FRISK Software International


Summary of VBS/Stages.A
Alias: Life_Stages Worm, I-Worm.Scrapworm, IRC/Stages.worm
Infection Method: Infected e-mail attachments
 

Brief Description
VBS/Stages is a Visual Basic Script worm. It mass mails itself as an e-mail attachment which has an SHS-extension.


Technical Description
The e-mails sent by the worm look like this:

    From: name-of-the-infected-user
    To: random-name-from-address-book
    Subject: (Random subject)
    Body: (Random body)
    Attachment: LIFE_STAGES.TXT.SHS
The size of the attachment is always 39936 bytes. The SHS-extension is not visible, even if Windows Explorer properties have been set to show all filename extensions.

The worm uses one of the following texts as a subject of the message:

    Life Stages
    Funny
    Jokes
It might add either "Fw:" or "text" to the beginning or to the end of the subject, respectively.

The body of the message is random, too. It may contain the following text:

    > The male and female stages of life.
VBS/Stages can spread via mIRC and Pirch chat clients as well. It replaces configuration (".ini") files for these IRC clients to spread itself when the infected user joins a channel.

When the file attachment is opened, the worm shows the following text:

    - The male stages of life:


    Age. Seduction lines.
    17   My parents are away for the weekend.
    25   My girlfriend is away for the weekend.
    35   My fiancee is away for the weekend.
    48   My wife is away for the weekend.
    66   My second wife is dead.


    Age. Favorite sport.
    17   Sex.
    25   Sex.
    35   Sex.
    48   Sex.
    66   Napping.


    Age. Definiton of a successful date.
    17   Tongue.
    25   Breakfast.
    35   She didn't set back my therapy.
    48   I didn't have to meet her kids.
    66   Got home alive.


    - The female stages of life:


    Age. Favourite fantasy.
    17   Tall, dark and hansome.
    25   Tall, dark and hansome with money.
    35   Tall, dark and hansome with money and a brain.
    48   A man with hair.
    66   A man.


    Age. Ideal date.
    17   He offers to pay.
    25   He pays.
    35   He cooks breakfast next morning.
    48   He cooks breakfast next morning for the kids.
    66   He can chew his breakfast.
It copies itself to the Windows directory with the name "LIFE_STAGES.TXT.SHS". Then it creates the following files in the Windows System directory:

    MSINFO16.TLB
    SCANREG.VBS
    VBASET.OLB
And the following files in the Recycled directory:

    DBINDEX.VBS
    MSRCYCLD.DAT
    RCYCLDBN.DAT
    RECYCLED.VXD
The worm also creates files with random names. Each name consists of one of the strings below, followed by a hyphen ("-") or an underscore ("_") and a random number between 0 and 999.

    IMPORTANT
    INFO
    REPORT
    SECRET
    UNKNOWN
The file extension is always ".TXT.SHS". For example, the name of the file can be "UNKNOWN-123.TXT.SHS" or "IMPORTANT_432.TXT.SHS". These files are created in the root directory, "My Documents" and "Windows\Start Menu\Programs" directories in every mapped network drive.
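
The file indicators listed above (the fixed attachment name and size, the dropped files, and the random naming scheme) can be turned into a simple triage check over a file listing. The following is an added example, not part of the original analysis; the function names, the sample listing and the assumption that the System directory is named "System" are illustrative.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the description above; names are compared case-insensitively.
WORM_SIZE = 39936
SYSTEM_DROPS = {"msinfo16.tlb", "scanreg.vbs", "vbaset.olb"}
RECYCLED_DROPS = {"dbindex.vbs", "msrcycld.dat", "rcycldbn.dat", "recycled.vxd"}
RANDOM_NAME = re.compile(
    r"^(important|info|report|secret|unknown)[-_]\d{1,3}\.txt\.shs$", re.I)

def classify(path, size=None):
    """Return a reason if path matches a VBS/Stages.A indicator, else None."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), p.parent.name.lower()
    if name == "life_stages.txt.shs" or RANDOM_NAME.match(name):
        # The worm copy is always 39936 bytes; other sizes are name-only hits.
        if size is None or size == WORM_SIZE:
            return "worm copy"
        return "worm-style name, unexpected size"
    # Assumption: the System directory is named "System" (Windows 9x layout).
    if parent == "system" and name in SYSTEM_DROPS:
        return "dropped file in System directory"
    if parent == "recycled" and name in RECYCLED_DROPS:
        return "dropped file in Recycled directory"
    # Any other *.something.SHS name is worth a look: Explorer hides ".SHS".
    if name.endswith(".shs") and name.count(".") >= 2:
        return "other .SHS double extension"
    return None

def scan(listing):
    """listing: iterable of (path, size); returns {path: reason} for hits."""
    found = ((path, classify(path, size)) for path, size in listing)
    return {path: reason for path, reason in found if reason}

# Constructed sample listing, not taken from a real system.
SAMPLE = [
    (r"C:\Windows\LIFE_STAGES.TXT.SHS", 39936),
    (r"C:\Windows\System\SCANREG.VBS", 1204),
    (r"C:\Recycled\RECYCLED.VXD", 120320),
    (r"F:\My Documents\UNKNOWN-123.TXT.SHS", 39936),
    (r"F:\IMPORTANT_432.TXT.SHS", 512),
    (r"C:\Windows\System\KERNEL32.DLL", 471040),
    (r"C:\My Documents\REPORT_1000.TXT.SHS", 39936),
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE).items():
        print(f"{reason:36} {path}")
```

A hit on "RECYCLED.VXD" marks the relocated copy of "REGEDIT.EXE", which should be restored rather than deleted.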

Furthermore, the worm modifies the association of ".REG" files to point to the copy of "REGEDIT.EXE" that it has created in the Recycled directory as "RECYCLED.VXD". The original "REGEDIT.EXE" is deleted from the Windows directory.

VBS/Stages.A makes modifications to the Windows registry. It adds the following key, so it will be executed when the system is restarted:

   HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ScanReg
In addition, it changes Windows configuration in such a way that the extension of ".TXT" files is always displayed - regardless of the Windows Explorer configuration.

This worm was found in early June, 2000. It started to spread globally later during the same month.


Removal Instructions
Manual disinfection can be done by following the steps below. Note that these instructions assume that you have Windows installed to "C:\Windows". If you have Windows installed to any other location, please change the path.

- Delete the following files from the Windows system directory: MSINFO16.TLB, SCANREG.VBS and VBASET.OLB
- Delete the following files from the Recycled directory: DBINDEX.VBS, MSRCYCLD.DAT, RCYCLDBN.DAT
- Unhide and move "RECYCLED.VXD" to the Windows directory and rename it as "REGEDIT.EXE". This can be done from the command prompt with the following commands:

    attrib -h -s -r c:\recycled\recycled.vxd
    move c:\recycled\recycled.vxd c:\windows\regedit.exe

- Restore the association of .reg files by changing the registry:

    HKEY_CLASSES_ROOT\regfile\DefaultIcon\(Default) = "C:\Windows\regedit.exe,1"
    HKEY_CLASSES_ROOT\regfile\shell\open\command = "regedit.exe %1"

- Remove the autostart registry entry:

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ScanReg

[Analysis: Katrin Tocheva, Mikko Hypponen and Sami Rautiainen, F-Secure]