1.0 DESCRIPTION

1.1 Overview

This is a multi-application Internet worm which is designed with intent to spread using one of four spreading mechanisms. This worm takes advantage of Pirch, Outlook, mIRC, and also spreads to available mapped drives. This worm appears as an attachment named "LIFE_STAGES.TXT.SHS". When you execute the attachment, it will open a text file in notepad, describing the male and female stages of life. While reading the text file, a script runs in the background to spread the worm using Outlook, ICQ, mIRC or PIRCH or mapped drives.

1.2 Limitation

1.2.1 The worm will only be activated once the file LIFE_STAGES.TXT.SHS is executed.

1.2.2 It requires Windows operating system and it takes advantage of installations of Pirch, Outlook, mIRC, ICQ and also mapped drives to spreads.

1.3 Aliases

The worm is also known as



• IRC/Stages.worm
• I-Worm.Scrapworm
• IRC/Stages.ini
• LIFE_STAGES.TXT.SHS
• ShellScrap Worm
• VBS/LifeStages
• VBS/Stages.14558
• VBS/Stages.2542
• VBS/Stages.worm
• VBS_STAGES

2.0 TECHNICAL MATTERS

2.1 Installation and Functionality

2.1 Installation and Functionality

This worm may arrive by email in the following format:

Subject: [P1]+[P2]+[P3]
Body: > The male and female stages of life.
Attachment: LIFE_STAGES.TXT.SHS 

In the above, the subject line is variable, but limited to 12 possible combinations. P1, P2 & P3 are chosen from the respective lists below:

P1 - "FW: ", ""
P2 - "Life stages", "Funny", "Jokes"
P3 - " text", ""

Examples:

Subject = "Funny"
Subject = "FW: Jokes text"
Subject = "Life stages"

The recipients are "blind carbon copied" or "bcc". As soon as the emails are sent, the worm deletes copies of the messages so that there is no record of its presence.

Note: SHS files is a Shell Scrap Object file. They can be anything from authentic file to a trojan application and they are executable. One feature of SHS files is that the extension .SHS does not appears in Windows Explorer even though the file system is configured to "show all files" and "show extensions of known file types".

According to McAfee (www.nai.com), upon executing this worm, your system is modified as follows:

• extracts "LIFE_STAGES.TXT.VBS" and runs from the temp folder.

• sends itself via MAPI email to a random number of recipients. The recipients are "blind carbon copied" or "bcc".

• moves REGEDIT.EXE from the Windows folder to the recycle bin as "RECYCLED.VXD", modifies registry to use this relocated file when importing or using registry type files.

• creates files of random names throughout the local system and all available drives; fixed names include the following:

  c:\WINDOWS\SYSTEM\MSINFO16.TLB
  c:\WINDOWS\SYSTEM\SCANREG.VBS
  c:\WINDOWS\SYSTEM\VBASET.OLB
  c:\RECYCLED\DBINDEX.VBS
  c:\RECYCLED\MSRCYCLD.DAT
  c:\RECYCLED\RCYCLDBN.DAT
  c:\RECYCLED\RECYCLED.VXD (really REGEDIT.EXE)
  

  The following are examples of random names generated:

  c:\report.txt.shs
  c:\My Documents\IMPORTANT.TXT.SHS
  c:\WINDOWS\LIFE_STAGES.TXT.SHS
  c:\WINDOWS\Start Menu\Programs\unknown_805.txt.shs
  

  In the creation of random named SHS files, this worm uses the following algorithm to determine a name:

  ([Random1]+[Random2]+[Random3])+TXT+SHS.
  
  

  Random1 is a selection of one of five choices:

  "IMPORTANT"
  "INFO"
  "REPORT"
  "SECRET"
  "UNKNOWN"
  

  Random2 is a selection of one of two choices:

  "-"
  "_"
  

  Random3 is a randomly generated number between 0 and 999.

  The combination of these three randomizations results in 10,000 possible different names.

• modifies the registry to run SCANREG.VBS at Windows startup

• modifies the registry to run DBINDEX.VBS when loading ICQ

• modifies the registry to run RECYCLED.VXD when calls are made to run REGEDIT type files

• modifies MIRC.INI to load an auxiliary script file for PIRCH/mIRC installations

• creates SOUND32B.DLL whenever Windows restarts in the Windows folder via SCANREG.VBS; SOUND32B.DLL is an auxiliary script file called by MIRC.INI; SOUND32B.DLL contains instructions to send the file LIFE_STAGES.TXT.SHS when connecting to IRC channels

• modifies the following registry settings (to recover, modify these to original "from" settings):

  HKLM\Software\CLASSES\regfile\DefaultIcon
  Value "@":
  from "C:\WINDOWS\regedit.exe,1"
  to "C:\RECYCLED\RECYCLED.VXD,1"
  
  HKLM\Software\CLASSES\regfile\shell\open\command
  Value "@":
  from "regedit.exe "%1""
  to "C:\RECYCLED\RECYCLED.VXD "%1""
  
  

• creates the following registry settings (to recover, delete these keys):

  HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
  Parameters="C:\RECYCLED\DBINDEX.VBS"
  
  HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
  Path="C:\WINDOWS\WSCRIPT.EXE"
  
  HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
  Startup="C:\WINDOWS"
  
  HKLM\Software\CLASSES\txtfile\
  AlwaysShowExt=""
  
  HKLM\Software\Microsoft\Windows\CurrentVersion\
  OSName="Microsoft Windows"
  
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
  ScanReg="C:\WINDOWS\WSCRIPT.EXE C:\WINDOWS\SYSTEM\SCANREG.VBS"
  
  

3.0 POSSIBLE STEPS

3.1 Prevention

• DO NOT execute the attachment " LIFE_STAGES.TXT.SHS ". Delete the email including those that are sent to the Trash folder.

