Virus Alert! Life_Stages virus outbreak... (6/19/2000)
This question was answered on June 19, 2000. Much of the information contained herein may have changed since posting.
Another variation of the VBS-based ILOVEYOU virus is on the loose and spreading fast. As in the past, the most likely victims will be on corporate mail servers using the Microsoft Outlook e-mail program. The difference with this new strain is that it uses the *.SHS extension instead of the *.VBS extension, which is what allows it to get past existing filtering schemes on corporate mail servers.
System administrators should add *.SHS to their existing filters and make users aware of this new variation.
Our previous tips on avoiding these virus strains are still effective. To review our recommendations, click on the link below:
http://www.computerproblems.com/kenscolumns.cfm?ColumnID=41
Here is the information that has been posted at the Norton Anti-virus site:
Virus name: VBS.Stages.A
This worm appears as an attachment titled LIFE_STAGES.TXT.SHS. Execution of this attachment opens a text file in Notepad displaying the male and female stages of life. While the user is reading the text file, the script executes in the background. This worm spreads itself using Outlook, ICQ, mIRC and PIRCH. SARC suggests that corporate customers configure their email filtering systems to filter out or stop all incoming emails that have attachments with .SHS extensions. Beta quality definitions for this worm are available here.
Also known as: IRC/Stages.worm, Life_Stages Worm
Infection length: 39,936 bytes
Virus definitions: Certified definitions pending. Available here as beta defs.
Number of infections: 0-49
Number of sites: 0-2
Geographical distribution: Low
Threat containment: Easy
Execution of the LIFE_STAGES.TXT.SHS attachment
Large scale e-mailing: Sends mail to entire MS Outlook address book
Modifies files: System registry, Regedit.exe
Causes system instability: Could overload mail servers
Subject of e-mail: There are 12 possibilities for the subject of the email
Name of attachment: LIFE_STAGES.TXT.SHS
Size of attachment: 39,936 bytes
Shared drives: Copies itself to mapped drives
An SHS file is a Microsoft Scrap Object file. These types of files are executable and can contain a wide variety of objects. The scrap object (SHS) extension does not appear in Windows Explorer even if all file extensions are displayed. Upon executing this worm, your system is modified in many different ways:
SCANREG.VBS, VBASET.OLB and MSINFO16.TLB are created in the \WINDOWS\SYSTEM directory.
The registry key HKLM/Software/Microsoft/Windows/CurrentVersion/RunServices/ScanReg is added to run the SCANREG.VBS file upon startup.
LIFE_STAGES.TXT.SHS is created in the \WINDOWS directory.
A randomly named file in the format Rand1 Rand2 Rand3.txt.shs, where Rand1 = IMPORTANT, INFO, REPORT, SECRET, or UNKNOWN, Rand2 = - or _, and Rand3 = a random number between 1 and 1000, is created in the root directory of all mapped drives, in \My Documents and in \WINDOWS\START MENU\PROGRAMS. For example, report_439.txt.shs or IMPORTANT-707.TXT.SHS.
The file regedit.exe is moved into the Recycle Bin as a hidden system file named RECYCLED.VXD.
MSRCYCLD.DAT, RCYCLDBN.DAT and DBINDEX.VBS are created in the Recycle Bin as hidden system files. MSRCYCLD.DAT is a copy of the original SHS file. RCYCLDBN.DAT is a copy of the SCANREG.VBS file. DBINDEX.VBS is set to be executed when ICQ is run.
The script for mIRC is modified to call the file SOUND32B.DLL, which causes the worm to spread through mIRC and PIRCH.
The worm sends an email to addresses listed in your MS Outlook Address Book. The email contains the LIFE_STAGES.TXT.SHS attachment. The subject of the email is randomly generated and can be one of twelve strings. It may or may not begin with "Fw:". It will contain either "Life stages", "Funny" or "Jokes" and may or may not be followed by "text". Examples would be "Fw: Life stages", "Jokes text" or "Fw: Funny text". The worm immediately deletes copies of the emails after they have been sent to ensure there is no record of its presence.
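The following is an added example, not code from the original column or from SARC, showing how a mail-filter or log-review script could turn the attachment and subject characteristics above into a concrete check: it enumerates the twelve subject strings, flags any .SHS attachment (the filtering advice given above) and specifically recognises the LIFE_STAGES.TXT.SHS name and the Rand1 Rand2 Rand3.txt.shs dropped-file pattern. Function names and the sample filenames in the comments are assumptions for illustration.

```python
import re

# Dropped-file naming from the advisory: Rand1 in {IMPORTANT, INFO, REPORT, SECRET, UNKNOWN},
# Rand2 in {-, _}, Rand3 a number 1..1000, followed by the double extension .txt.shs.
DROPPED_NAME = re.compile(
    r"^(IMPORTANT|INFO|REPORT|SECRET|UNKNOWN)[-_](\d+)\.txt\.shs$", re.IGNORECASE
)

# Subject: optional "Fw: ", one of three words, optional " text" -> 2 * 3 * 2 = 12 strings.
SUBJECT = re.compile(r"^(Fw: )?(Life stages|Funny|Jokes)( text)?$")


def all_subjects():
    """Enumerate the twelve subject lines described in the advisory."""
    return [
        f"{fw}{word}{tail}"
        for fw in ("", "Fw: ")
        for word in ("Life stages", "Funny", "Jokes")
        for tail in ("", " text")
    ]


def classify_attachment(name):
    """Return a reason string if the attachment name should be blocked, else None.

    Any .shs attachment is blocked (scrap objects are executable and Explorer hides
    the extension); the two worm-specific name patterns are reported by name.
    """
    clean = name.strip()
    if clean.lower() == "life_stages.txt.shs":
        return "VBS.Stages.A mailed attachment"
    m = DROPPED_NAME.match(clean)
    if m and 1 <= int(m.group(2)) <= 1000:
        return "VBS.Stages.A dropped-file name"
    if clean.lower().endswith(".shs"):
        return "scrap object (.shs) attachment"
    return None


def is_stages_message(subject, attachment_names):
    """Message-level check: a flagged attachment together with one of the 12 subjects."""
    has_flagged = any(classify_attachment(n) for n in attachment_names)
    return has_flagged and SUBJECT.match(subject.strip()) is not None
```

The generic .shs rule is the one the advisory recommends for mail gateways; the name-specific rules only add a label for the known worm.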
You must delete all .txt.shs files from your system. Also delete SCANREG.VBS, VBASET.OLB and MSINFO16.TLB from the \WINDOWS\SYSTEM directory. You will need to restore the registry using regedit. To do this, first open a command prompt and change to the \RECYCLED directory. Using the attrib command, modify the attributes of the files which the worm creates there. The command would be attrib -hsr recycled.vxd, and so on for each of these files. Copy RECYCLED.VXD as \WINDOWS\REGEDIT.EXE and then delete the 4 files you modified.
Using regedit make the following modifications to the registry:
Delete the value HKLM/Software/Microsoft/Windows/RunServices/Scanreg
Delete the values Enable, Parameters, Path and StartUp in the key HKEY_USERS/.Default/Software/Mirabilis/
Delete the value HKLM/Software/Microsoft/Windows/CurrentVersion/OSName
Modify the value for HKCR/regfile/DefaultIcon by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE
Modify the value for HKCR/regfile/shell/open/command by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE
Modify the value for HKLM/Software/CLASSES/regfile/shell/open/command by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE
Modify the value for HKLM/Software/CLASSES/regfile/DefaultIcon by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.
About the author
Posted by Ken Colburn of Data Doctors on June 19, 2000