This worm that affects Windows users, initially discovered and reported in March 1999, has recently been spreading through campus departments.  The worm is spread via an email attachment called "Links.vbs."  Once the email attachment is activated, the virus will infect your computer and will try to send copies of itself to any email addresses contained in Microsoft Outlook.  If you receive email containing the "Links.vbs" attachment, write down who the message came from (so you can let them know that they are infected) and then DELETE the email message.

Details (from Network Associates)
This VB-Script worm distributes itself as an email attachment and attempts to invoke two common IRC clients. The 'To' field of the email is always empty and the email subject always appears as:

The email body contains the attachment, normally 'Links.vbs', and the line:

Have fun with these links.
Bye.

When the recipient opens (runs) this script attachment on a system, which supports the Windows Scripting host ( installed by default in Windows98 and Windows2000 ) the encrypted worm will drop two VBS script files on the system:

%Windows%\Links.vbs
%Windows%\System\Rundll.vbs

On Windows NT systems, the files are placed in the following folders:

C:\WINNT\links.vbs
C:\WINNT\SYSTEM32\rundll.vbs

Then a message box will be displayed like:

DesktopFREE XXX LINKS.URL
This will add a shortcut to the XXX sites on your desktop.
Do you want to continue (Yes/No).

If Yes was answered a desktop shortcut symbol 'FREE XXX LINKS' is created, linking to an adult website. Afterwards (in both cases) the worm continues to look for mapped drives to also copy \Links.vbs to their root directory. Execution, thus possibly further spreading, here is only possible if another user activates the script file manually. Now the main distribution method is called:

If MS Outlook98 or MS Outlook2000 are running, the worm will search all address entries in all Outlook address books ( Global, Personal, Contacts etc.) to create a list of recipients, which will be BCC-ed (thus not visible in the TO field) on the generated message containing the worm attachment.
The second file 'Rundll.vbs' will be installed in the registry to run
automatically on Windows startup, using the particular key:
\HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\Run\Rundll

When RunDll.vbs is executed, the file Links.vbs will be re-encrypted differently and the code searches for two installed IRC software clients by searching the complete directories of C:\MIRC, C:\Pirch98 for the executables Mirc32.exe and Pirch98.exe. Additionally the local system 'Programs files' folder of Windows is
examined the same way. If one IRC installation is found, the appropriate INI script is dropped on this location: Script.ini or Events.ini. If the client software is able to support these script commands, during the next IRC session the worm
%Windows%\Links.vbs is send via DCC, when a user joins a channel.
 
Removal the Worm with McAfee AntiVirus

Updated versions of the McAfee Anti-Virus software are capable of detecting and removing the worm.  If you do not have the McAfee anti-virus software, download it from the Virus Notification Program web page and then update it.

To run the scan after McAfee has been installed and updated and the computer restarted:

1. Click on Start, then Programs, then McAfee Virus Scan or Network Associates Virus Scan, and then Virus Scan.

2. When the virus scan window opens, there will be a text box labled Scan in.  In the box, make sure the hard drive that Windows is installed on (usually C) is written in the box.  Beneath the box is an area where you can set which files you want to scan.  Make sure that All files is selected, otherwise the scan will not detect the infected files.

3. Click on the Scan Now button.

4. During the scan, it will detect the infected file and ask what you want to do with it.  Hit the Delete button.

Note:  If you get an error message saying that the file could not be deleted, it has been our experience that the file is in fact deleted at this time despite the warning to the contrary.  You can always check afterwards to make sure the infected file Rundll.vbs is no longer in your Windows/System (or in NT, Winnt/System32) directory.

5. Let the scan continue by pressing the Continue button.

6. Once the scan is complete, go into your Windows or your Winnt directory and find the file called "Links.vbs".  Delete the file--DO NOT open it, as it could reinfect your machine.

7. Reboot your machine.
 
Removing the Worm Manually

1. Click on the Start button and choose Run.

2. In the Open box, type "regedit" (without the quotation marks) and hit the Enter or Return key.

3. The Registry Editor will open.  In the left column is a list of the registry keys.  Click on the "+" sign next to HKEY_Local_Machine.

4. A new sublisting will appear.  From this sublisting, click on the "+" sign next to Software.  In the next sublisting, click on the "+" sign for Microsoft, then Windows in the next sublisting, then CurrentVersion, then Run.  At the bottom of the Registry Editor screen in the status bar, you should see this key listing:
\HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\Run\

5. In the right column will be a listing of files that are run when Windows is started.  Click (highlight) the listing for
Rundll=rundll.vbs
 
...and hit the Delete key on your keyboard to remove the registry entry.

6. Exit Registry Editor.

7. Delete the following files if they exist:

For Windows 95/98:
C:\Windows\Links.vbs
C:\Windows\Rundll.vbs

For Windows NT:
C:\Winnt\Links.vbs
C:\Winnt\Rundll.vbs

8.  Restart the computer.