-----Original Message-----
From: Steve Bass [mailto:[log in to unmask]]
Sent: Saturday, June 24, 2000 10:30 AM
To: [log in to unmask]
Subject: [pibmug] A new nasty virus that even WE can't see!
From Steve Gibson
Believe it or not, EVEN IF we have Windows set to show file extensions --
as we all probably do -- Windows STILL won't show an
extension of ".shs", which is something called a "Shell Scrap Object".
As a test you can easily do what I did: Create a text file with notepad
that says "this is just a test" then save it with the name "test.txt.shs"
and all you'll see is "test.txt"!!! -- thus causing the ".shs" file to
appear to be a simple (and safe) text file.
Anyway ... since a "Shell Scrap Object" is a scriptable thing, there's a
NEW fast propagating virus making the rounds of Outlook users, and although
we Eudora users can't be used to propagate the nasty thing, our computer
*WILL* still execute the virus!!!
Basically, this means that it's no longer even safe for us to open anything
which APPEARS to be a text file attachment!
MY INSTANT CURE:
Since I could care less about whatever-the-xxxx a "Shell Scrap Object" is
or does, I simply renamed the thing it's associated with (which handles
these things for Windows, thus giving them life) to prevent inadvertent
execution of ANY Shell Scrap Objects. Poetically, the file is named
"shscrap.dll" located in the system directory, which I simply renamed to
"shscrap.dll.xxx" to take it out of service.
Boy, Windows has really become a sewer.
-------------------------------------------------------------------
Here's some stuff specific to THIS current virus:
-------------------------------------------------------------------
//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\
CUPERTINO, Calif. - June 19, 2000 - Symantec Corporation (Nasdaq:
SYMC), a leader in Internet security technology, today announced
detection for VBS.Stages.A, a new and fast-spreading polymorphic
computer worm. Symantec's Anti-Virus Research Lab gives this worm a
Category 4 rating, as it has potential to be difficult to contain,
and cause severe damage. This worm appears as a .TXT file attachment
titled LIFE_STAGES.TXT.SHS that disguises an .SHS file. An .SHS file
is a Microsoft Scrap Object file, an executable file that can
contain a wide variety of objects. The scrap object (SHS) extension
does not appear in Windows Explorer even if all file extensions are
displayed.
When executed, the attachment will open a text file in the Notepad
that describes the male and female stages of life. While the user is
reading the text file, the script executes in the background, moving
the REGEDIT.EXE file to the recycle bin as a hidden system file named
RECYCLED.VXD, resulting in modification of the SYSTEM REGISTRY and
REGEDIT.EXE files that cause system instability.
VBS.Stages.A spreads itself like VBS.LOVELETTER.A, sending mail to a
user's entire MS Outlook address book with a randomly generated
subject line, which can overload mail servers. Additionally, the
worm spreads itself via ICQ, mIRC and PIRCH and copies itself to
mapped drives. The subject line may be one of 12 combinations and in
some cases begins with "FW." The subject line will contain either
"Life stages," "Funny" or "Jokes" or several combinations of these.
This worm immediately deletes copies of the sent emails to ensure
there is no record of its presence. Symantec recommends that computer
users do not attempt to open the attached document, and protect
themselves by using Norton AntiVirus For Gateways to filter out all
incoming emails that have attachments with .SHS extensions. New
definition sets are now available to detect VBS.Stages.A and Norton
AntiVirus users can download them through Symantec's LiveUpdate
feature, or from the Symantec Web site at
www.symantec.com/avcenter/download.html.
Brands and products referenced herein are the trademarks or
registered trademarks of their respective holders. All prices noted
are in US dollars and are valid only in the United States.
//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\
Note that simply updating your virus patterns WON'T prevent the next
abuse of Shell Scrap Objects. I'd recommend that you use my solution
to neuter this entire vulnerability.
_______________________________________
This E-letter may be reproduced for non-commercial use, either in part or in
its entirety, provided the following is included:
* This message is brought to you by the Pasadena IBM Users Group, an
announcement-only mail list. Replies go to Steve Bass.
* To unsubscribe: mailto:[log in to unmask]
* To subscribe: mailto:[log in to unmask]
Copyright 2000 by Steve Bass, reprinted with permission.
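
The gateway filtering recommended in the Symantec text above (rejecting attachments with .SHS extensions) can be sketched as follows. This is an added example, not part of the original message or of any Symantec product; the decoy-extension list, the function names and the sample message are assumptions made for illustration.

```python
from email import message_from_string

# Final extensions rejected at the gateway; the page names only .SHS.
BLOCKED_EXTS = {".shs"}
# Extensions a reader takes as harmless, used to recognise a decoy such as
# NAME.TXT.SHS. This list is an assumption of the example.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf"}

# Constructed sample message (not a captured one), shaped like the worm's mail.
SAMPLE = (
    "From: sender@example.invalid\n"
    "Subject: FW: Funny\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n\nsee attached\n"
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="LIFE_STAGES.TXT.SHS"\n'
    "\nx\n"
    "--b1--\n"
)


def classify_filename(name):
    """Return 'block-decoy', 'block' or 'allow' for one attachment name."""
    # Windows ignores trailing dots and spaces in a file name, so
    # "x.txt.shs. " still resolves to an .shs file; strip them first.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or "." + parts[-1] not in BLOCKED_EXTS:
        return "allow"
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return "block-decoy"  # harmless-looking extension hides the real one
    return "block"


def scan_message(raw):
    """List (filename, verdict) for every attachment that is not allowed."""
    findings = []
    for part in message_from_string(raw).walk():
        # get_filename() reads Content-Disposition, falls back to the
        # Content-Type name parameter, and decodes RFC 2231 values.
        name = part.get_filename()
        if name and classify_filename(name) != "allow":
            findings.append((name, classify_filename(name)))
    return findings
```

Because the verdict depends only on the final extension, the check also covers any later scrap-object attachment under a different name, which a signature update for one worm does not.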