New worm crawls into SA

Johannesburg, 19 Jun 2000

Another Love Letter clone has started doing the rounds in SA, but the VBS.Stages worm has a little twist. The attachment looks very similar to a text file, lulling users into a false sense of security.

According to Symantec's anti-virus research centre (SARC), the virus appears as an attachment LIFE_STAGES.TXT.SHS. Running the attachment opens a text file describing the male and female stages of life in Notepad, while in the background the virus infects your machine. The virus spreads itself with Outlook, ICQ, mIRC and PIRCH.

SHS files are Microsoft Scrap Object files, which are executable and can contain a variety of objects. The icon conveniently looks similar to that of a text file. The subject line is polymorphic, and is randomly generated from one of 12 strings. A "Funny", "Life stages", or "Jokes" subject line can each be appended with "text", while the "FW:" prefix is also variable.
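A defender-side triage check for the lure described above, added here as an example (not code from the article or from SARC): it flags messages whose attachment carries a double extension ending in .SHS and whose subject is one of the 12 generated strings. The exact spacing and capitalisation of the real subject strings are an assumption, and the sample messages are constructed.

```python
"""Triage checks for the VBS.Stages lure: a disguised .SHS attachment and the
12 generated subjects (optional "FW:", one of three bases, optional "text").
Exact spacing/case of the real strings is assumed, so matching is lenient."""
import itertools
import re

BASE_SUBJECTS = ("Funny", "Life stages", "Jokes")


def _normalise(text):
    """Lower-case and collapse whitespace so minor variations still match."""
    return re.sub(r"\s+", " ", text).strip().lower()


def stages_subjects():
    """Enumerate the 12 variants: 2 prefixes x 3 bases x 2 suffixes."""
    combos = itertools.product(("", "FW: "), BASE_SUBJECTS, ("", " text"))
    return {_normalise(p + b + s) for p, b, s in combos}


def is_stages_subject(subject):
    return _normalise(subject) in stages_subjects()


def has_hidden_scrap_extension(filename):
    """True for names like LIFE_STAGES.TXT.SHS: a Scrap Object (.SHS,
    executable) hiding behind a harmless-looking inner extension."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "shs" and parts[1] != ""


def triage(subject, attachments):
    """Return the reasons a message matches the lure; empty list means no match."""
    reasons = []
    if is_stages_subject(subject):
        reasons.append("subject is one of the 12 VBS.Stages subject strings")
    for name in attachments:
        if has_hidden_scrap_extension(name):
            reasons.append(f"{name}: .SHS scrap object disguised by a double extension")
        elif name.lower().endswith(".shs"):
            reasons.append(f"{name}: .SHS scrap object attachment (executable)")
    return reasons


# Constructed sample messages, not real captures.
SAMPLES = [
    ("FW: Life stages text", ["LIFE_STAGES.TXT.SHS"]),
    ("Quarterly report", ["report.doc"]),
]

if __name__ == "__main__":
    for subject, attachments in SAMPLES:
        print(subject, "->", triage(subject, attachments) or "clean")
```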

According to a report from SecureData, distributor of Trend Micro anti-virus software, four incidents of the virus had been reported by major US corporations on both the east and west coasts by late Friday afternoon. Over the weekend, additional sites in India, Australia and the US reported infections. For this reason, the risk assessment was increased from medium to high on Sunday. The virus has the potential to spread very rapidly via Outlook e-mail and overwhelm e-mail servers.

If you have been infected, follow these steps to clean it off your machine (care of SARC):

  • Delete all .txt.shs files from your system. Also delete SCANREG.VBS, VBASET.OLB and MSINFO16.TLB from the \WINDOWS\SYSTEM directory.

  • You will need to restore the registry using regedit. To do this, first open a command prompt and change to the \RECYCLED directory. Using the attrib command, modify the attributes of the files that the worm creates there. The command would be attrib -hsr recycled.vxd, and so on for each of these files. Copy RECYCLED.VXD as \WINDOWS\REGEDIT.EXE and then delete the four files you modified.

Using regedit, make the following modifications to the registry:

  • Delete the value HKLM/Software/Microsoft/Windows/RunServices/Scanreg.

  • Delete the values Enable, Parameters, Path and StartUp in the key HKEY_USERS/.Default/Software/Mirabilis/ICQ/Agent/Apps/ICQ.

  • Delete the value HKLM/Software/Microsoft/Windows/CurrentVersion/OSName.

  • Modify the value for HKCR/regfile/DefaultIcon by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.

  • Modify the value for HKCR/regfile/shell/open/command by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.

  • Modify the value for HKLM/Software/CLASSES/regfile/shell/open/command by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.

  • Modify the value for HKLM/Software/CLASSES/regfile/DefaultIcon by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.