F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : Stages





NAME:Stages
ALIAS:I-Worm.Scrapworm, IRC/Stages.worm
ALIAS:Life_Stages Worm

VBS/Stages is a Visual Basic Script worm. It mass mails itself as an e-mail attachment which has an SHS-extension.

The e-mails sent by the worm look like this: 

    From: name-of-the-infected-user
    To: random-name-from-address-book
    Subject: (Random subject)
    Body: (Random body)
    Attachment: LIFE_STAGES.TXT.SHS

The size of the attachment is always 39936 bytes. The SHS-extension is not visible, even if Windows Explorer properties have been set to show all filename extensions.

The worm uses one of the following texts as a subject of the message: 

    Life Stages
    Funny
    Jokes

It might add either "Fw:" or "text" to the beginning or to the end of the subject, respectively.

The body of the message is random, too. It may contain the following text: 

    > The male and female stages of life.

VBS/Stages can spread via mIRC and Pirch chat clients as well. It replaces configuration (".ini") files for these IRC clients to spread itself when the infected user joins a channel.

When the file attachment is opened, the worm shows the following text: 

    - The male stages of life:


    Age. Seduction lines.
    17   My parents are away for the weekend.
    25   My girlfriend is away for the weekend.
    35   My fiancee is away for the weekend.
    48   My wife is away for the weekend.
    66   My second wife is dead.


    Age. Favorite sport.
    17   Sex.
    25   Sex.
    35   Sex.
    48   Sex.
    66   Napping.


    Age. Definiton of a successful date.
    17   Tongue.
    25   Breakfast.
    35   She didn't set back my therapy.
    48   I didn't have to meet her kids.
    66   Got home alive.


    - The female stages of life:


    Age. Favourite fantasy.
    17   Tall, dark and hansome.
    25   Tall, dark and hansome with money.
    35   Tall, dark and hansome with money and a brain.
    48   A man with hair.
    66   A man.


    Age. Ideal date.
    17   He offers to pay.
    25   He pays.
    35   He cooks breakfast next morning.
    48   He cooks breakfast next morning for the kids.
    66   He can chew his breakfast.

It copies itself to the Windows directory with the name "LIFE_STAGES.TXT.SHS". Then it creates the following files into the Windows System directory: 

    MSINFO16.TLB
    SCANREG.VBS
    VBASET.OLB

And the following files into the Recycled directory: 

    DBINDEX.VBS
    MSRCYCLD.DAT
    RCYCLDBN.DAT
    RECYCLED.VXD

The worm creates files with random names. The names are have one of the strings below, followed by a line ("-") or an underline ("_") and a random number between 0 - 999. 

    IMPORTANT
    INFO
    REPORT
    SECRET
    UNKNOWN

The file extension is always ".TXT.SHS". For example, the name of the file can be "UNKNOWN-123.TXT.SHS" or "IMPORTANT_432.TXT.SHS". These files are created to the root directory, "My Documents" and "Windows\Start Menu\Programs" directories in every mapped network drive.

Furthermore, the worm modifies the association of ".REG" files to point to the copy of "REGEDIT.EXE" that it has created to the Recycled directory as "RECYCLED.VXD". The original "REGEDIT.EXE" is deleted from the Windows directory.

VBS/Stages.A makes modifications to the Windows registry. It adds the following key, so it will be executed when the system is restarted: 

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ScanReg

In addition, it changes Windows configuration in such a way that the extension of ".TXT" files is always displayed - regardless of the Windows Explorer configuration.

This worm was found in early June, 2000. It started to spread globally later during the same month.

Manual disinfection can be done by following the steps below. Note that these instructions assume that you have Windows installed to "C:\Windows". If you have Windows installed to any other location, please change the path. 

    - Delete the following files from the Windows system directory
        MSINFO16.TLB, SCANREG.VBS and VBASET.OLB


    - Delete the following files from the Recycled directory
        DBINDEX.VBS, MSRCYCLD.DAT, RCYCLDBN.DAT


    - Unhide and move "RECYCLED.VXD" to the Windows directory and
      rename it as "REGEDIT.EXE". This can be done from the
      command prompt with the following commands:


        attrib -h -s -r c:\recycled\recycled.vxd
        move c:\recycled\recycled.vxd c:\windows\regedit.exe


    - Restore the association of .reg files by changing the registry:


        HKEY_CLASSES_ROOT\regfile\DefaultIcon\(Default) = "C:\Windows\regedit.exe,1"
        HKEY_CLASSES_ROOT\regfile\shell\open\command = "regedit.exe %1"


    - Remove the autostart registry entry


        HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ScanReg

Make sure F-Secure Anti-Virus is configured to scan files with the SHS extension, otherwise this virus might be missed. This setting has been set as default in FSAV since late 1999.

[Analysis: Katrin Tocheva, Mikko Hypponen and Sami Rautiainen, F-Secure]