Spy Sweeper with AntiVirus

The most award-winning anti-spyware software

Get serious about removing spyware with Spy Sweeper - the award-winning anti-spyware software trusted by millions of home computer users.


VBS.Stages.A

Risk Level 2: Low

Discovered: June 16, 2000
Also Known As: Bloodhound.VBS.Worm, IRC/Stages.worm [McAfee], VBS/Stages.gen@MM [McAfee], Life_Stages Worm, I-Worm.Scrapworm [Kaspersky], VBS_STAGES.A [Trend], VBS/Stages-A [Sophos], VBS.Stages [Computer Associates]
Type: Worm
Infection Length: 39,936 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

SUMMARY


Due to a decrease in submissions, this worm has been downgraded to a threat level 2 as of December 7, 2000.

This worm appears as an attachment named Life_stages.txt.shs. When you run the attachment it opens a text file in Notepad. The text file describes the male and female stages of life. While you are reading the text file, a script is running in the background. This worm spreads itself using Outlook, ICQ, mIRC, and PIRCH.

NOTE: An .shs file is a Microsoft Scrap Object file. These files are executable and can contain a wide variety of embedded objects, including commands. Because Windows registers the scrap object type with the NeverShowExt flag, the .shs extension does not appear in Windows Explorer even if all file extensions are displayed, so Life_stages.txt.shs is shown as Life_stages.txt.

SARC suggests that corporate customers configure their email filtering systems to filter out or stop all incoming emails that have attachments with .shs extensions.



Protection

  • Virus Definitions (LiveUpdate™ Weekly) June 16, 2000
  • Virus Definitions (Intelligent Updater) June 16, 2000

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 50 - 999
  • Number of Sites: More than 10
  • Geographical Distribution: High
  • Threat Containment: Easy
  • Removal: Difficult

Damage

  • Damage Level: Medium
  • Payload Trigger: Execution of the LIFE_STAGES.TXT.SHS attachment
  • Large Scale E-mailing: Sends mail to as many as 100 randomly selected addresses from the MS Outlook address book
  • Modifies Files: System registry, Regedit.exe, Mirc.ini
  • Causes System Instability: Could overload mail servers

Distribution

  • Distribution Level: High
  • Subject of Email: There are 12 possibilities for the subject of the email
  • Name of Attachment: LIFE_STAGES.TXT.SHS
  • Size of Attachment: 39,936 bytes
  • Shared Drives: Copies itself to mapped drives

TECHNICAL DETAILS


The worm sends an email to addresses listed in your Microsoft Outlook address book. The email contains the LIFE_STAGES.TXT.SHS attachment.
The subject of the email is randomly generated and can be one of twelve strings. In some, but not all cases, the subject begins with "Fw:". It will, in any case, contain one of the following:
  • Life stages
  • Funny
  • Jokes

In some cases, this is followed by the word "text." The following are examples of possible subject headings:
  • Fw: Life stages
  • Jokes text
  • Fw: Funny text

As soon as they are sent, the worm deletes its own messages from Outlook so that there is no record of its activity in the mailbox.

Upon executing this worm, your system is modified as follows:
  • The following files are created in the Windows\System folder:
    • Scanreg.vbs
    • Vbaset.olb
    • Msinfo16.tlb
  • The Scanreg.vbs value is added to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

    This will run the next time the computer is started.
  • The Life_Stages.txt.shs file is created in the Windows folder.
  • A randomly named file is added to the following locations:
    • The root directory of all mapped drives
    • The My Documents folder.
    • The Windows\Start Menu\Programs folder.
    This randomly named file is created using the format Random 1 + Random 2 + Random 3.txt.shs where:
    • Random 1= Important, Info, Report, Secret, or Unknown
    • Random 2 = - or _ (hyphen or underscore)
    • Random 3 = a random number between 1 and 1000

      For example, Report_439.txt.shs or Important-707.txt.shs.
  • The Regedit.exe file is moved into the Recycle Bin as a hidden system file named Recycled.vxd.
  • The following files are added to the Recycle Bin as hidden system files:
    • Msrcycld.dat
    • Rcycldbn.dat
    • Dbindex.vbs
      Msrcycld.dat is a copy of the original .shs file. Rcycldbn.dat is a copy of the Scanreg.vbs file. Dbindex.vbs is set to run when ICQ is started. The mIRC script is modified to call the Sound32b.dll file, which causes the worm to spread through mIRC and PIRCH.
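The subject strings, the random file-name scheme and the fixed artifact names above are enough to build detection logic. The following Python is an added example, not part of the original advisory or of any Symantec tool: it enumerates the twelve subjects described above, matches the Random 1 + Random 2 + Random 3.txt.shs pattern (rejecting numbers outside 1 to 1000), and scans a constructed list of file paths for the names the worm drops. The sample subjects and paths are hypothetical, not captured from an infection.

```python
import re
from itertools import product

# Subject pieces from the writeup: optional "Fw: " prefix, one of three
# keywords, optional " text" suffix. 2 x 3 x 2 = 12 possible subjects.
SUBJECT_WORDS = ("Life stages", "Funny", "Jokes")

# Anchored at both ends so "Funny text 2" or "Re: Jokes" do not match.
SUBJECT_RE = re.compile(
    r"^(?:Fw: )?(?:Life stages|Funny|Jokes)(?: text)?$", re.IGNORECASE
)

# Dropped file: Random1 + Random2 + Random3 + ".txt.shs", Random3 in 1..1000.
DROPPED_FILE_RE = re.compile(
    r"^(?:Important|Info|Report|Secret|Unknown)[-_](\d{1,4})\.txt\.shs$",
    re.IGNORECASE,
)

# Fixed file names from the writeup (paths vary with the Windows install location).
ARTIFACT_NAMES = {
    "life_stages.txt.shs",                                           # attachment / Windows folder copy
    "scanreg.vbs", "vbaset.olb", "msinfo16.tlb",                     # Windows\System
    "recycled.vxd", "msrcycld.dat", "rcycldbn.dat", "dbindex.vbs",   # Recycle Bin
}


def all_subjects():
    """Enumerate the twelve subject strings the worm can generate."""
    return [f"{p}{w}{s}" for p, w, s in
            product(("", "Fw: "), SUBJECT_WORDS, ("", " text"))]


def is_worm_subject(subject):
    return SUBJECT_RE.match(subject.strip()) is not None


def is_dropped_file(name):
    """True for names such as Report_439.txt.shs; the number must be 1..1000."""
    m = DROPPED_FILE_RE.match(name)
    return m is not None and 1 <= int(m.group(1)) <= 1000


def scan_filenames(paths):
    """Return the paths whose file name is a known artifact or matches the random pattern."""
    hits = []
    for path in paths:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        if base.lower() in ARTIFACT_NAMES or is_dropped_file(base):
            hits.append(path)
    return hits


def flagged_subjects(subjects):
    return [s for s in subjects if is_worm_subject(s)]


# Constructed samples (hypothetical, not captured from a real infection).
SAMPLE_SUBJECTS = ["Fw: Life stages", "Jokes text", "Fw: Funny text",
                   "Funny text 2", "Re: Jokes", "Quarterly report"]
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\Scanreg.vbs",
    r"C:\My Documents\Report_439.txt.shs",
    r"E:\Important-707.txt.shs",
    r"C:\RECYCLED\Recycled.vxd",
    r"C:\My Documents\Secret_1001.txt.shs",   # number out of range: not the worm's pattern
    r"C:\WINDOWS\Scanregw.exe",               # legitimate Windows Registry Checker
    r"C:\My Documents\budget.xls",
]

if __name__ == "__main__":
    print("worm subjects:", flagged_subjects(SAMPLE_SUBJECTS))
    print("artifacts:", scan_filenames(SAMPLE_FILES))
```

The matchers are anchored deliberately: a loose substring match on "Funny" or "Jokes" would flag ordinary mail, and the file-name pattern without the 1 to 1000 range check would accept names the worm never produces.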



Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
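The SARC advice to filter incoming .shs attachments, and the broader recommendation above to block .vbs, .bat, .exe, .pif and .scr attachments at the mail server, come down to one check: look at the attachment's real (last) extension rather than the one Windows displays. The following Python is an added example, not part of the original advisory or of any Symantec product. It uses only the standard-library email package, builds a constructed test message (hypothetical, not a real capture) and reports which attachments a gateway should block; how to hook it into a particular mail server is out of scope.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the writeup recommends blocking at the mail server.
BLOCKED_EXTENSIONS = {".shs", ".vbs", ".bat", ".exe", ".pif", ".scr"}


def attachment_verdicts(raw_message):
    """Return (filename, reason) for every attachment that should be blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        # Windows drops trailing dots and spaces when saving, so "x.shs." lands
        # on disk as x.shs; normalise the same way before looking at extensions.
        name = filename.strip().rstrip(". ").lower()
        pieces = name.split(".")
        if len(pieces) < 2:
            continue
        # Judge by the LAST extension: Life_stages.txt.shs is a scrap object, not text.
        ext = "." + pieces[-1]
        if ext in BLOCKED_EXTENSIONS:
            reason = f"blocked extension {ext}"
            if len(pieces) > 2:
                reason += f" hidden behind .{pieces[-2]}"
            verdicts.append((filename, reason))
    return verdicts


def build_sample_message(attachment_name, subject="Fw: Life stages"):
    """Constructed message with one attachment; the payload bytes are filler, not a worm."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # hypothetical addresses
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("Check this out.")
    msg.add_attachment(b"sample bytes standing in for the attachment",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("Life_stages.txt.shs", "notes.txt", "setup.exe"):
        print(name, "->", attachment_verdicts(build_sample_message(name)))
```

A filter keyed on the displayed name would pass Life_stages.txt as harmless text; the check above reports it as a .shs file hidden behind .txt, which is exactly the case the NOTE in the summary warns about.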

REMOVAL


SARC has developed a free, downloadable tool to repair the damage done by the worm. Please go to:

http://www.symantec.com/avcenter/venc/data/fix.vbs.stages.html

Download the tool to a folder on your hard disk and then double-click it to run the tool. Additional instructions are available on the download page.

What follows are instructions for manually removing the worm. In most cases we recommend that you download and run the previously mentioned removal tool. If you are not able to do so at this time, or if you prefer to use the manual removal procedure, please follow, in turn, the instructions in each section.

NOTE: Due to the large number of modifications made to the system by the worm, the procedure described in this document is complex and assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a qualified computer consultant.

Find and delete files
Please follow these steps to locate and remove some of the files that were added by the worm:
  1. Click Start, point to Find, and click Files or Folders.
  2. Make sure that Look In is pointing to C:, or All Drives if you have more than one.
  3. In the Named box, type *.shs and then click Find Now.
  4. In the Results pane, select any .txt.shs files and then press Delete. Click Yes to confirm.
  5. Click New Search.
  6. In the Named box, type scanreg.vbs vbaset.olb msinfo16.tlb and click Find Now.
  7. In the Results pane, select the displayed files--they should be in the Windows\System folder--and press Delete. Click Yes to confirm.

Restore the Registry Editor
The worm moves the Registry Editor to the Recycle Bin and renames it. Please follow these steps to restore it:

NOTES:
  • When typing the fourth entry, if Windows is installed in a location other than C:\Windows, make the appropriate substitution when typing the path. If you are running Windows NT, the default path is C:\Winnt.
  • If you see the message "File not found," re-enter the command to make sure that it was entered correctly. If you still receive the message, go on to the next command.
  • If you are prompted to overwrite files, first make sure that you have typed the command correctly and then press Y.
  1. Click Start, point to Programs, and click MS-DOS Prompt.
  2. Type each of the following commands, and press Enter after each one:

    cd \
    cd recycled
    attrib -h -s -r *.*
    copy recycled.vxd c:\windows\regedit.exe
    del recycled.vxd
    del msrcycld.dat
    del rcycldbn.dat
    del dbindex.vbs
    exit

Edit the registry
Follow these steps to undo the changes made to the Windows registry by the worm:

CAUTION: We strongly recommend that you back up the Windows registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to Back Up the Windows Registry before proceeding.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and click OK. The Registry Editor opens.
  3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  4. In the right pane, locate and select the Scanreg value. Press Delete, and then click Yes to confirm.
  5. Navigate to and select the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\OSName


    NOTE: This key may not exist on all computers.
  6. If it exists, press Delete, and then click Yes to confirm.
  7. Navigate to the following key:

    HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps\ICQ
  8. In the right pane, locate and delete the following values:

    Enable
    Parameters
    Path
    StartUp
  9. Navigate to the following key:

    HKEY_CLASSES_ROOT\regfile\DefaultIcon
  10. In the right pane, double-click Default.
  11. In the Value data box, delete the current text and then type regedit.exe

    NOTE: If Windows is installed in a location other than C:\Windows, make the appropriate substitution when typing the path.
  12. Click OK.
  13. Navigate to the following key:

    HKEY_CLASSES_ROOT\regfile\shell\open\command
  14. In the right pane, double-click Default.
  15. In the Value data box, delete the current text, and then type regedit.exe

    NOTE: If Windows is installed in a location other than C:\Windows, make the appropriate substitution when typing the path.
  16. Click OK.
  17. Exit the Registry Editor.



Spy Sweeper 5.2 stops spyware in its tracks while offering home computer users the ability to configure the program to suit their specific needs, such as:

Choose a Quick, Full or Custom Sweep: With Spy Sweeper 5.2, you can easily choose to perform a quick, full or customized sweep. If you're looking for an immediate diagnosis, choose a quick sweep. For a pinpointed search, customize your sweep to have Spy Sweeper skip files by folder or file extension. For a deep cleaning, opt for a full sweep.

Exclude Files from a Sweep: Spy Sweeper allows you to save time during a sweep by skipping specific files or different sections of your PC. You can select specific file extension, such as .xls or .mpg to exclude.

Additional Highlights

As soon as it's installed, Spy Sweeper gives 360 degrees of protection against spyware, including:

Simple Sweeps: Detecting spyware and removing unwanted programs found on your computer in three effortless steps

Easy Management: Quickly and simply configure program, sweep and upgrade options

Fast Home: Use the home screen to access the most commonly used functions of Spy Sweeper

Shields Summary: A redesigned shields summary page makes it simple to see at a glance which shields are on or off

Action Alerts: Receive clear, easy-to-understand notifications when new spyware threats are detected

"Spy Sweeper remains a favorite for protection from spyware."



"This program's dominance is apparent as soon as you install it."