New 'Stages' worm hits Australian corporates

13 October 2000 03:01 PM

A new computer worm, rated in the same danger category as the 'Love letter' bug, has infested at least five Australian corporations, including a law firm.

The Visual Basic worm, called VBS/Stages, disguises itself as a text file containing a joke about differences between men and women.

The worm was first rated as a medium threat by anti-virus companies, but with increasing spread, has been upgraded by Symantec to a category 4 alert -- the same rating given to the notorious 'Love' and its children. Similarly, this worm has the potential to swamp e-mail systems.

Sydney law firm Mallesons Stephen Jaques discovered the worm this morning. "Our internal tech team detected the (worm) this morning and they are in the process of cleaning the mail system to remove it," Mallesons Stephen Jaques spokesman Dale Bryce told ZDNet Australia. "The guys (the IT department) are saying that it will be up and running in a couple of hours."

"A small number of (desktop) machines were infected with the virus," however the "business of the law firm has not been affected," Bryce said.

Anti-virus company Symantec is aware of two unnamed corporate customers afflicted by VBS/Stages today. One company, with 1500 users, had the worm spread throughout systems this morning. Meanwhile Trend Micro has received three confirmed reports of the worm in Australia.

VBS/Stages uses the Windows Scrap file and Microsoft Outlook to spread from inbox to inbox. It also uses Internet Relay Chat programs Pirch and mIRC to spread. The worm uses the file extension .shs, unlike the Love's .vbs hallmark that many corporate e-mail servers now block.

While spawning in Outlook, VBS/Stages changes its name, so it's harder to track. It copies itself to local and network drives and changes Windows settings and the Windows Registry Editor.

Although the worm has not spread as rapidly as Love, the threat is "starting to get a lot bigger," according to Symantec's Australian spokesman David Green. "It could potentially spread quite rapidly. Most corporations have blocked the .vbs extension of the love letter worm, but won't have blocked this one."

It's a "very good disguise", according to Trend Micro spokesman Andy Liou. "People aren't virus scanning the extension because of its unique message extension. Microsoft software hides the .shs extension."

Four incidents of VBS/Stages had been reported by major US corporations over the weekend. It has also been reported in India and the Philippines.
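The gap described above, where gateways blocked .vbs but not .shs and Windows hides the .shs extension, can be closed by judging each attachment on its final extension. The following is an added example, not part of the original article: the blocklist, decoy set, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy

BLOCKED = {".shs", ".vbs"}          # the two extensions named in the article
DECOYS = {".txt", ".doc", ".jpg"}   # assumed "looks harmless" set for this demo

def classify(filename):
    """Return a reason string if the attachment name should be quarantined, else None."""
    # Windows drops trailing dots and spaces, so "x.shs." still opens as .shs.
    name = (filename or "").strip().rstrip(". ").lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in BLOCKED:
        return None
    inner = "." + parts[-2] if len(parts) > 2 else ""
    if inner in DECOYS:
        return f"{ext} disguised as {inner}"
    return f"blocked extension {ext}"

def check_attachments(raw_message):
    """Return [(filename, reason)] for every flagged MIME part."""
    msg = message_from_string(raw_message, policy=policy.default)
    names = [part.get_filename() for part in msg.walk()]
    return [(n, classify(n)) for n in names if classify(n)]

# Constructed sample message (not a real capture of the worm).
SAMPLE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Read the attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="JOKE.TXT.SHS"

placeholder
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

plain notes
--b1--
"""

if __name__ == "__main__":
    for name, reason in check_attachments(SAMPLE):
        print(f"QUARANTINE {name}: {reason}")
```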
