C-PALSY Archives

Cerebral Palsy List

C-PALSY@LISTSERV.ICORS.ORG

Subject:
From:
Trisha Cummings <[log in to unmask]>
Reply To:
St. John's University Cerebral Palsy List
Date:
Tue, 20 Jun 2000 17:08:52 -0400
Content-Type:
text/plain
Parts/Attachments:
text/plain (145 lines)
 Guys,

        This is from our IT Network God!!

                Trisha


        Here is the information on the current virus that has been
spotted.  There are people I know who have contracted it already.
Please do not open any foreign attachments unless you are absolutely
sure you are receiving an expected, and safe piece of mail.  These
messages will be coming from people you know so please be aware of this
fact. The following is the information sheet on the virus. Please read
this.
        If you think you have already been infected, please contact
Edward
Thank you
Stages.A (also known as VBS.Stages.A and VBS/ShellScrap)
VBS.Stages.A is the first known worm to utilize the SHS filetype (scrap
file) to transfer its code. Most parts of suspicious strings have been
encrypted using techniques already seen in the VBS.Zulu family.

The worm's code is contained in the file "LIFE_STAGES.TXT.SHS". If this
file does not exist in the windows startup directory, the worm will
create the file "LIFE_STAGES.TXT" containing the following text:
        - The male stages of life:
        Age. Seduction lines.
        17 My parents are away for the weekend.
        25 My girlfriend is away for the weekend.
        35 My fiancee is away for the weekend.
        48 My wife is away for the weekend.
        66 My second wife is dead.
        Age. Favorite sport.
        17 Sex.
        25 Sex.
        35 Sex.
        48 Sex.
        66 Napping.
        Age. Definiton of a successful date.
        17 Tongue.
        25 Breakfast.
        35 She didn't set back my therapy.
        48 I didn't have to meet her kids.
        66 Got home alive.
        - The female stages of life:
        Age. Favourite fantasy.
        17 Tall, dark and hansome.
        25 Tall, dark and hansome with money.
        35 Tall, dark and hansome with money and a brain.
        48 A man with hair.
        66 A man.
        Age. Ideal date.
        17 He offers to pay.
        25 He pays.
        35 He cooks breakfast next morning.
        48 He cooks breakfast next morning for the kids.
        66 He can chew his breakfast.
If the file containing the worm does not exist in the startup directory,
the worm tries to find the file on the local hard drive and copy it to
various locations to ensure its survival. The worm also creates the file
"scanreg.vbs", which contains reactivation code. The worm updates the
registry so that the "scanreg.vbs" file is started on every system
reboot.

Next, the worm tries to modify parameters from a local ICQ client and
then modifies the registry information to confuse the user when looking
at ".SHS" type files. When the worm is activated, the default icon for
".SHS" files will be the same as for ".txt" files and the extension
".SHS" will not be shown.

To stop recovery attempts, the worm also tries to rename or move the
file "regedit.exe" (the registry editor), so that the "runservice"
registry key modification cannot be deactivated. The new filename for
the registry editor is "recycled.vxd".

The worm then tries to copy itself on all mapped network drives in the
startup folder of Windows. This feature will only be activated when the
file (mentioned earlier) was not found in the local startup directory.

Depending on the value of the registry key:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\OSName"
the worm will also try to utilize Microsoft Outlook to send itself to
addresses in the Address Book. The worm uses variable subjects to make
its detection harder.

Possible subjects are:
        "Fw: Life Stages"
        "Fw: Funny"
        "Fw: Jokes"
        "Fw: Life Stages text"
        "Fw: Funny text"
        "Fw: Jokes text"
        "Life Stages"
        "Funny"
        "Jokes"
        "Life Stages text"
        "Funny text"
        "Jokes text"
Also, the body text contains random elements. After the e-mail messages
have been sent, the worm makes sure that the messages do not appear in
the "Sent Items" folder. It also modifies the registry key mentioned
earlier so that the messages will be sent only once.

Cleaning:
For the cleaning instructions to be effective, you will need to
configure your antivirus program settings as follows:

For memory resident protection (for Windows 95 and 98 users), you will
need the "Scan All Files" option under Options | Resident/Real-time
Protection... | File Monitoring enabled. Under Windows NT4 and Windows
2000 this option is not available as the feature is enabled by
default. Ensure that the memory resident protection is checking files on
closing. This option is available under Options | Resident/Real-time
Protection... | File Monitoring | Closing Files.

If all of the above options were enabled and you already had virus
signature update 387 installed on your machine before you ran the
"LIFE_STAGES.TXT.SHS" file, your antivirus software will warn you about
the virus, but will not prevent .VBS files from being dropped to your
hard drive. You will need to run an "On Demand" scan to check all the
files on your hard drive; files with .VBS extensions that have been
dropped onto your system will be detected and deleted.

If your system is already infected you will need to update your virus
signatures with update 387 or higher and ensure that the options
recommended above are enabled. Windows 95 and 98 users will have to
reboot their machines for memory resident protection to be updated. Scan
all the files on your hard drive. Your antivirus software will detect
and delete all the .VBS files that are dropped by the virus.

The virus would have tried to rename REGEDIT.EXE to RECYCLED.VXD and
move it to the C:\RECYCLED directory. In some cases it will fail and
REGEDIT.EXE will be deleted. As a consequence you will not be able to
clean the registry. Obtain a copy of REGEDIT.EXE from a non-infected
system and place in the Windows folder.

Alternatively, you can click here <reg/vbsstagesa.inf> to download an
.inf file to clean up the registry. Save the file to your desktop and
then right-click on the file and choose Install to run the file.

We also have a cleaning tool to fix the registry automatically so there
is no need to run regedit.exe. See the main page of our FAQ section on
this site.
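
Added example, not part of the original message or the vendor's advisory: a mail-gateway style check showing why the attachment's final extension is a more reliable signal than the variable subjects listed above. It assumes the attachment carries a name of the same shape as the file in the advisory; all function names are hypothetical and the test message is constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePath

# Subjects from the advisory reduced to stems; "Fw: " and " text" are stripped.
SUBJECT_STEMS = {"life stages", "funny", "jokes"}
# Extensions the advisory names: the scrap file itself and the dropped scripts.
RISKY_EXT = {".shs", ".vbs"}

def subject_matches(subject):
    s = (subject or "").strip().lower()
    if s.startswith("fw:"):
        s = s[3:].strip()
    if s.endswith(" text"):
        s = s[:-5].strip()
    return s in SUBJECT_STEMS

def risky_attachments(msg):
    """List (filename, has_decoy_extension) for attachments ending in a risky type."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [x.lower() for x in PurePath(name).suffixes]
        if suffixes and suffixes[-1] in RISKY_EXT:
            hits.append((name, len(suffixes) > 1))
    return hits

def triage(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    attachments = risky_attachments(msg)
    # Subjects vary, so the attachment decides; the subject is only a hint.
    return {"subject_match": subject_matches(msg["Subject"]),
            "attachments": attachments,
            "quarantine": bool(attachments)}

def build_sample(subject, filename):
    """Constructed test message with placeholder bytes, not a real sample."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = "sender@example.invalid"
    m["To"] = "reader@example.invalid"
    m.set_content("constructed body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("Fw: Life Stages text", "LIFE_STAGES.TXT.SHS")))
```

A message with an unlisted subject is still quarantined when the attachment ends in ".SHS", while a listed subject with an ordinary ".txt" attachment is not.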
