VBS/Stages is a Visual Basic Script worm. It mass mails itself as an e-mail attachment which has an SHS-extension.
Disinfection & Removal
The e-mails sent by the worm look like this:
From: name-of-the-infected-user To: random-name-from-address-book Subject: (Random subject) Body: (Random body) Attachment: LIFE_STAGES.TXT.SHS
The size of the attachment is always 39936 bytes. The SHS-extension is not visible, even if Windows Explorer properties have been set to show all filename extensions.The worm uses one of the following texts as a subject of the message:
Life Stages Funny Jokes
It might add either "Fw:" or "text" to the beginning or to the end of the subject, respectively.The body of the message is random, too. It may contain the following text:
> The male and female stages of life.
VBS/Stages can spread via mIRC and Pirch chat clients as well. It replaces configuration (".ini") files for these IRC clients to spread itself when the infected user joins a channel.When the file attachment is opened, the worm shows the following text:
- The male stages of life: Age. Seduction lines. 17 My parents are away for the weekend. 25 My girlfriend is away for the weekend. 35 My fiancee is away for the weekend. 48 My wife is away for the weekend. 66 My second wife is dead. Age. Favorite sport. 17 Sex. 25 Sex. 35 Sex. 48 Sex. 66 Napping. Age. Definiton of a successful date. 17 Tongue. 25 Breakfast. 35 She didn't set back my therapy. 48 I didn't have to meet her kids. 66 Got home alive. - The female stages of life: Age. Favourite fantasy. 17 Tall, dark and hansome. 25 Tall, dark and hansome with money. 35 Tall, dark and hansome with money and a brain. 48 A man with hair. 66 A man. Age. Ideal date. 17 He offers to pay. 25 He pays. 35 He cooks breakfast next morning. 48 He cooks breakfast next morning for the kids. 66 He can chew his breakfast.
It copies itself to the Windows directory with the name "LIFE_STAGES.TXT.SHS". Then it creates the following files into the Windows System directory:
MSINFO16.TLB SCANREG.VBS VBASET.OLB
And the following files into the Recycled directory:
DBINDEX.VBS MSRCYCLD.DAT RCYCLDBN.DAT RECYCLED.VXD
The worm creates files with random names. The names are have one of the strings below, followed by a line ("-") or an underline ("_") and a random number between 0 - 999.
IMPORTANT INFO REPORT SECRET UNKNOWN
The file extension is always ".TXT.SHS". For example, the name of the file can be "UNKNOWN-123.TXT.SHS" or "IMPORTANT_432.TXT.SHS". These files are created to the root directory, "My Documents" and "Windows\Start Menu\Programs" directories in every mapped network drive.Furthermore, the worm modifies the association of ".REG" files to point to the copy of "REGEDIT.EXE" that it has created to the Recycled directory as "RECYCLED.VXD". The original "REGEDIT.EXE" is deleted from the Windows directory.VBS/Stages.A makes modifications to the Windows registry. It adds the following key, so it will be executed when the system is restarted:
In addition, it changes Windows configuration in such a way that the extension of ".TXT" files is always displayed - regardless of the Windows Explorer configuration.This worm was found in early June, 2000. It started to spread globally later during the same month.Manual disinfection can be done by following the steps below. Note that these instructions assume that you have Windows installed to "C:\Windows". If you have Windows installed to any other location, please change the path.
- Delete the following files from the Windows system directory MSINFO16.TLB, SCANREG.VBS and VBASET.OLB - Delete the following files from the Recycled directory DBINDEX.VBS, MSRCYCLD.DAT, RCYCLDBN.DAT - Unhide and move "RECYCLED.VXD" to the Windows directory and rename it as "REGEDIT.EXE". This can be done from the command prompt with the following commands: attrib -h -s -r c:\recycled\recycled.vxd move c:\recycled\recycled.vxd c:\windows\regedit.exe - Restore the association of .reg files by changing the registry: HKEY_CLASSES_ROOT\regfile\DefaultIcon\(Default) = "C:\Windows\regedit.exe,1" HKEY_CLASSES_ROOT\regfile\shell\open\command = "regedit.exe %1" - Remove the autostart registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ScanReg
Make sure F-Secure Anti-Virus is configured to scan files with the SHS extension, otherwise this virus might be missed. This setting has been set as default in FSAV since late 1999.
Technical Details: Katrin Tocheva, Mikko Hypponen and Sami Rautiainen, F-Secure