Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement

 


VBS/STAGES WORM REPORTED IN IRC CHANNELS

Virus Name  : VBS/Stages

Alias             : I-Worm/Scrap, VBS.Stages

Virus type    : SHS, VBScript worm

Threat level : Low

Virus details :

                     VBS/Stages is a multi application Windows worm uses Microsoft outlook, mIRC, Pirch and mapped drives to spread. Because of the mass mailing routine it downs many e-mail servers.

                     The email message subject will be the mixture of "FW: ", "Life stages", "Funny", "Jokes", or "text". It uses a random number generator to get the mixture subject line. The message body will be " > The male and female stages of life". The attachment name will be "LIFE_STAGES.TXT.SHS" and the size will be 39,936 bytes.

                      The attachment is a shellScrap Object file, .SHS extension won't visible to the user. It blinds the user to open the attachment as a normal text file. While opening the e-mail attachment, will display the following text using notepad.

--------------- BEGIN TEXT ---------------

- The male stages of life:

Age. Seduction lines.
17 My parents are away for the weekend.
25 My girlfriend is away for the weekend.
35 My fiancee is away for the weekend.
48 My wife is away for the weekend.
66 My second wife is dead.

Age. Favorite sport.
17 Sex.
25 Sex.
35 Sex.
48 Sex.
66 Napping.

Age. Definiton of a successful date.
17 Tongue.
25 Breakfast.
35 She didn't set back my therapy.
48 I didn't have to meet her kids.
66 Got home alive.


- The female stages of life:

Age. Favourite fantasy.
17 Tall, dark and hansome.
25 Tall, dark and hansome with money.
35 Tall, dark and hansome with money and a brain.
48 A man with hair.
66 A man.

Age. Ideal date.
17 He offers to pay.
25 He pays.
35 He cooks breakfast next morning.
48 He cooks breakfast next morning for the kids.
66 He can chew his breakfast.

--------------- END TEXT ---------------

                     The worm will copy its code in the all mapped drives with random names and with the following fixed file names

c:\WINDOWS\SYSTEM\SCANREG.VBS
c:\WINDOWS\SYSTEM\VBASET.OLB
c:\WINDOWS\SYSTEM\MSINFO16.TLB
c:\RECYCLED\DBINDEX.VBS
c:\RECYCLED\MSRCYCLD.DAT
c:\RECYCLED\RCYCLDBN.DAT
c:\RECYCLED\RECYCLED.VXD - Original REGEDIT.EXE

                     Then it will do registry modifications to load it automatically when the system is restarted. It also changes the ICQ, mIRC, Pirch settings. The mass mailer routine will e-mail the worm to all addresses stored in Microsoft Outlook. Before removing the worm, the following registry modifications should be done.

Delete the following keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
ScanReg="C:\WINDOWS\WSCRIPT.EXE C:\WINDOWS\SYSTEM\SCANREG.VBS"

If ICQ is installed in your system, you should delete the following too.

HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
Parameters="C:\RECYCLED\DBINDEX.VBS"

HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
Path="C:\WINDOWS\WSCRIPT.EXE"

HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
Startup="C:\WINDOWS"

Copy REGEDIT.VXD from RECYCLED folder to C:\WINDOWS\REGEDIT.EXE. Then change the registry keys shown below.

HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\DefaultIcon
Value "@"="C:\WINDOWS\regedit.exe,1"

HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command
Value "@"="regedit.exe "%1""

How can I protect my system?

                   Solo has incorporated Stages worm in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this worm. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this worm?

                   If you are already infected with this worm, you can remove it from your computer using Solo Antivirus software. Solo antivirus can detect and remove VBS/Stages safely. Use the following link to Download 30 day trial version of Solo antivirus [1670 KB] to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link