• Regularly update the virus definition file of your antivirus software and run a virus scan on the computer. This is to ensure that the software is able to detect the presence of a new virus. The list of known antivirus vendor can be found at http://www.mycert.mimos.my/anti-virus.htm

• For Windows 95/98 users, you should disable "Windows Scripting Host" by following these steps:

  • Go to Start --> Control Panel --> Add/Remove --> Windows Setup --> Accessories

  • Remove the check on "Windows Scripting Host"

3.2 Detection

• Modification to the system as described in 2.2 Installation and Functionality.

• Always run a virus scan on all email attachments and any downloadable files before executing it. It is advisable that your antivirus software is running in "Auto Protect Mode" all the time.

3.3 Removal

3.3.1 Auto Removal

Symantec (www.symantec.com) has developed a free, downloadable tool to repair the damage done by the worm. Please go to http://www.symantec.com/avcenter/venc/data/fix.vbs.stages.html

Download the tool to a folder on your hard drive and double-click it to run the tool. Additions instructions are available on the download page.

McAfee has developed a free tool to removes registry entries created by this worm. It can be downloaded at http://download.nai.com/products/Mcafee-Avert/killstag.zip

3.3.2 Manual Removal

What follows are manual removal instructions provided by Symantec. In most cases, we recommend that you download and run the previously mentioned removal tool. If you are not able to do so at this time, or if you prefer to use the manual removal procedure, please follow, in turn, the instructions in each section.

NOTE: Due to the large number of modifications made to the system by the worm, the procedure described in this document is complex and assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a computer consultant.

Find and delete files
Please follow these steps to locate and remove some of the files that were added by the worm:

1. Click Start, point to Find, and then click Files or Folders.

2. Make sure that Look In is pointing to C:, or All Drives if you have more than one.

3. In the Named box, type *.shs and then click Find Now.

4. In the Results pane, select any .txt.shs files and then press Delete. Click Yes to confirm.

5. Click New Search.

6. In the Named box, type scanreg.vbs vbaset.olb msinfo16.tlb and then click Find Now.

7. In the Results pane, select the files that are found--they should be in the \Windows\System folder--and press then Delete. Click Yes to confirm.

Restore the Registry Editor
The worm moves the Registry Editor to the Recycle Bin and renames it. Please follow these steps to restore it:



NOTES:

• When typing the fourth entry, if you have Windows installed to a location other that C:\Windows. Please make the appropriate substitution when typing the path. If you are using Windows NT, the default path is C:\Winnt.

• If you see the message "File not found," reenter the command to make sure that it was entered correctly. If you still receive the message, go on to the next command.

• If you are prompted to overwrite files, first make sure that you have typed the command correctly and then press Y.

  1. Click Start, point to Programs, and then click MS-DOS Prompt.

  2. Type each of the following commands and press Enter after each one:

     cd\
     cd recycled
     attrib -h -s -r *.*
     copy recycled.vxd c:\windows\regedit.exe
     del recycled.vxd
     del msrcycld.dat
     del rcycldbn.dat
     del dbindex.vbs
     exit
     

Edit the Registry
Follow these steps to undo the changes made to the Windows Registry by the worm:

WARNING:
We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document, How to Back Up the Windows 95/98/NT Registry (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617) before proceeding.

1. Click Start, and click Run. The Run dialog box appears.

2. Type regedit and then click OK. The Registry Editor opens.

3. Navigate to the following key:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

4. In the right pane, locate and select the Scanreg value. Press Delete, and then click Yes to confirm.

5. Navigate to the following key:

   HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps\ICQ

6. In the right pane, locate and delete the following values:

   Enable
   Parameters
   Path
   StartUp

7. Navigate to and select the following key:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\OSName

   NOTE: This may not exist on all computers.

8. If it exists, press Delete, and then click Yes to confirm.

9. Navigate to the following key:

   HKEY_LOCAL_MACHINE\Software\Classes\regfile\shell\open\command

10. In the right pane, double-click Default.

11. In the Value data box, delete the current text and then type: regedit.exe

12. Click OK.

13. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Classes\regfile\DefaultIcon

14. In the right pane, double-click Default.

15. In the Value data box, delete the current text and then type: regedit.exe

16. Click OK.

17. Navigate to the following key:

    HKEY_CLASSES_ROOT\regfile\DefaultIcon

18. In the right pane, double-click Default.

19. In the Value data box, delete the current text and then type: regedit.exe

    NOTE: If you have Windows installed to a location other than C:\Windows. please make the appropriate substitution when typing the path.

20. Click OK.

21. Navigate to the following key:

    HKEY_CLASSES_ROOT\regfile\shell\open\command

22. In the right pane, double-click Default.

23. In the Value data box, delete the current text, and then type: regedit.exe

    NOTE: If you have Windows installed to a location other than C:\Windows then please make the appropriate substitution when typing the path.

24. Click OK.

25. Exit the registry Editor.

4.0 MORE INFORMATION

To obtain more information on this virus, please refer to the following site :

4.1 DataFellows
http://europe.datafellows.com/v-descs/stages.htm

4.2 Network Associates
http://vil.nai.com/villib/dispvirus.asp?virus_k=98668

4.3 Symantec Antivirus Research Center
http://www.symantec.com/avcenter/venc/data/vbs.stages.a.html

4.4 Trendmicro
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_STAGES.A