Stages Is A New Type Of Worm

13 October 2000 03:01 PM

This worm uses a little-known Windows Scrap Object (SHS) extension to deliver its payload via your Outlook e-mail or chat tools.

This worm arrives as an attachment named LIFE_STAGES.TXT.SHS. Opening the attachment displays a text file in Notepad describing the male and female stages of life; while the user is reading it, the worm's script runs in the background. The worm spreads through Outlook, ICQ, mIRC and PIRCH. SARC suggests that corporate customers configure their email filtering systems to filter out or block all incoming emails carrying attachments with .SHS extensions.

Also known as: IRC/Stages.worm, Life_Stages Worm
Category: Worm
Infection length: 39,936 bytes
Virus definitions: Certified definitions pending.

Wild

  • Number of infections: 0-49
  • Number of sites: 0-2
  • Geographical distribution: Low
  • Threat containment: Easy
  • Removal: Difficult

Damage

  • Payload trigger: Execution of the LIFE_STAGES.TXT.SHS attachment
  • Payload: Large-scale e-mailing: Sends mail to the entire MS Outlook address book
  • Modifies files: System registry, Regedit.exe
  • Causes system instability: Could overload mail servers

Distribution

  • Subject of e-mail: There are 12 possibilities for the subject of the email
  • Name of attachment: LIFE_STAGES.TXT.SHS
  • Shared drives: Copies itself to mapped drives

Technical Description
An SHS file is a Microsoft Scrap Object file. These types of files are executable and can contain a wide variety of objects. The scrap object (SHS) extension does not appear in Windows Explorer even if all file extensions are displayed.

Upon executing this worm, your system is modified in many different ways:

  • SCANREG.VBS, VBASET.OLB and MSINFO16.TLB are created in the \WINDOWS\SYSTEM directory.

  • The registry key HKLM/Software/Microsoft/Windows/CurrentVersion/RunServices/ScanReg is added to run the SCANREG.VBS file upon startup.

  • LIFE_STAGES.TXT.SHS is created in the \WINDOWS directory.

  • A randomly named file of the form Rand1+Rand2+Rand3.txt.shs, where Rand1 is one of IMPORTANT, INFO, REPORT, SECRET or UNKNOWN, Rand2 is "-" or "_", and Rand3 is a random number between 1 and 1000, is created in the root directory of every mapped drive, in \My Documents and in \WINDOWS\START MENU\PROGRAMS. Examples are report_439.txt.shs and IMPORTANT-707.TXT.SHS.

  • The file regedit.exe is moved into the Recycle Bin as a hidden system file named RECYCLED.VXD.

  • MSRCYCLD.DAT, RCYCLDBN.DAT and DBINDEX.VBS are created in the Recycle Bin as hidden system files. MSRCYCLD.DAT is a copy of the original SHS file. RCYCLDBN.DAT is a copy of the SCANREG.VBS file. DBINDEX.VBS is set to be executed when ICQ is run.

  • The script for mIRC is modified to call the file SOUND32B.DLL which causes the worm to spread through mIRC and PIRCH.

The worm sends an email to every address listed in your MS Outlook address book. The email carries the LIFE_STAGES.TXT.SHS attachment. The subject is chosen at random from twelve possible strings: it may or may not begin with "Fw:", it contains one of "Life stages", "Funny" or "Jokes", and it may or may not be followed by "text". Examples are "Fw: Life stages", "Jokes text" and "Fw: Funny text". The worm deletes its copies of the emails immediately after they are sent to ensure there is no record of its presence.
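As an added example (not part of the original advisory), the following Python mail-gateway filter encodes the indicators described above: the worm's attachment names from the technical description, the twelve possible subject lines, and the blanket .SHS attachment filter SARC recommends. The action labels and the sample messages are constructed for illustration.

```python
import re

# Filenames the advisory attributes to the worm: LIFE_STAGES.TXT.SHS and the
# Rand1+Rand2+Rand3.txt.shs droppers (Rand1 from a fixed word list, Rand2 "-"
# or "_", Rand3 a number 1..1000). Windows filenames are case-insensitive.
DROPPER_RE = re.compile(
    r"^(?:LIFE_STAGES|(?:IMPORTANT|INFO|REPORT|SECRET|UNKNOWN)[-_]"
    r"(?:[1-9][0-9]{0,2}|1000))\.TXT\.SHS$",
    re.IGNORECASE,
)

# The twelve subjects: optional "Fw: ", one of three phrases, optional " text".
PHRASES = ("Life stages", "Funny", "Jokes")
SUBJECT_RE = re.compile(r"^(?:Fw: )?(?:Life stages|Funny|Jokes)(?: text)?$")

def all_subjects():
    """Enumerate every subject line the worm can generate (2 x 3 x 2 = 12)."""
    return [f"{fw}{p}{t}" for fw in ("", "Fw: ") for p in PHRASES for t in ("", " text")]

def classify_attachment(name):
    """'stages' for a known worm filename, 'shs' for any other scrap object
    (the blanket filter the advisory recommends), otherwise 'ok'."""
    if DROPPER_RE.match(name):
        return "stages"
    if name.lower().endswith(".shs"):
        return "shs"
    return "ok"

def is_stages_subject(subject):
    return SUBJECT_RE.match(subject.strip()) is not None

def triage(subject, attachments):
    """Gateway decision for one message: block every .SHS attachment, and
    name the worm when the filename or the subject also matches its pattern."""
    kinds = {classify_attachment(a) for a in attachments}
    if "stages" in kinds or ("shs" in kinds and is_stages_subject(subject)):
        return ("block", "Stages worm signature")
    if "shs" in kinds:
        return ("block", "scrap object (.SHS) attachment")
    return ("deliver", "")

# Constructed sample messages (not real captures) covering the three outcomes.
SAMPLE_MESSAGES = [
    ("Fw: Funny text", ["LIFE_STAGES.TXT.SHS"]),
    ("Q3 report", ["notes.shs"]),
    ("Q3 report", ["report.xls"]),
]

def scan(messages=SAMPLE_MESSAGES):
    return [triage(subject, atts) for subject, atts in messages]
```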

How To Remove The Stages Worm
You must delete all .txt.shs files from your system. Also delete SCANREG.VBS, VBASET.OLB and MSINFO16.TLB from the \WINDOWS\SYSTEM directory. You will then need to restore the registry using regedit, which the worm has moved. To do this, first open a command prompt and change to the \RECYCLED directory. Using the attrib command, clear the hidden, system and read-only attributes on each file the worm created there; the command is attrib -hsr recycled.vxd, and likewise for each of the other files. Copy RECYCLED.VXD to \WINDOWS\REGEDIT.EXE and then delete the four files you modified.

Using regedit make the following modifications to the registry:

  • Delete the value HKLM/Software/Microsoft/Windows/RunServices/Scanreg.

  • Delete the values Enable, Parameters, Path and StartUp in the key HKEY_USERS/.Default/Software/Mirabilis/ICQ/Agent/Apps/ICQ.

  • Delete the value HKLM/Software/Microsoft/Windows/CurrentVersion/OSName.

  • Modify the value for HKCR/regfile/DefaultIcon by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.

  • Modify the value for HKCR/regfile/shell/open/command by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.

  • Modify the value for HKLM/Software/CLASSES/regfile/shell/open/command by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.

  • Modify the value for HKLM/Software/CLASSES/regfile/DefaultIcon by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.