Question
Virus Alert! Life_Stages virus outbreak... (6/19/2000)
Answer
This question was answered on June 19, 2000. Much of the information contained herein may have changed since posting.

Another variation of the VBS-based ILOVEYOU virus is on the loose and spreading fast. As in the past, the most likely victims will be on corporate mail servers using the Microsoft Outlook e-mail program. The difference with this new strain is that it uses the *.SHS extension instead of the *.VBS extension, which is what allows it to get past existing filtering schemes on corporate mail servers. System administrators should add *.SHS to existing filters and make users aware of this new variation. Our previous tips on avoiding these virus strains are still effective. To review our recommendations, click on the link below:

http://www.computerproblems.com/kenscolumns.cfm?ColumnID=41

Here is the information that has been posted at the Norton Anti-virus site:

Virus name: VBS.Stages.A

This worm appears as an attachment titled LIFE_STAGES.TXT.SHS. Execution of this attachment will open a text file in Notepad displaying the male and female stages of life. While the user is reading the text file, the script is executing in the background. This worm spreads itself using Outlook, ICQ, mIRC and PIRCH. SARC suggests that corporate customers configure their email filtering systems to filter out or stop all incoming emails that have attachments with .SHS extensions. Beta quality definitions for this worm are available here.

Also known as: IRC/Stages.worm, Life_Stages Worm
Category: Worm
Infection length: 39,936 bytes
Virus definitions: Certified definitions pending. Available here as beta defs.

Threat assessment:
Wild: HIGH
Damage: LOW
Distribution: HIGH

Wild
Number of infections: 0-49
Number of sites: 0-2
Geographical distribution: Low
Threat containment: Easy
Removal: Difficult

Damage
Payload trigger: Execution of the LIFE_STAGES.TXT.SHS attachment
Payload:
Large scale e-mailing: Sends mail to entire MS Outlook address book
Modifies files: System registry, Regedit.exe
Causes system instability: Could overload mail servers

Distribution
Subject of e-mail: There are 12 possibilities for the subject of the email
Name of attachment: LIFE_STAGES.TXT.SHS
Size of attachment: 39,936 bytes
Shared drives: Copies itself to mapped drives

Technical description:
An SHS file is a Microsoft Scrap Object file. These types of files are executable and can contain a wide variety of objects. The scrap object (SHS) extension does not appear in Windows Explorer even if all file extensions are displayed.

Upon executing this worm, your system is modified in many different ways:

SCANREG.VBS, VBASET.OLB and MSINFO16.TLB are created in the \WINDOWS\SYSTEM directory. The registry key HKLM/Software/Microsoft/Windows/CurrentVersion/RunServices/ScanReg is added to run the SCANREG.VBS file upon startup. LIFE_STAGES.TXT.SHS is created in the \WINDOWS directory.

A randomly named file in the format Rand1+Rand2+Rand3.txt.shs, where Rand1 = IMPORTANT, INFO, REPORT, SECRET or UNKNOWN, Rand2 = - or _, and Rand3 = a random number between 1 and 1000, is created in the root directory of all mapped drives, in \My Documents and in \WINDOWS\START MENU\PROGRAMS. For example, report_439.txt.shs or IMPORTANT-707.TXT.SHS.

The file regedit.exe is moved into the Recycle Bin as a hidden system file named RECYCLED.VXD. MSRCYCLD.DAT, RCYCLDBN.DAT and DBINDEX.VBS are created in the Recycle Bin as hidden system files. MSRCYCLD.DAT is a copy of the original SHS file. RCYCLDBN.DAT is a copy of the SCANREG.VBS file. DBINDEX.VBS is set to be executed when ICQ is run.
The script for mIRC is modified to call the file SOUND32B.DLL, which causes the worm to spread through mIRC and PIRCH.

The worm sends an email to addresses listed in your MS Outlook Address Book. The email contains the LIFE_STAGES.TXT.SHS attachment. The subject of the email is randomly generated and can be one of twelve strings. It may or may not begin with "Fw:". It will contain either "Life stages", "Funny" or "Jokes" and may or may not be followed by "text". Examples would be "Fw: Life stages", "Jokes text" or "Fw: Funny text". The worm immediately deletes copies of the emails after they have been sent to ensure there is no record of its presence.

Removal:
You must delete all .txt.shs files from your system. Also delete SCANREG.VBS, VBASET.OLB and MSINFO16.TLB from the \WINDOWS\SYSTEM directory.

You will need to restore the registry using regedit. To do this, first open a command prompt and change to the \RECYCLED directory. Using the attrib command, modify the attributes of the files which the worm creates there. The command would be attrib -hsr recycled.vxd, and so on for each of these files. Copy RECYCLED.VXD as \WINDOWS\REGEDIT.EXE and then delete the 4 files you modified.

Using regedit, make the following modifications to the registry:
Delete the value HKLM/Software/Microsoft/Windows/RunServices/Scanreg.
Delete the values Enable, Parameters, Path and StartUp in the key HKEY_USERS/.Default/Software/Mirabilis/ICQ/Agent/Apps/ICQ.
Delete the value HKLM/Software/Microsoft/Windows/CurrentVersion/OSName.
Modify the value for HKCR/regfile/DefaultIcon by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.
Modify the value for HKCR/regfile/shell/open/command by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.
Modify the value for HKLM/Software/CLASSES/regfile/shell/open/command by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.
Modify the value for HKLM/Software/CLASSES/regfile/DefaultIcon by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.
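As an added example (not code from the original column or from the Norton write-up), here is a Python mail-gateway check that implements the filtering advice above: it flags any .SHS attachment, double extensions such as .txt.shs included, and records the twelve subject variants and the Rand1+Rand2+Rand3.txt.shs dropper names as corroborating signals. The sample message is constructed for the example, not a real capture.

```python
import re
from email import message_from_string

# 12 subject variants: optional "Fw: ", one of three words, optional " text".
STAGES_SUBJECTS = {
    f"{fw}{word}{txt}"
    for fw in ("", "Fw: ") for word in ("Life stages", "Funny", "Jokes") for txt in ("", " text")
}

# Dropper names: IMPORTANT|INFO|REPORT|SECRET|UNKNOWN, then - or _, then 1..1000, then .txt.shs.
DROPPER_RE = re.compile(
    r"^(IMPORTANT|INFO|REPORT|SECRET|UNKNOWN)[-_]([1-9]\d{0,2}|1000)\.txt\.shs$", re.IGNORECASE
)

def is_stages_dropper_name(name: str) -> bool:
    """True for LIFE_STAGES.TXT.SHS or a Rand1+Rand2+Rand3.txt.shs dropper name."""
    return name.upper() == "LIFE_STAGES.TXT.SHS" or DROPPER_RE.match(name) is not None

def attachment_names(raw: str) -> list:
    """Filenames of every MIME part; a double extension like .txt.shs still ends in .shs."""
    return [p.get_filename() for p in message_from_string(raw).walk() if p.get_filename()]

def classify(raw: str) -> dict:
    """Signals a gateway filter can log: any .shs part, a known dropper name, a known subject."""
    names = attachment_names(raw)
    subject = (message_from_string(raw).get("Subject") or "").strip()
    return {
        "shs_attachment": any(n.lower().endswith(".shs") for n in names),
        "known_dropper_name": any(is_stages_dropper_name(n) for n in names),
        "known_subject": subject in STAGES_SUBJECTS,
    }

def should_block(raw: str) -> bool:
    """Block on the .shs extension alone, as SARC advised; the other signals corroborate."""
    return classify(raw)["shs_attachment"]

# Constructed sample message (not a real capture) carrying the worm's attachment name.
SAMPLE = """\
Subject: Fw: Life stages
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="LIFE_STAGES.TXT.SHS"
Content-Disposition: attachment; filename="LIFE_STAGES.TXT.SHS"

(scrap object bytes omitted)
--b1--
"""
```

Blocking on the extension alone is deliberate: the subject and filename checks only catch this strain, while the extension check also covers the next one.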
Author
Posted by Ken of Data Doctors on June 19, 2000