Stages
 
Profile

Virus Name
IRC/Stages.worm

Aliases
I-Worm.Scrapworm
IRC/Stages.ini
LIFE_STAGES.TXT.SHS
ShellScrap Worm
VBS/LifeStages
VBS/Stages.14558
VBS/Stages.2542
VBS/Stages.worm
VBS_STAGES

Variants
None

Description Added
5/30/00

Virus Information
 
 Discovery Date:5/26/00
 Origin:MAPI & IRC
 Length:39,936
 Type:Virus
 SubType:WinScript
 Risk Assessment:Medium
 Minimum Engine:4.0.50
 Minimum Dat:4082
 DAT Release Date:6/14/00

Virus Characteristics
*Update - June 18,2000:
AVERT has received samples from customers which indicates this Internet worm is now in the wild.

This is a multi-application Internet worm which is designed with intent to spread using one of four spreading mechanisms. This worm takes advantage of installations of Pirch, Outlook, mIRC, and also spreads to available mapped drives.

This Internet worm was first announced on the author's website and has not been seen at a customer site as of this description posting.

This worm may arrive by email in the following format:

Subject: Funny
Body: > The male and female stages of life.
Attachment: LIFE_STAGES.TXT.SHS

The attachment is 39,936 bytes and is a Shell Scrap Object file. These files are the most unpredictable file type of all, since they can be anything from an authentic file to a trojan application. In this case, the file cannot be trusted.

An interesting feature of SHS files is that the extension remains hidden, even though the operating system is set to show file extensions. This helps to confuse the user into believing the file is really of .TXT file type. Double-clicking on the file will install this Internet worm in an interesting manner.

This SHS worm does contain content which is displayed while it installs itself to the local host. The following text file is shown:

---------copy of displayed text--------
- The male stages of life:

Age. Seduction lines.
17 My parents are away for the weekend.
25 My girlfriend is away for the weekend.
35 My fiancee is away for the weekend.
48 My wife is away for the weekend.
66 My second wife is dead.

Age. Favorite sport.
17 Sex.
25 Sex.
35 Sex.
48 Sex.
66 Napping.

Age. Definiton of a successful date.
17 Tongue.
25 Breakfast.
35 She didn't set back my therapy.
48 I didn't have to meet her kids.
66 Got home alive.

- The female stages of life:

Age. Favourite fantasy.
17 Tall, dark and hansome.
25 Tall, dark and hansome with money.
35 Tall, dark and hansome with money and a brain.
48 A man with hair.
66 A man.

Age. Ideal date.
17 He offers to pay.
25 He pays.
35 He cooks breakfast next morning.
48 He cooks breakfast next morning for the kids.
66 He can chew his breakfast.
---------copy of displayed text--------

One significance of this exploitation of SHS files is that it raises awareness to the fact that the extension is not shown, even if a system is configured to "show all files" and "show extensions of known file types".

This is due to a registry entry for Shell Scrap file types:

HKEY_CLASSES_ROOT\ShellScrap
"NeverShowExt"="0"

Users can change this by renaming the entry above from "NeverShowExt" to "AlwaysShowExt". Users can even delete the entry. Once it is modified, user must log off and log back into Windows for the change to take effect.

Symptoms
Existence of the files mentioned below. Email propagation as mentioned below. IRC channel propagation as mentioned below. Deletion of the file REGEDIT.EXE. Creation of files in the recycle bin as mentioned below.

*Due to the creation of files in the Recycle Bin by this worm, it will be necessary to remove Recycle Bin listing from the exclusion list in VirusScan. Also SCAN ALL files.*

If the Recycle Bin is emptied, the file REGEDIT (RECYCLED.VXD) will be removed (see below for file creations by this Internet worm). Obtain a copy of REGEDIT.EXE from a non-infected system and place in the Windows folder. Additional registry settings will require adjusting.

