Life_Stages worm, aka IRC/Stages.worm, is a new Trojan that arrives as a
LIFE_STAGES.TXT.SHS attachment. Open it and you see a text file about the male
and female stages of life, but meanwhile a script is running in the
background. The virus spreads through Outlook, ICQ, mIRC and PIRCH. An SHS file
is a Microsoft Scrap Object file; it is executable and can contain a variety of
objects. The .SHS extension remains hidden in Windows even when all file
extensions are set to be displayed.
The worm modifies your system and adds SCANREG.VBS, VBASET.OLB and
MSINFO16.TLB to the \WINDOWS\SYSTEM folder. The registry key HKLM/Software/Microsoft/
Windows/CurrentVersion/RunServices/ScanReg is added to run SCANREG.VBS on
startup, and LIFE_STAGES.TXT.SHS is created in the \WINDOWS folder. A randomly
named file of the form Rand1+Rand2+Rand3.txt.shs, where Rand1 is one of IMPORTANT,
INFO, REPORT, SECRET or UNKNOWN, Rand2 is - or _, and Rand3 is a random number
between 1 and 1000, is created in the root folder of every mapped drive, in \My
Documents and in \WINDOWS\START MENU\PROGRAMS.
The worm also prevents registry editing by moving REGEDIT.EXE into the
Recycle Bin as a hidden system file named RECYCLED.VXD. In addition, MSRCYCLD.DAT,
RCYCLDBN.DAT and DBINDEX.VBS are created in the Recycle Bin as hidden system
files. MSRCYCLD.DAT is a copy of the original SHS file, RCYCLDBN.DAT is a copy of
the SCANREG.VBS file, and DBINDEX.VBS is set to be executed whenever ICQ is run.
Other modifications include a script for mIRC that calls SOUND32B.DLL; this
is how the worm spreads over mIRC and PIRCH. The worm also sends an infected
email to every contact in your Outlook Address Book. The subject is randomly
generated from one of 12 strings and may or may not begin with "Fw:".
The worm immediately deletes the copies of the emails it sent, so that no record
of its activity remains in your mailbox.
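The file names above are distinctive enough to search for. The following is an added example (not part of the original advisory, and not any vendor's tool) that labels the worm's fixed and randomly named droppers, its \WINDOWS\SYSTEM and \RECYCLED components, and any other scrap object it finds while walking a directory tree; the demo() tree and its file names are constructed for illustration.

```python
import os
import re
import tempfile
from typing import List, Optional, Tuple

# Fixed names the advisory attributes to the worm (Windows compares case-insensitively).
FIXED_DROPPER = "life_stages.txt.shs"
SYSTEM_DROPS = {"scanreg.vbs", "vbaset.olb", "msinfo16.tlb"}                       # \WINDOWS\SYSTEM
RECYCLED_DROPS = {"recycled.vxd", "msrcycld.dat", "rcycldbn.dat", "dbindex.vbs"}   # \RECYCLED
# Rand1 + Rand2 + Rand3 + .txt.shs; the 1..1000 range of Rand3 is checked in code.
RANDOM_DROPPER = re.compile(
    r"^(important|info|report|secret|unknown)[-_](\d+)\.txt\.shs$", re.IGNORECASE)

def classify(name: str) -> Optional[str]:
    # Label a filename as one of the worm's artifacts, or None if it is not one.
    lower = name.lower()
    if lower == FIXED_DROPPER:
        return "fixed-dropper"
    m = RANDOM_DROPPER.match(lower)
    if m and 1 <= int(m.group(2)) <= 1000:
        return "random-dropper"
    if lower in SYSTEM_DROPS:
        return "system-component"
    if lower in RECYCLED_DROPS:
        return "recycled-component"
    if lower.endswith(".shs"):
        # Any other scrap object is worth a look: Explorer hides the .shs
        # extension even when "hide extensions" is switched off.
        return "suspicious-shs"
    return None

def scan_tree(root: str) -> List[Tuple[str, str]]:
    # Walk a tree (e.g. every mapped drive) and return (path, label) for each hit.
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            label = classify(f)
            if label:
                hits.append((os.path.join(dirpath, f), label))
    return hits

def demo() -> List[str]:
    # Constructed sample tree of empty files (not real worm files); returns labels found.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "RECYCLED"))
        for name in ("LIFE_STAGES.TXT.SHS", "INFO-17.txt.shs", "notes.txt",
                     "SECRET_2000.txt.shs", os.path.join("RECYCLED", "MSRCYCLD.DAT")):
            open(os.path.join(root, name), "w").close()
        return [label for _, label in scan_tree(root)]
```

Run scan_tree() against the root of each mapped drive, \My Documents and \WINDOWS\START MENU\PROGRAMS to list what needs deleting; hidden files in \RECYCLED are still returned by os.walk.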
To remove the worm from your system you need to delete all .txt.shs files. In
addition, delete SCANREG.VBS, VBASET.OLB and MSINFO16.TLB from the
\WINDOWS\SYSTEM folder. To restore the Registry editor, open a command prompt
window and change to the \RECYCLED folder. Use ATTRIB to clear the hidden,
system and read-only attributes of the files created by the worm, for example
"attrib -h -s -r recycled.vxd" (without the quotes), and likewise for the others.
Copy RECYCLED.VXD to \WINDOWS\REGEDIT.EXE and then delete the four files the worm
placed in \RECYCLED.
Using REGEDIT, modify the registry as follows: delete HKLM/Software/Microsoft/
Windows/CurrentVersion/RunServices/ScanReg; delete the values Enable, Parameters,
Path and StartUp in HKEY_USERS/Default/Software/Mirabilis/ICQ/Agent/Apps/ICQ;
delete the value HKLM/Software/Microsoft/Windows/CurrentVersion/OSName.
Then modify the value of HKCR/regfile/DefaultIcon by replacing C:\RECYCLED\RECYCLED.VXD
with C:\WINDOWS\REGEDIT.EXE, and modify the value of HKCR/regfile/shell/open/command
in the same way. Do the same for HKLM/Software/CLASSES/regfile/shell/open/command
and, finally, for HKLM/Software/CLASSES/regfile/DefaultIcon, in each case replacing
C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.
And don't forget to visit your anti-virus vendor's site to get the latest
update. Better very safe than very sorry.