected as Irok.Trojan.Worm.
Edric Ta
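
The write-ups above name three start-up persistence points: a WIN.INI entry (Leebill's MSIE.HTA), scripts dropped in the Startup folder (VBS.Network, Irokrun.vbs) and files placed in the System directory (Irok). The following triage check is an added example, not SARC code; the function names are hypothetical, the directories are passed in by the caller, and because the page does not say which WIN.INI key Leebill uses, it inspects the standard load= and run= autostart keys of the [windows] section.

```python
import os
import tempfile

# File names come from the write-ups above; everything else is an assumption.
NAMED_FILES = {"irok.exe", "irokrun.vbs", "winrde.dll", "msie.hta"}
SCRIPT_EXTS = {".vbs", ".js", ".hta", ".bat"}


def winini_autostart(text):
    """Return programs listed under load=/run= in the [windows] section."""
    section, entries = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() in ("load", "run"):
                entries += value.replace(",", " ").split()
    return entries


def triage(win_ini_text, startup_dir, system_dir):
    """Collect (reason, item) findings for the persistence points described."""
    findings = []
    for prog in winini_autostart(win_ini_text):
        name = prog.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in NAMED_FILES or os.path.splitext(name)[1] in SCRIPT_EXTS:
            findings.append(("win.ini autostart", prog))
    for name in sorted(os.listdir(startup_dir)):
        if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
            findings.append(("script in Startup", name))
    for name in sorted(os.listdir(system_dir)):
        if name.lower() in NAMED_FILES:
            findings.append(("named file in System", name))
    return findings


def demo():
    """Run the triage over a constructed (fake) Windows directory layout."""
    ini = "[windows]\nload=\nrun=MSIE.HTA\n[Desktop]\nWallpaper=(None)\n"
    with tempfile.TemporaryDirectory() as root:
        for d, f in (("Startup", "Irokrun.vbs"), ("Startup", "Notes.lnk"),
                     ("System", "WinRDE.DLL"), ("System", "kernel32.dll")):
            os.makedirs(os.path.join(root, d), exist_ok=True)
            open(os.path.join(root, d, f), "w").close()
        return triage(ini, os.path.join(root, "Startup"), os.path.join(root, "System"))
```

A hit is only a lead for review: legitimate scripts can sit in a Startup folder, so confirm each finding with an up-to-date scanner before deleting anything.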


SARC Glossary, what's the difference between a virus and a worm?

SARC AntiVirus News Update is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.


All information contained in this newsletter is accurate and valid as of the date of issue.

Copyright © 1996-2000 Symantec Corporation. All rights reserved.