Method Of Infection
If the file "LIFE_STAGES.TXT.SHS" is run, the following will occur on the local system:

* moves REGEDIT.EXE from the Windows folder to the recycle bin as "RECYCLED.VXD", modifies registry to use this relocated file when importing or using registry type files

* creates files of random names throughout the local system and all available drives; fixed names include the following:
c:\WINDOWS\[machine name].acl
c:\WINDOWS\SYSTEM\MSINFO16.TLB
c:\WINDOWS\SYSTEM\SCANREG.VBS
c:\WINDOWS\SYSTEM\VBASET.OLB
c:\RECYCLED\DBINDEX.VBS
c:\RECYCLED\MSRCYCLD.DAT
c:\RECYCLED\RCYCLDBN.DAT
c:\RECYCLED\RECYCLED.VXD (really REGEDIT.EXE)

The following are examples of random names generated:
c:\report.txt.shs
c:\My Documents\IMPORTANT.TXT.SHS
c:\WINDOWS\LIFE_STAGES.TXT.SHS
c:\WINDOWS\Start Menu\Programs\unknown_805.txt.shs
In the creation of random named SHS files, this worm uses the following algorithm to determine a name:

([Random1]+[Random2]+[Random3])+TXT+SHS.

Random1 is a selection of one of five choices:
"IMPORTANT"
"INFO"
"REPORT"
"SECRET"
"UNKNOWN"

Random2 is a selection of one of two choices:
"-"
"_"

Random3 is a randomly generated number between 0 and 999.
The combination of these three randomizations results in 10,000 possible different names.

* modifies the registry to run SCANREG.VBS at Windows startup

* modifies the registry to run DBINDEX.VBS when loading ICQ

* modifies the registry to run RECYCLED.VXD when calls are made to run REGEDIT type files

* modifies MIRC.INI to load an auxiliary script file for PIRCH/mIRC installations

* creates SOUND32B.DLL whenever Windows restarts in the Windows folder via SCANREG.VBS; SOUND32B.DLL is an auxiliary script file called by MIRC.INI; SOUND32B.DLL contains instructions to send the file LIFE_STAGES.TXT.SHS when connecting to IRC channels

* modifies the following registry settings (to recover, modify these to original "from" settings):

HKLM\Software\CLASSES\regfile\DefaultIcon
Value "@":
from "C:\WINDOWS\regedit.exe,1"
to "C:\RECYCLED\RECYCLED.VXD,1"

HKLM\Software\CLASSES\regfile\shell\open\command
Value "@":
from "regedit.exe "%1""
to "C:\RECYCLED\RECYCLED.VXD "%1""

* creates the following registry settings (to recover, delete these keys):

HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
Parameters="C:\RECYCLED\DBINDEX.VBS"

HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
Path="C:\WINDOWS\WSCRIPT.EXE"

HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
Startup="C:\WINDOWS"

HKLM\Software\CLASSES\txtfile\
AlwaysShowExt=""

HKLM\Software\Microsoft\Windows\CurrentVersion\
OSName="Microsoft Windows"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
ScanReg="C:\WINDOWS\WSCRIPT.EXE C:\WINDOWS\SYSTEM\SCANREG.VBS"

--------Special Notes-----------
One significance of this exploitation of SHS files is that it raises awareness to the fact that the extension is not shown, even if a system is configured to "show all files" and "show extensions of known file types".

This is due to a registry entry for Shell Scrap file types:

HKEY_CLASSES_ROOT\ShellScrap
"NeverShowExt"="0"

Users can change this by renaming the entry above from "NeverShowExt" to "AlwaysShowExt". Users can even delete the entry. Once it is modified, user must log off and log back into Windows for the change to take effect.

Removal Instructions
Script,Batch,Macro and non memory-resident:
Use specified engine and DAT files for detection and removal.

Note1- Microsoft has released an update for Outlook as an email attachment security update. For a list of attachments blocked and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

Note2- It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

PE,Trojan,Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use an emergency boot diskette and use the command line scanner such as "SCANPM C: /CLEAN /ALL"