Classification

Category :

Malware

Type :

Worm

Aliases :

Stages, I-Worm.Scrapworm, IRC/Stages.worm, Life_Stages Worm

Summary

VBS/Stages is a Visual Basic Script worm. It mass mails itself as an email attachment which has an SHS-extension.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The emails sent by the worm look like this:

From: name-of-the-infected-user

 To: random-name-from-address-book

 Subject: (Random subject)

 Body: (Random body)

 Attachment: LIFE_STAGES.TXT.SHS

The size of the attachment is always 39936 bytes. The SHS-extension is not visible, even if Windows Explorer properties have been set to show all filename extensions.The worm uses one of the following texts as a subject of the message:

Life Stages

 Funny

 Jokes

It might add either "Fw:" or "text" to the beginning or to the end of the subject, respectively.The body of the message is random, too. It may contain the following text:

> The male and female stages of life.

VBS/Stages can spread via mIRC and Pirch chat clients as well. It replaces configuration (".ini") files for these IRC clients to spread itself when the infected user joins a channel.When the file attachment is opened, the worm shows the following text:

- The male stages of life:

 Age. Seduction lines.

 17
 My parents are away for the weekend.

 25
 My girlfriend is away for the weekend.

 35
 My fiancee is away for the weekend.

 48
 My wife is away for the weekend.

 66
 My second wife is dead.

 Age. Favorite sport.

 17
 Sex.

 25
 Sex.

 35
 Sex.

 48
 Sex.

 66
 Napping.

 Age. Definiton of a successful date.

 17
 Tongue.

 25
 Breakfast.

 35
 She didn't set back my therapy.

 48
 I didn't have to meet her kids.

 66
 Got home alive.

 - The female stages of life:

 Age. Favourite fantasy.

 17
 Tall, dark and hansome.

 25
 Tall, dark and hansome with money.

 35
 Tall, dark and hansome with money and a brain.

 48
 A man with hair.

 66
 A man.

 Age. Ideal date.

 17
 He offers to pay.

 25
 He pays.

 35
 He cooks breakfast next morning.

 48
 He cooks breakfast next morning for the kids.

 66
 He can chew his breakfast.

It copies itself to the Windows directory with the name "LIFE_STAGES.TXT.SHS". Then it creates the following files into the Windows System directory:

MSINFO16.TLB

 SCANREG.VBS

 VBASET.OLB

And the following files into the Recycled directory:

DBINDEX.VBS

 MSRCYCLD.DAT

 RCYCLDBN.DAT

 RECYCLED.VXD

The worm creates files with random names. The names are have one of the strings below, followed by a line ("-") or an underline ("_") and a random number between 0 - 999.

IMPORTANT

 INFO

 REPORT

 SECRET

 UNKNOWN

The file extension is always ".TXT.SHS". For example, the name of the file can be "UNKNOWN-123.TXT.SHS" or "IMPORTANT_432.TXT.SHS". These files are created to the root directory, "My Documents" and "Windows\Start Menu\Programs" directories in every mapped network drive.Furthermore, the worm modifies the association of ".REG" files to point to the copy of "REGEDIT.EXE" that it has created to the Recycled directory as "RECYCLED.VXD". The original "REGEDIT.EXE" is deleted from the Windows directory.VBS/Stages.A makes modifications to the Windows registry. It adds the following key, so it will be executed when the system is restarted:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ScanReg

In addition, it changes Windows configuration in such a way that the extension of ".TXT" files is always displayed - regardless of the Windows Explorer configuration.This worm was found in early June, 2000. It started to spread globally later during the same month.Manual disinfection can be done by following the steps below. Note that these instructions assume that you have Windows installed to "C:\Windows". If you have Windows installed to any other location, please change the path.

- Delete the following files from the Windows system directory
 MSINFO16.TLB, SCANREG.VBS and VBASET.OLB

 - Delete the following files from the Recycled directory
 DBINDEX.VBS, MSRCYCLD.DAT, RCYCLDBN.DAT

 - Unhide and move "RECYCLED.VXD" to the Windows directory and rename it as "REGEDIT.EXE". This can be done from the command prompt with the following commands:
 attrib -h -s -r c:\recycled\recycled.vxd
 move c:\recycled\recycled.vxd c:\windows\regedit.exe

 - Restore the association of .reg files by changing the registry:
 HKEY_CLASSES_ROOT\regfile\DefaultIcon\(Default) = "C:\Windows\regedit.exe,1"
 HKEY_CLASSES_ROOT\regfile\shell\open\command = "regedit.exe %1"

 - Remove the autostart registry entry
 HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ScanReg

Make sure F-Secure Anti-Virus is configured to scan files with the SHS extension, otherwise this virus might be missed. This setting has been set as default in FSAV since late 1999.