Virus Profile: IRC/Stages.worm

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 5/26/2000
Date Added: 5/30/2000
Origin: MAPI & IRC
Length: 39,936
Type: Virus
Subtype: VBScript worm
DAT Required: 4082

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Existence of the files mentioned below. Email propagation as mentioned below. IRC channel propagation as mentioned below. Deletion of the file REGEDIT.EXE. Creation of files in the recycle bin as mentioned below.

*Because this worm creates files in the Recycle Bin, it is necessary to remove the Recycle Bin listing from the exclusion list in VirusScan. Also SCAN ALL files.*

If the Recycle Bin is emptied, the relocated REGEDIT (RECYCLED.VXD) will be removed (see below for the files this Internet worm creates). Obtain a copy of REGEDIT.EXE from a non-infected system and place it in the Windows folder. Additional registry settings will also require adjusting.

Methods of Infection

If the file "LIFE_STAGES.TXT.SHS" is run, the following will occur on the local system:

* extracts "LIFE_STAGES.TXT.VBS" to the temp folder and runs it from there

* sends itself via MAPI email to a random number of recipients with one of the following email combinations:

Subject: [P1]+[P2]+[P3]
Body: > The male and female stages of life.
Attachment: LIFE_STAGES.TXT.SHS

In the above, the subject line is variable, but limited to 12 possible combinations. P1, P2 & P3 are chosen from the respective lists below:

P1 -> "FW: ", ""
P2 -> "Life stages", "Funny", "Jokes"
P3 -> " text", ""

Examples:
Subject = "Funny"
Subject = "FW: Jokes text"
Subject = "Life stages"

The recipients are "blind carbon copied" or "bcc".

* moves REGEDIT.EXE from the Windows folder to the recycle bin as "RECYCLED.VXD", modifies registry to use this relocated file when importing or using registry type files

* creates files with random names throughout the local system and on all available drives; fixed names include the following:

c:\WINDOWS\SYSTEM\MSINFO16.TLB
c:\WINDOWS\SYSTEM\SCANREG.VBS
c:\WINDOWS\SYSTEM\VBASET.OLB
c:\RECYCLED\DBINDEX.VBS
c:\RECYCLED\MSRCYCLD.DAT
c:\RECYCLED\RCYCLDBN.DAT
c:\RECYCLED\RECYCLED.VXD (really REGEDIT.EXE)

The following are examples of random names generated:
c:\report.txt.shs
c:\My Documents\IMPORTANT.TXT.SHS
c:\WINDOWS\LIFE_STAGES.TXT.SHS
c:\WINDOWS\Start Menu\Programs\unknown_805.txt.shs

When creating the randomly named SHS files, this worm uses the following algorithm to determine a name:

[Random1] + [Random2] + [Random3] + ".TXT.SHS"

Random1 is a selection of one of five choices:
"IMPORTANT"
"INFO"
"REPORT"
"SECRET"
"UNKNOWN"

Random2 is a selection of one of two choices:
"-"
"_"

Random3 is a randomly generated number between 0 and 999.

The combination of these three randomizations results in 10,000 possible different names.
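As an added example that is not McAfee's or the worm's code, the following Python check covers both the subject-line combinations above and the SHS naming algorithm: it enumerates the 12 possible subjects, matches the [Random1]+[Random2]+[Random3].TXT.SHS pattern, and sweeps a list of (subject, attachment) pairs the way a mail-gateway rule would. The fragment lists are copied from this profile; the regular expression, the function names and the message list are mine (the messages are constructed sample input).

```python
"""Added example (not McAfee's code): detection helpers for the IRC/Stages.worm
subject lines and SHS file names described in the profile."""
import itertools
import re

# Subject fragments exactly as listed in the profile.
P1 = ["FW: ", ""]
P2 = ["Life stages", "Funny", "Jokes"]
P3 = [" text", ""]

# File-name fragments exactly as listed in the profile.
RANDOM1 = ["IMPORTANT", "INFO", "REPORT", "SECRET", "UNKNOWN"]
RANDOM2 = ["-", "_"]
FIXED_ATTACHMENT = "LIFE_STAGES.TXT.SHS"

# Random3 is a number from 0 to 999; the pattern tolerates a zero-padded form
# (e.g. 007) on purpose, because a detection rule should err on the wide side.
SHS_NAME = re.compile(
    r"^(?:" + "|".join(RANDOM1) + r")[-_]\d{1,3}\.TXT\.SHS$", re.IGNORECASE)


def stages_subjects():
    """All [P1]+[P2]+[P3] combinations: 2 * 3 * 2 = 12 subject lines."""
    return {p1 + p2 + p3 for p1, p2, p3 in itertools.product(P1, P2, P3)}


def is_stages_subject(subject):
    """True when an incoming subject is exactly one of the 12 worm subjects."""
    return subject in stages_subjects()


def is_stages_filename(path):
    """True when the base name matches [Random1][Random2][Random3].TXT.SHS.
    The worm's other fixed names (e.g. report.txt.shs) are not covered here."""
    base = re.split(r"[\\/]", path)[-1]
    return SHS_NAME.match(base) is not None


def stages_filename_count():
    """Size of the name space the profile describes: 5 * 2 * 1000 = 10,000."""
    return len(RANDOM1) * len(RANDOM2) * 1000


def scan_mail(messages):
    """Return the indices of (subject, attachment) pairs that look like the
    worm's mail: a known subject, or the fixed attachment name."""
    hits = []
    for i, (subject, attachment) in enumerate(messages):
        if is_stages_subject(subject) or attachment.upper() == FIXED_ATTACHMENT:
            hits.append(i)
    return hits


if __name__ == "__main__":
    # Constructed sample mailbox; only the first, third and fourth are suspect.
    sample = [("FW: Jokes text", "LIFE_STAGES.TXT.SHS"),
              ("Budget", "q2.xls"),
              ("Re: hi", "life_stages.txt.shs"),
              ("Funny", "cat.jpg")]
    print(sorted(stages_subjects()))
    print("suspect messages:", scan_mail(sample))
    print("unknown_805.txt.shs matches:", is_stages_filename("unknown_805.txt.shs"))
```

The subject match is exact on purpose: the profile lists the variants exhaustively, so a looser match would only add false positives on ordinary "Funny" or "Jokes" mail.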

* modifies the registry to run SCANREG.VBS at Windows startup

* modifies the registry to run DBINDEX.VBS when loading ICQ

* modifies the registry so that RECYCLED.VXD is run whenever a registry (regfile) file is opened

* modifies MIRC.INI to load an auxiliary script file for PIRCH/mIRC installations

* creates SOUND32B.DLL in the Windows folder whenever Windows restarts, via SCANREG.VBS; SOUND32B.DLL is an auxiliary script file called by MIRC.INI and contains instructions to send the file LIFE_STAGES.TXT.SHS when connecting to IRC channels

* modifies the following registry settings (to recover, modify these to original "from" settings):

HKLM\Software\CLASSES\regfile\DefaultIcon
Value "@":
from "C:\WINDOWS\regedit.exe,1"
to "C:\RECYCLED\RECYCLED.VXD,1"

HKLM\Software\CLASSES\regfile\shell\open\command
Value "@":
from "regedit.exe "%1""
to "C:\RECYCLED\RECYCLED.VXD "%1""

* creates the following registry settings (to recover, delete these keys):

HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
Parameters="C:\RECYCLED\DBINDEX.VBS"

HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
Path="C:\WINDOWS\WSCRIPT.EXE"

HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
Startup="C:\WINDOWS"

HKLM\Software\CLASSES\txtfile\
AlwaysShowExt=""

HKLM\Software\Microsoft\Windows\CurrentVersion\
OSName="Microsoft Windows"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
ScanReg="C:\WINDOWS\WSCRIPT.EXE C:\WINDOWS\SYSTEM\SCANREG.VBS"

--------Special Notes-----------
One significance of this exploitation of SHS files is that it raises awareness of the fact that the extension is not shown, even if a system is configured to "show all files" and "show extensions of known file types".

This is due to a registry entry for Shell Scrap file types:

HKEY_CLASSES_ROOT\ShellScrap
"NeverShowExt"="0"

Users can correct this by either deleting the entry named "NeverShowExt" or renaming it to "AlwaysShowExt". If renaming the entry, the user must log off and log back into Windows for the change to take effect.
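As an added example that is not McAfee's code, the following Python script checks a REGEDIT4 (.reg) export for the registry changes listed under Methods of Infection above and for the ShellScrap "NeverShowExt" entry discussed in this note. It covers both the "modifies" and "creates" lists and the Special Notes paragraph. The key names, value names and marker strings are taken from this profile; the .reg parser, the HKCR-to-HKLM folding, the function names and the sample export (a constructed file, not a capture from an infected machine) are mine.

```python
"""Added example (not McAfee's code): scan a REGEDIT4 (.reg) export for the
IRC/Stages.worm registry changes and for the ShellScrap NeverShowExt setting."""
import re

# Infection markers from the profile: (key, value name, substring that marks the change).
INFECTION_MARKERS = [
    (r"HKLM\Software\CLASSES\regfile\DefaultIcon", "@", "RECYCLED.VXD"),
    (r"HKLM\Software\CLASSES\regfile\shell\open\command", "@", "RECYCLED.VXD"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", "ScanReg", "SCANREG.VBS"),
    (r"HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ", "Parameters", "DBINDEX.VBS"),
    (r"HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ", "Path", "WSCRIPT.EXE"),
]

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_CURRENT_USER": "HKCU"}


def norm_key(key):
    """Upper-case a key path, shorten the hive name, and fold HKCR into
    HKLM\\Software\\Classes (HKCR is a view of that subtree)."""
    hive, _, rest = key.partition("\\")
    hive = HIVES.get(hive.upper(), hive.upper())
    if hive == "HKCR":
        hive, rest = "HKLM", "Software\\Classes\\" + rest
    return (hive + "\\" + rest).upper().rstrip("\\")


def unquote(raw):
    """Strip the quotes of a REGEDIT4 string and undo its backslash escapes;
    other value types (hex:, dword:) are returned verbatim."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    return raw


def parse_reg(text):
    """Return {normalised key: {UPPER value name: value}} from a .reg export.
    Value names containing '=' and multi-line hex values are not handled."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = norm_key(line[1:-1])
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][unquote(name).upper()] = unquote(value)
    return keys


def check_export(text):
    """Return (infection_findings, hardening_findings) for a .reg export."""
    keys = parse_reg(text)
    infected = []
    for key, name, marker in INFECTION_MARKERS:
        value = keys.get(norm_key(key), {}).get(name.upper())
        if value is not None and marker in value.upper():
            infected.append((key, name, value))
    # The worm creates txtfile\AlwaysShowExt; its presence is a marker by itself.
    if "ALWAYSSHOWEXT" in keys.get(norm_key(r"HKLM\Software\CLASSES\txtfile"), {}):
        infected.append((r"HKLM\Software\CLASSES\txtfile", "AlwaysShowExt", ""))
    hardening = []
    if "NEVERSHOWEXT" in keys.get(norm_key(r"HKCR\ShellScrap"), {}):
        hardening.append("HKCR\\ShellScrap\\NeverShowExt present: .SHS extension stays hidden")
    return infected, hardening


# Constructed sample export showing an infected machine with the default ShellScrap entry.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap object"
"NeverShowExt"="0"

[HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command]
@="C:\\RECYCLED\\RECYCLED.VXD \"%1\""

[HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\DefaultIcon]
@="C:\\RECYCLED\\RECYCLED.VXD,1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanReg"="C:\\WINDOWS\\WSCRIPT.EXE C:\\WINDOWS\\SYSTEM\\SCANREG.VBS"

[HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile]
"AlwaysShowExt"=""
"""

if __name__ == "__main__":
    infected, hardening = check_export(SAMPLE_EXPORT)
    for finding in infected:
        print("INFECTION MARKER:", finding)
    for finding in hardening:
        print("HARDENING GAP:", finding)
```

The export is read as text rather than queried live so the check can run from a clean boot environment, which is how the profile's removal instructions expect the cleanup to be done; the NeverShowExt finding is reported separately because it is a default Windows setting, not evidence of infection.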

Aliases

I-Worm.Scrapworm, IRC/Stages.ini, LIFE_STAGES.TXT.SHS, ShellScrap Worm, Stages of Life, VBS/LifeStages, VBS/Stages.14559, VBS/Stages.2543, VBS/Stages.27356, VBS/Stages.worm, VBS_STAGES
   

Virus Characteristics

*Update - June 28, 2000:
Detection/removal for the component identified as "VBS/Stages.27356" has been added to 4084 .DAT.

*Update - June 19, 2000:
AVERT has raised the ARA for this Internet worm from LOW to HIGH based on the number of samples received. We recommend ensuring that .SHS file extensions are included in all scanning programs.

This is a multi-application Internet worm which is designed with intent to spread using one of four spreading mechanisms. This worm takes advantage of installations of Pirch, Outlook, mIRC, and also spreads to available mapped drives.

This Internet worm was first announced on the author's website and has not been seen at a customer site as of this description posting.

This worm may arrive by email in the format described under Methods of Infection above (one of the 12 [P1]+[P2]+[P3] subject combinations, the body "> The male and female stages of life.", and the attachment LIFE_STAGES.TXT.SHS, sent to recipients as "bcc").

The attachment is 39,936 bytes and is a Shell Scrap Object file. These files are the most unpredictable file type of all, since they can be anything from an authentic file to a trojan application. In this case, the file cannot be trusted.

An interesting feature of SHS files is that the extension remains hidden, even though the operating system is set to show file extensions. This helps to confuse the user into believing the file is really of .TXT file type. Double-clicking on the file will install this Internet worm in an interesting manner.

This SHS worm displays content while it installs itself to the local host. The following text file is shown:

---------copy of displayed text--------
- The male stages of life:

Age. Seduction lines.
17 My parents are away for the weekend.
25 My girlfriend is away for the weekend.
35 My fiancee is away for the weekend.
48 My wife is away for the weekend.
66 My second wife is dead.

Age. Favorite sport.
17 Sex.
25 Sex.
35 Sex.
48 Sex.
66 Napping.

Age. Definiton of a successful date.
17 Tongue.
25 Breakfast.
35 She didn't set back my therapy.
48 I didn't have to meet her kids.
66 Got home alive.

- The female stages of life:

Age. Favourite fantasy.
17 Tall, dark and hansome.
25 Tall, dark and hansome with money.
35 Tall, dark and hansome with money and a brain.
48 A man with hair.
66 A man.

Age. Ideal date.
17 He offers to pay.
25 He pays.
35 He cooks breakfast next morning.
48 He cooks breakfast next morning for the kids.
66 He can chew his breakfast.
---------copy of displayed text--------


   
Removal Instructions

All Users:
Script, Batch, Macro and non-memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory-resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool; visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.

   
