Computerworld

Visual Basic virus links e-mail to porn sites

A new virus that appears in e-mail files with the subject line "Check this" creates links to adult Web sites, then searches through an infected system's address book and automatically sends the e-mail to those names. It isn't known how many PCs have been infected with the virus.

Observers said the scam is more embarrassing than destructive to computer systems because e-mails touting the porn site appear to be coming from the address book's owner, but it's also an annoying marketing tactic.

"A lot of porn sites realize their income by the number of impressions they tell their advertisers they get," said Jim Kerins, chief operations officer at the National Fraud Center, a for-profit electronic privacy and database security company in Horsham, Pennsylvania. "This is a way of falsely inflating the number of impressions you can get. Especially at these pornography sites, they can get you to come to their sites by hook or crook."

According to antivirus vendor Network Associates, the Visual Basic script worm distributes itself as an e-mail attachment and attempts to involve two common Internet relay chat clients, which are programs used to chat online. The "to" field of the e-mail is always empty, and the e-mail subject appears as "Check this."

The e-mail body has the attachment "links.vbs." When someone opens that attachment on a system that supports Windows scripting, which is usually installed by default on Windows 98 and Windows 2000, the worm deposits two Visual Basic script files on the system. A message box then displays "DesktopFREE XXX LINKS.URL" and asks if the recipient wants to continue. If the person replies "yes," a desktop shortcut symbol "FREEXXX LINKS" is created, linking to an adult Web site.

The worm also searches all address entries if Microsoft Outlook 98 or Outlook 2000 is running, Network Associates said.
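The message traits reported above (the "Check this" subject, the empty "to" field and the "links.vbs" attachment) can be checked at a mail gateway. The sketch below is an added example, not code from the article or from Network Associates; the function names, the script-extension list and the two-indicator threshold are assumptions, and the sample messages are constructed.

```python
from email import message_from_string

# Indicators reported in the article; extension list and scoring are assumptions.
SUBJECT = "check this"
ATTACHMENT = "links.vbs"
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


def match_indicators(raw: str) -> list[str]:
    """List which indicators a raw RFC 822 message shows."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == SUBJECT:
        hits.append("subject")
    if not (msg.get("To") or "").strip():
        hits.append("empty-to")
    # get_filename() reads Content-Disposition, then Content-Type "name".
    names = [p.get_filename().strip().lower()
             for p in msg.walk() if p.get_filename()]
    if ATTACHMENT in names:
        hits.append("links.vbs")
    elif any(n.endswith(SCRIPT_EXTS) for n in names):
        hits.append("script-attachment")
    return hits


def should_quarantine(raw: str) -> bool:
    """Quarantine on the named attachment, or on any two other indicators."""
    hits = match_indicators(raw)
    return "links.vbs" in hits or len(hits) >= 2


def build_sample(to: str, subject: str, filename: str) -> str:
    """Constructed test message: one text part and one named attachment."""
    return "\r\n".join([
        "From: sender@example.com", f"To: {to}", f"Subject: {subject}",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b"', "",
        "--b", "Content-Type: text/plain", "", "hello",
        "--b", f'Content-Disposition: attachment; filename="{filename}"',
        "Content-Type: application/octet-stream", "", "placeholder",
        "--b--", ""])


if __name__ == "__main__":
    for args in [("", "Check this", "links.vbs"),
                 ("bob@example.com", "Q3 report", "report.pdf")]:
        raw = build_sample(*args)
        print(args, match_indicators(raw), should_quarantine(raw))
```

Matching on two weaker indicators as well as the exact filename keeps the rule useful if the attachment is renamed, at the cost of more false positives on short subjects.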