LIFE_STAGES.TXT
This worm appears as an attachment titled
LIFE_STAGES.TXT.SHS. Execution of this attachment will open
a text file in Notepad displaying the male and female stages of
life. Whilst the user is reading the text file, the script is executing
in the background. This worm spreads itself using Outlook, ICQ,
mIRC and PIRCH. SARC suggests that corporate customers
configure their email filtering systems to filter out or stop all
incoming emails that have attachments with .SHS
extensions.
An SHS file is a Microsoft Scrap Object file. These types of files
are executable and can contain a wide variety of objects. The
scrap object (SHS) extension does not appear in Windows
Explorer even if all file extensions are displayed. Upon executing
this worm, your system is modified in many different ways:
- SCANREG.VBS, VBASET.OLB and MSINFO16.TLB are
dropped into the \WINDOWS\SYSTEM directory.
- The registry key HKLM\Software\Microsoft\Windows\
CurrentVersion\RunServices\ScanReg is added to run the
SCANREG.VBS file upon startup.
- LIFE_STAGES.TXT.SHS is dropped into the \WINDOWS
directory.
- A randomly named file in the format of
Rand1+Rand2+Rand3.txt.shs where Rand1 =
IMPORTANT, INFO, REPORT, SECRET, or UNKNOWN
and Rand2 = - or _ and Rand3 = a random number
between 1 and 1000 is dropped into the root directory of all
mapped drives, into \My Documents and into
\WINDOWS\START MENU\PROGRAMS. For example,
report_439.txt.shs or IMPORTANT-707.TXT.SHS.
- The file regedit.exe is moved into the Recycle Bin as a
hidden system file named RECYCLED.VXD.
- MSRCYCLD.DAT, RCYCLDBN.DAT and DBINDEX.VBS
are dropped into the Recycle Bin as hidden system files.
MSRCYCLD.DAT is a copy of the original SHS file.
RCYCLDBN.DAT is a copy of the SCANREG.VBS file.
DBINDEX.VBS is set to be executed when ICQ is run.
- The script for mIRC is modified to call the file
SOUND32B.DLL which causes the worm to spread
through mIRC and PIRCH.
The worm sends an email to addresses listed in your MS Outlook
Address book. The email contains the LIFE_STAGES.TXT.SHS
attachment. The subject of the email is randomly generated and
can be one of twelve strings. It may or may not begin with "Fw:".
It will contain either "Life stages", "Funny" or "Jokes" and may or
may not be followed by "text". Examples would be "Fw: Life
stages", "Jokes text" or "Fw: Funny text". The worm immediately
deletes copies of the emails after they have been sent to ensure
there is no record of its presence.
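
The filtering advice above can be expressed as a mail-gateway check. The following is an added example, not part of the original alert: it flags any .SHS attachment, and additionally notes when the attachment name or subject matches the patterns described here. The function names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from itertools import product

# Subject grammar from the alert: optional "Fw: ", one of three words, optional " text".
SUBJECTS = {f"{p}{w}{s}".lower() for p, w, s in product(
    ("", "Fw: "), ("Life stages", "Funny", "Jokes"), ("", " text"))}

# Dropped-copy name: Rand1 + Rand2 + Rand3 + ".txt.shs"; Rand3 is range-checked below.
DROPPED = re.compile(
    r"^(IMPORTANT|INFO|REPORT|SECRET|UNKNOWN)[-_](\d{1,4})\.txt\.shs$", re.I)

def is_dropped_copy_name(name):
    m = DROPPED.match(name.strip())
    return bool(m) and 1 <= int(m.group(2)) <= 1000

def triage(raw_message):
    """Return the reasons to quarantine a message (empty list means pass)."""
    msg = message_from_string(raw_message)
    reasons = []
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        if name.lower().endswith(".shs"):
            reasons.append(f"SHS attachment: {name}")
            if name.upper() == "LIFE_STAGES.TXT.SHS" or is_dropped_copy_name(name):
                reasons.append("attachment name matches the alert")
    subject = " ".join((msg.get("Subject") or "").split()).lower()
    # A subject such as "Funny" is too common to act on without an SHS attachment.
    if reasons and subject in SUBJECTS:
        reasons.append("subject matches one of the twelve strings")
    return reasons

# Constructed sample message for illustration (not a captured one).
SAMPLE = """From: a@example.com
Subject: Fw: Funny text
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

hello
--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="LIFE_STAGES.TXT.SHS"

placeholder
--B--
"""
```

Calling triage(SAMPLE) returns three reasons; the same message with a non-SHS attachment returns none, even though its subject matches.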
Tulsa Computer Society
Don Singleton, President
djs@ionet.net