VBS.Stages.A

This worm appears as an attachment titled LIFE_STAGES.TXT.SHS. Executing this attachment opens a text file in Notepad that displays
the male and female stages of life. While the user is reading the text file, the script executes in the background. This worm spreads
itself using Outlook, ICQ, mIRC and PIRCH. SARC suggests that corporate customers configure their email filtering systems to filter out or
stop all incoming emails that have attachments with .SHS extensions.


Also known as: IRC/Stages.worm, Life_Stages Worm, VBS_Stages.A

Category: Worm

Infection length: 39,936 bytes

Virus definitions: June 16, 2000

Threat assessment:

  
Wild:
High  Damage:
Low  Distribution:
High 
 

Wild

Number of infections: 50-999
Number of sites: More than 10
Geographical distribution: High
Threat containment: Easy
Removal: Difficult

Damage

Payload trigger: Execution of the LIFE_STAGES.TXT.SHS attachment
Payload:
Large scale e-mailing: Sends mail to entire MS Outlook address book
Modifies files: System registry, Regedit.exe
Causes system instability: Could overload mail servers

Distribution

Subject of e-mail: There are 12 possibilities for the subject of the email
Name of attachment: LIFE_STAGES.TXT.SHS
Size of attachment: 39,936 bytes
Shared drives: Copies itself to mapped drives

Technical description:

An SHS file is a Microsoft Scrap Object file. These types of files are executable and can contain a wide variety of objects. The scrap
object (SHS) extension does not appear in Windows Explorer even if all file extensions are displayed. Upon executing this worm, your
system is modified in many different ways:

SCANREG.VBS, VBASET.OLB and MSINFO16.TLB are dropped into the \WINDOWS\SYSTEM directory.
The registry key HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ScanReg is added to run the SCANREG.VBS file upon startup.
LIFE_STAGES.TXT.SHS is dropped into the \WINDOWS directory.

A randomly named file in the format of Rand1+Rand2+Rand3.txt.shs where Rand1 = IMPORTANT, INFO, REPORT, SECRET, or UNKNOWN and
Rand2 = - or _ and Rand3 = a random number between 1 and 1000 is dropped into the root directory of all mapped drives, into \My Documents
and into \WINDOWS\START MENU\PROGRAMS. For example, report_439.txt.shs or IMPORTANT-707.TXT.SHS.

The file regedit.exe is moved into the Recycle Bin as a hidden system file named RECYCLED.VXD.
MSRCYCLD.DAT, RCYCLDBN.DAT and DBINDEX.VBS are dropped into the Recycle Bin as hidden system files. MSRCYCLD.DAT is a copy of the original
SHS file. RCYCLDBN.DAT is a copy of the SCANREG.VBS file. DBINDEX.VBS is set to be executed when ICQ is run.
The script for mIRC is modified to call the file SOUND32B.DLL, which causes the worm to spread through mIRC and PIRCH.
The worm sends an email to addresses listed in your MS Outlook Address book. The email contains the LIFE_STAGES.TXT.SHS attachment.

The subject of the email is randomly generated and can be one of twelve strings. It may or may not begin with "Fw:". It will contain either
"Life stages", "Funny" or "Jokes" and may or may not be followed by "text". Examples would be "Fw: Life stages", "Jokes text" or "Fw: Funny text".

The worm immediately deletes copies of the emails after they have been sent to ensure there is no record of its presence.
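
The filtering rule SARC suggests, together with the attachment names and subject lines described above, can be expressed as a mail-gateway check. The following is an added example, not code from SARC or from the original description; the function names are hypothetical, and the exact spacing and capitalisation of the twelve subjects are assumed from the three examples given above.

```python
import re
from itertools import product

# Twelve subjects built from the rule in the description:
# optional "Fw: " + one of three phrases + optional " text".
# Spacing and capitalisation are assumed from the three examples on the page.
SUBJECTS = {
    f"{prefix}{phrase}{suffix}".lower()
    for prefix, phrase, suffix in product(
        ("", "Fw: "), ("Life stages", "Funny", "Jokes"), ("", " text")
    )
}

# Copies dropped on drives: Rand1 + Rand2 + Rand3 + ".txt.shs"
DROPPED_COPY = re.compile(
    r"^(IMPORTANT|INFO|REPORT|SECRET|UNKNOWN)[-_]([1-9]\d{0,3})\.txt\.shs$",
    re.IGNORECASE,
)


def is_scrap_attachment(filename):
    """The gateway rule SARC suggests: any attachment ending in .SHS."""
    return filename.strip().lower().endswith(".shs")


def is_dropped_copy(filename):
    """True for names matching the randomly named copies (number 1..1000)."""
    m = DROPPED_COPY.match(filename.strip())
    return bool(m) and 1 <= int(m.group(2)) <= 1000


def classify_message(subject, attachment_names):
    """'stages' = matches this worm, 'block' = other .SHS attachment, else 'pass'."""
    names = [n.strip() for n in attachment_names]
    if not any(is_scrap_attachment(n) for n in names):
        return "pass"
    known_name = any(
        n.upper() == "LIFE_STAGES.TXT.SHS" or is_dropped_copy(n) for n in names
    )
    known_subject = " ".join(subject.split()).lower() in SUBJECTS
    return "stages" if (known_name or known_subject) else "block"


if __name__ == "__main__":
    # Constructed sample messages (subject, attachment names), not real traffic.
    samples = [
        ("Fw: Life stages", ["LIFE_STAGES.TXT.SHS"]),
        ("Quarterly numbers", ["report_439.txt.shs"]),
        ("Jokes text", ["notes.txt"]),
        ("hello", ["drawing.shs"]),
    ]
    for subject, names in samples:
        print(f"{classify_message(subject, names):6}  {subject!r}  {names}")
```

Any .SHS attachment is stopped regardless of subject; the subject and name checks only decide whether the message is labelled as this worm.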