SECURITY ALERT

Name:      VBS/Stages.A
Aliases:   Stages.a,IRC/Stages.worm,Life_Stages Worm,
           I-Worm.Scrapworm,IRC/Stages.ini,LIFE_STAGES.TXT.SHS,
           ShellScrap Worm,VBS/LifeStages,VBS/Stages.14558,
           VBS/Stages.2542,VBS/Stages.worm,VBS_STAGES
Variants:  
Type:      WinScript Worm
Platforms: Windows
Status:    in the wild
Threat:    high

The following has been derived from information provided by Symantec, Trend and Network Associates.

Virus Characteristics

VBS/Stages.a is a worm which spreads using multiple applications, including Microsoft Outlook, Pirch, mIRC, and mapped drives. This worm may arrive via email with a scrap file attachment (LIFE_STAGES.TXT.SHS). The .SHS extension is not shown, and the file takes on the icon of a text file, encouraging users to believe that the attachment is indeed only a text file. When this scrap file is executed, Notepad is launched to display a text file containing a joke about the stages of life of both males and females. The worm may arrive in an e-mail similar to the following:

Subject of e-mail: One of the following: "Funny", "Jokes", "Life stages", "Fw: Funny", "Fw: Jokes", "Fw: Life Stages", "Funny text", "Jokes text", "Life stages text", "Fw: Funny text", "Fw: Jokes text", "Fw: Life Stages text"
Name of attachment: LIFE_STAGES.TXT.SHS
Size of attachment: 39,936 bytes

An SHS file is a Microsoft Scrap Object file. These files are executable and can contain a wide variety of objects. The scrap object (SHS) extension does not appear in Windows Explorer, even when all file extensions are set to be displayed, because of a registry entry for the Shell Scrap file type:

HKEY_CLASSES_ROOT\ShellScrap
"NeverShowExt"="0"

Users can change this by renaming the entry above from "NeverShowExt" to "AlwaysShowExt". Users can even delete the entry. Once it is modified, the user must log off and log back into Windows for the change to take effect.


Payload

If the worm is executed, SCANREG.VBS, VBASET.OLB and MSINFO16.TLB are created in the \WINDOWS\SYSTEM directory. The registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ScanReg

is added to run the SCANREG.VBS file upon startup. LIFE_STAGES.TXT.SHS is created in the \WINDOWS directory. A randomly named file of the form Rand1+Rand2+Rand3.txt.shs is created in the root directory of all mapped drives, in \My Documents and in \WINDOWS\START MENU\PROGRAMS, where Rand1 is IMPORTANT, INFO, REPORT, SECRET or UNKNOWN, Rand2 is - or _, and Rand3 is a random number between 0 and 999; for example, report_439.txt.shs or IMPORTANT-707.TXT.SHS. The file regedit.exe is moved into the Recycle Bin as a hidden system file named RECYCLED.VXD.

MSRCYCLD.DAT, RCYCLDBN.DAT and DBINDEX.VBS are also created in the Recycle Bin as hidden system files. MSRCYCLD.DAT is a copy of the original SHS file. RCYCLDBN.DAT is a copy of the SCANREG.VBS file. DBINDEX.VBS is set to be executed when ICQ is run.

The mIRC script is modified to call the file SOUND32B.DLL, which causes the worm to spread through mIRC and PIRCH.

The worm sends an email to every address listed in the user's MS Outlook address book. The email includes LIFE_STAGES.TXT.SHS as an attachment, and the subject is one of the twelve listed above. To elude detection, the worm deletes its copies of the emails immediately after they have been sent.
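As an added example, not part of the original alert, the following Python triage helper encodes the indicators given above (the attachment name and twelve subject lines, the random dropper name pattern, and the fixed-name components written to \WINDOWS\SYSTEM and \RECYCLED) so they can be checked against a mail subject or a directory listing. The sample listing at the bottom is constructed, not taken from a real host.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Random dropper name from the alert: Rand1 + Rand2 + Rand3 + .txt.shs, where
# Rand1 is IMPORTANT/INFO/REPORT/SECRET/UNKNOWN, Rand2 is - or _, Rand3 is 0-999.
# Matched case-insensitively because the alert's own examples mix case.
DROPPER_RE = re.compile(
    r"^(IMPORTANT|INFO|REPORT|SECRET|UNKNOWN)[-_](\d{1,3})\.TXT\.SHS$", re.IGNORECASE)

# The twelve subject lines: optional "Fw: ", one of three phrases, optional " text".
SUBJECT_RE = re.compile(r"^(Fw: )?(Funny|Jokes|Life stages)( text)?$", re.IGNORECASE)

# Fixed-name files the worm writes, keyed by the directory it writes them to.
KNOWN_DROPS = {
    "SYSTEM": {"SCANREG.VBS", "VBASET.OLB", "MSINFO16.TLB"},
    "RECYCLED": {"RECYCLED.VXD", "MSRCYCLD.DAT", "RCYCLDBN.DAT", "DBINDEX.VBS"},
}


def is_dropper_name(name: str) -> bool:
    """True for names like report_439.txt.shs or IMPORTANT-707.TXT.SHS."""
    return DROPPER_RE.match(name) is not None


def is_worm_subject(subject: str) -> bool:
    """True for any of the twelve subject lines the worm uses."""
    return SUBJECT_RE.match(subject.strip()) is not None


def classify_path(path: str) -> Optional[str]:
    """Return why a path matches the worm's footprint, or None if it does not."""
    p = PureWindowsPath(path)
    name, parent = p.name.upper(), p.parent.name.upper()
    if name == "LIFE_STAGES.TXT.SHS":
        return "worm attachment copy"
    if is_dropper_name(name):
        return "random-named dropper"
    if name in KNOWN_DROPS.get(parent, ()):
        return f"worm component in \\{parent}"
    return None


def scan_listing(paths: List[str]) -> List[Tuple[str, str]]:
    """Flag every path in a directory listing that matches the footprint."""
    return [(p, r) for p in paths if (r := classify_path(p)) is not None]


# Constructed sample listing (not real host data); two benign entries included.
SAMPLE_LISTING = [
    r"C:\WINDOWS\LIFE_STAGES.TXT.SHS", r"C:\WINDOWS\SYSTEM\SCANREG.VBS",
    r"C:\WINDOWS\SYSTEM\KERNEL32.DLL", r"C:\RECYCLED\RECYCLED.VXD",
    r"D:\report_439.txt.shs", r"C:\My Documents\notes.txt",
]
```

Any hit from scan_listing is a candidate for the manual removal steps below; the benign entries in the sample are left unflagged.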


Manual Removal

1. Delete all .txt.shs files from your system.

2. Delete SCANREG.VBS, VBASET.OLB and MSINFO16.TLB from the \WINDOWS\SYSTEM directory.

3. Recover the REGEDIT.EXE file: open a command prompt and change to the \RECYCLED directory. Using the attrib command, clear the attributes of the files the worm creates there; the command is attrib -hsr recycled.vxd, and likewise for each of the other files. Copy RECYCLED.VXD to \WINDOWS\REGEDIT.EXE. Then delete the 4 files you modified.

4. Using regedit make the following modifications to the registry:

Delete the value

HKLM\Software\Microsoft\Windows\RunServices\Scanreg.

Delete the values Enable, Parameters, Path and StartUp in the key

HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps\ICQ.

Delete the value

HKLM\Software\Microsoft\Windows\CurrentVersion\OSName.

Modify the value for HKCR\regfile\DefaultIcon by replacing

C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.

Modify the value for HKCR\regfile\shell\open\command by replacing

C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.

Modify the value for HKLM\Software\CLASSES\regfile\shell\open\command by replacing

C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.

Modify the value for HKLM\Software\CLASSES\regfile\DefaultIcon by replacing

C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.
