MA-020.062000: VBS.Stages.A Worm
Original Issue Date: 21st June 2000
1.0 DESCRIPTION
1.1 Overview
This is a multi-application Internet worm designed to spread using one of four mechanisms: it takes advantage of Pirch, Outlook and mIRC, and also copies itself to available mapped drives. The worm arrives as an attachment named "LIFE_STAGES.TXT.SHS". When the attachment is executed, it opens a text file in Notepad describing the male and female stages of life. While the text file is being read, a script runs in the background to spread the worm via Outlook, ICQ, mIRC or PIRCH, or via mapped drives.
1.2 Limitation
1.2.1 The worm will only be activated once the file LIFE_STAGES.TXT.SHS is executed.
1.2.2 It requires a Windows operating system and takes advantage of installations of Pirch, Outlook, mIRC and ICQ, as well as mapped drives, to spread.
1.3 Aliases
2.0 TECHNICAL MATTERS
2.1 Installation and Functionality
This worm may arrive by email in the following format:
Subject: [P1]+[P2]+[P3]
Body: > The male and female stages of life.
Attachment: LIFE_STAGES.TXT.SHS
In the above, the subject line is variable, but limited to 12 possible combinations. P1, P2 & P3 are chosen from the respective lists below:
P1 - "FW: ", ""
P2 - "Life stages", "Funny", "Jokes"
P3 - " text", ""
Examples:
Subject = "Funny"
Subject = "FW: Jokes text"
Subject = "Life stages"
The recipients are "blind carbon copied" or "bcc". As soon as the emails are sent, the worm deletes copies of the messages so that there is no record of its presence.
Note: An SHS file is a Shell Scrap Object file. It can be anything from an authentic file to a trojan application, and it is executable. One feature of SHS files is that the .SHS extension does not appear in Windows Explorer even when the system is configured to "show all files" and "show extensions of known file types".
According to McAfee (www.nai.com), upon executing this worm, your system is modified as follows:
- extracts "LIFE_STAGES.TXT.VBS" and runs it from the temp folder.
- sends itself via MAPI email to a random number of recipients. The recipients are "blind carbon copied" or "bcc".
- moves REGEDIT.EXE from the Windows folder to the recycle bin as "RECYCLED.VXD", and modifies the registry to use this relocated file when importing or using registry type files.
- creates files of random names throughout the local system and all available drives; fixed names include the following:
c:\WINDOWS\SYSTEM\MSINFO16.TLB
c:\WINDOWS\SYSTEM\SCANREG.VBS
c:\WINDOWS\SYSTEM\VBASET.OLB
c:\RECYCLED\DBINDEX.VBS
c:\RECYCLED\MSRCYCLD.DAT
c:\RECYCLED\RCYCLDBN.DAT
c:\RECYCLED\RECYCLED.VXD (really REGEDIT.EXE)
The following are examples of random names generated:
c:\report.txt.shs
c:\My Documents\IMPORTANT.TXT.SHS
c:\WINDOWS\LIFE_STAGES.TXT.SHS
c:\WINDOWS\Start Menu\Programs\unknown_805.txt.shs
In the creation of random named SHS files, this worm uses the following algorithm to determine a name:
([Random1]+[Random2]+[Random3])+TXT+SHS.
Random1 is a selection of one of five choices:
"IMPORTANT"
"INFO"
"REPORT"
"SECRET"
"UNKNOWN"
Random2 is a selection of one of two choices:
Random3 is a randomly generated number between 0 and 999.
The combination of these three randomizations results in 10,000 possible different names.
- modifies the registry to run SCANREG.VBS at Windows startup
- modifies the registry to run DBINDEX.VBS when loading ICQ
- modifies the registry to run RECYCLED.VXD when calls are made to run REGEDIT type files
- modifies MIRC.INI to load an auxiliary script file for PIRCH/mIRC installations
- creates SOUND32B.DLL in the Windows folder, via SCANREG.VBS, whenever Windows restarts; SOUND32B.DLL is an auxiliary script file called by MIRC.INI and contains instructions to send the file LIFE_STAGES.TXT.SHS when connecting to IRC channels
- modifies the following registry settings (to recover, change these back to the original "from" settings):
HKLM\Software\CLASSES\regfile\DefaultIcon
Value "@":
from "C:\WINDOWS\regedit.exe,1"
to "C:\RECYCLED\RECYCLED.VXD,1"
HKLM\Software\CLASSES\regfile\shell\open\command
Value "@":
from "regedit.exe "%1""
to "C:\RECYCLED\RECYCLED.VXD "%1""
- creates the following registry settings (to recover, delete these keys):
HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
Parameters="C:\RECYCLED\DBINDEX.VBS"
HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
Path="C:\WINDOWS\WSCRIPT.EXE"
HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
Startup="C:\WINDOWS"
HKLM\Software\CLASSES\txtfile\
AlwaysShowExt=""
HKLM\Software\Microsoft\Windows\CurrentVersion\
OSName="Microsoft Windows"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
ScanReg="C:\WINDOWS\WSCRIPT.EXE C:\WINDOWS\SYSTEM\SCANREG.VBS"
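As an added example written from a detection standpoint (not code from the advisory, McAfee or Symantec), the Python below checks a constructed host snapshot against the random-name scheme and the fixed file and registry indicators listed above. The optional "_" in the name pattern is an assumption inferred from the examples, since the advisory does not list the Random2 choices.

```python
import re
# Fixed dropper paths named in the advisory, lower-cased for comparison.
FIXED_FILES = {
    r"c:\windows\system\msinfo16.tlb", r"c:\windows\system\scanreg.vbs",
    r"c:\windows\system\vbaset.olb", r"c:\recycled\dbindex.vbs",
    r"c:\recycled\msrcycld.dat", r"c:\recycled\rcycldbn.dat",
    r"c:\recycled\recycled.vxd",
}
# Random-name scheme: Random1 (five words) + Random2 + Random3 (0-999) + .TXT.SHS.
# Assumption: Random2 is not listed; the optional "_" is inferred from unknown_805.txt.shs.
RANDOM_NAME = re.compile(r"^(important|info|report|secret|unknown)_?\d{0,3}\.txt\.shs$", re.I)
DOUBLE_EXT = re.compile(r"\.txt\.shs$", re.I)

def classify_path(path):
    """Return a finding label for one file path, or None if nothing matches."""
    name = path.rsplit("\\", 1)[-1]
    if path.lower() in FIXED_FILES:
        return "fixed-name worm file"
    if RANDOM_NAME.match(name):
        return "worm-style random name"
    if DOUBLE_EXT.search(name):
        return "double extension .TXT.SHS"
    return None

def check_registry(reg):
    """reg maps key path -> {value name: data}; returns the advisory's registry indicators."""
    findings = []
    cmd = reg.get(r"HKLM\Software\CLASSES\regfile\shell\open\command", {}).get("@", "")
    if cmd and "regedit.exe" not in cmd.lower():
        findings.append("regfile open handler redirected to " + cmd)
    run = reg.get(r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", {})
    for name, data in run.items():
        if "scanreg.vbs" in data.lower():
            findings.append(f"RunServices value {name} runs {data}")
    icq = reg.get(r"HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ", {})
    if "dbindex.vbs" in icq.get("Parameters", "").lower():
        findings.append("ICQ Agent launches " + icq["Parameters"])
    return findings
# Constructed sample state modelled on the advisory, not captured from a real host.
SAMPLE_FILES = [r"c:\report.txt.shs", r"c:\WINDOWS\LIFE_STAGES.TXT.SHS",
                r"c:\RECYCLED\RECYCLED.VXD", r"c:\My Documents\notes.txt"]
SAMPLE_REG = {
    r"HKLM\Software\CLASSES\regfile\shell\open\command": {"@": r'C:\RECYCLED\RECYCLED.VXD "%1"'},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices":
        {"ScanReg": r"C:\WINDOWS\WSCRIPT.EXE C:\WINDOWS\SYSTEM\SCANREG.VBS"},
    r"HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ": {"Parameters": r"C:\RECYCLED\DBINDEX.VBS"},
}

def scan(files=SAMPLE_FILES, reg=SAMPLE_REG):
    file_hits = [(p, classify_path(p)) for p in files if classify_path(p)]
    return file_hits, check_registry(reg)  # (file findings, registry findings)
```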
3.0 POSSIBLE STEPS
3.1 Prevention
- DO NOT execute the attachment "LIFE_STAGES.TXT.SHS". Delete the email, including any copies in the Trash folder.
- Regularly update the virus definition file of your antivirus software and run a virus scan on the computer. This ensures that the software is able to detect the presence of a new virus. The list of known antivirus vendors can be found at http://www.mycert.mimos.my/anti-virus.htm
- Windows 95/98 users should disable "Windows Scripting Host" by following these steps:
3.2 Detection
- Modifications to the system as described in 2.1 Installation and Functionality.
- Always run a virus scan on all email attachments and any downloaded files before executing them. It is advisable to keep your antivirus software running in "Auto Protect Mode" at all times.
3.3 Removal
3.3.1 Auto Removal
Symantec (www.symantec.com) has developed a free, downloadable tool to repair the damage done by the worm. Please go to http://www.symantec.com/avcenter/venc/data/fix.vbs.stages.html
Download the tool to a folder on your hard drive and double-click it to run the tool. Additional instructions are available on the download page.
McAfee has developed a free tool to remove the registry entries created by this worm. It can be downloaded at http://download.nai.com/products/Mcafee-Avert/killstag.zip
3.3.2 Manual Removal
What follows are manual removal instructions provided by Symantec. In most cases, we recommend that you download and run the previously mentioned removal tool. If you are not able to do so at this time, or if you prefer to use the manual removal procedure, please follow, in turn, the instructions in each section.
NOTE: Due to the large number of modifications made to the system by the worm, the procedure described in this document is complex and assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a computer consultant.
Find and delete files
Please follow these steps to locate and remove some of the files that were added by the worm:
- Click Start, point to Find, and then click Files or Folders.
- Make sure that Look In is pointing to C:, or All Drives if you have more than one.
- In the Named box, type *.shs and then click Find Now.
- In the Results pane, select any .txt.shs files and then press Delete. Click Yes to confirm.
- Click New Search.
- In the Named box, type scanreg.vbs vbaset.olb msinfo16.tlb and then click Find Now.
- In the Results pane, select the files that are found (they should be in the \Windows\System folder) and then press Delete. Click Yes to confirm.
Restore the Registry Editor
The worm moves the Registry Editor to the Recycle Bin and renames it. Please follow these steps to restore it:
NOTES:
- When typing the fourth entry, if you have Windows installed to a location other than C:\Windows, make the appropriate substitution when typing the path. If you are using Windows NT, the default path is C:\Winnt.
- If you see the message "File not found," re-enter the command to make sure that it was entered correctly. If you still receive the message, go on to the next command.
- If you are prompted to overwrite files, first make sure that you have typed the command correctly and then press Y.
- Click Start, point to Programs, and then click MS-DOS Prompt.
- Type each of the following commands and press Enter after each one:
cd\
cd recycled
attrib -h -s -r *.*
copy recycled.vxd c:\windows\regedit.exe
del recycled.vxd
del msrcycld.dat
del rcycldbn.dat
del dbindex.vbs
exit
Edit the Registry
Follow these steps to undo the changes made to the Windows Registry by the worm:
WARNING:
We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document, How to Back Up the Windows 95/98/NT Registry (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617) before proceeding.
- Click Start, and click Run. The Run dialog box appears.
- Type regedit and then click OK. The Registry Editor opens.
- Navigate to the following key:
- In the right pane, locate and select the Scanreg value. Press Delete, and then click Yes to confirm.
- Navigate to the following key:
- In the right pane, locate and delete the following values:
- Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\OSName
NOTE: This may not exist on all computers.
- If it exists, press Delete, and then click Yes to confirm.
- Navigate to the following key:
- In the right pane, double-click Default.
- In the Value data box, delete the current text and then type: regedit.exe
- Click OK.
- Navigate to the following key:
- In the right pane, double-click Default.
- In the Value data box, delete the current text and then type: regedit.exe
- Click OK.
- Navigate to the following key:
- In the right pane, double-click Default.
- In the Value data box, delete the current text and then type: regedit.exe
NOTE: If you have Windows installed to a location other than C:\Windows, please make the appropriate substitution when typing the path.
- Click OK.
- Navigate to the following key:
- In the right pane, double-click Default.
- In the Value data box, delete the current text, and then type: regedit.exe
NOTE: If you have Windows installed to a location other than C:\Windows, please make the appropriate substitution when typing the path.
- Click OK.
- Exit the Registry Editor.
4.0 MORE INFORMATION
Last Update April 19, 2001