AntiVirus Research Center

"The Sun Never Sets on SARC"


June 2000 Newsletter


Top Threats



The following is a list of the top viruses, trojans and worms reported to SARC's regional offices during the last month.

Asia Pacific








New Virus Hoaxes reported to Symantec

Virus Business

Welcome to June's newsletter. Already we are halfway through the year, and it's safe to say that VBS has become popular with virus and worm authors. I suppose it's a logical step across from Visual Basic in an MS Office environment to VBScript in MS Outlook and Outlook Express.

The VBS.Timofonica worm was interesting, not a real threat, more a potential annoyance for mobile phone users and was mistakenly reported as being able to infect mobile phones.

As the newsletter is going out VBS.Stages.A is spreading, mainly in the USA and Europe so now is a good time to update your virus definitions.

David Banes

Note: VBS.Stages.A Category 4 Virus Alert

Viruses in the News

Moderate [3]


W97M.Stand is an MS Word macro virus with a variable payload. Under the right conditions it tries to delete all of the files from your C, D and E drives using the deltree command.

Repair the infected files with Norton AntiVirus. Delete kill.bat, autoexec.kil and stand.log from C:\ if they exist. Remove the strings that were added to C:\Autoexec.bat.
by: Gor Nazaryan

Severe [4]


W97M.Melissa.BG is a Word 97 macro virus that has a payload of deleting necessary system files. It also sends itself out through e-mail using Microsoft Outlook. The subject of the e-mail is "Resume - Janet Simons".

Although NAV can repair the inserted files, you can safely delete C:\Data\ and C:\WINDOWS\Start Menu\Programs\StartUp\Explorer.doc.
by: Douglas Knowles

Worms in the News

Moderate [4]



VBS.Stages.A. This worm appears as an attachment titled LIFE_STAGES.TXT.SHS. Execution of this attachment will open a text file in Notepad displaying the male and female stages of life. While the user is reading the text file the script is executing in the background. This worm spreads itself using Outlook, ICQ, mIRC and PIRCH. SARC suggests that corporate customers configure their email filtering systems to filter out or stop all incoming emails that have attachments with .SHS extensions.
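
One way to express the .SHS filtering rule suggested above, as an added example that is not part of the newsletter or of any Symantec product: a Python check that parses a message and flags attachments whose final extension is .shs, including the LIFE_STAGES.TXT.SHS double-extension pattern. The function names, the decoy-extension list and the sample message are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions to stop at the gateway; .shs is the one the newsletter names.
BLOCKED_EXTENSIONS = {".shs"}
# Extensions a reader takes as harmless (assumed list); used only for reporting.
DECOY_EXTENSIONS = {".txt", ".doc", ".jpg", ".gif"}

def split_extensions(filename):
    """Return lowercase extensions, last one first, e.g. ['.shs', '.txt']."""
    # Windows drops trailing dots and spaces, so "a.shs. " still opens as .shs.
    name = filename.strip().rstrip(". ").lower()
    return ["." + p.strip() for p in reversed(name.split(".")[1:]) if p.strip()]

def check_message(raw_bytes):
    """Return (filename, reason) pairs for attachments that should be stopped."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        exts = split_extensions(filename)
        if not exts or exts[0] not in BLOCKED_EXTENSIONS:
            continue
        if len(exts) > 1 and exts[1] in DECOY_EXTENSIONS:
            reason = "blocked extension hidden behind decoy " + exts[1]
        else:
            reason = "blocked extension " + exts[0]
        findings.append((filename, reason))
    return findings

def build_sample():
    """Constructed test message with harmless placeholder attachment bodies."""
    msg = EmailMessage()
    msg["Subject"] = "constructed test message"
    msg.set_content("body text")
    msg.add_attachment(b"\x00", maintype="application",
                       subtype="octet-stream", filename="LIFE_STAGES.TXT.SHS")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()
```
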

You must delete all .txt.shs files from your system. Also delete SCANREG.VBS, VBASET.OLB and MSINFO16.TLB from the \WINDOWS\SYSTEM directory. You will need to restore the registry using regedit. To do this, first open a command prompt and change to the \RECYCLED directory. Using the attrib command, modify the settings of the files which the worm creates there. The command would be attrib -hsr recycled.vxd and so on for each of these files. Copy RECYCLED.VXD as \WINDOWS\REGEDIT.EXE and then delete the 4 files you modified.

Using regedit make the following modifications to the registry:

  • Delete the value HKLM/Software/Microsoft/Windows/RunServices/Scanreg.
  • Delete the values Enable, Parameters, Path and StartUp in the key HKEY_USERS/.Default/Software/Mirabilis/ICQ/Agent/Apps/ICQ.
  • Delete the value HKLM/Software/Microsoft/Windows/CurrentVersion/OSName.
  • Modify the value for HKCR/regfile/DefaultIcon by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.
  • Modify the value for HKCR/regfile/shell/open/command by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.
  • Modify the value for HKLM/Software/CLASSES/regfile/shell/open/command by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.
  • Modify the value for HKLM/Software/CLASSES/regfile/DefaultIcon by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.
by: Brian Ewell


Low [2]



VBS.Timofonica. This is a Visual Basic Script worm which was detected by Norton AntiVirus as VBS.NewLove.A; we subsequently updated the virus definitions to name it correctly. The worm replicates by mailing itself using MS Outlook and attempts to send messages to the MovieStar service.

You must complete the following steps to manually remove this worm from your system:

  • Search your system for files named TIMOFONICA.TXT and delete them. The default location for these files is C:\.
  • Search your system for the file CMOS.COM and delete it. This file should be in your \WINDOWS\SYSTEM directory.
  • Using regedit make the following modifications to the registry:
      1. Delete the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Cmos
      2. Delete the key HKCU\Software\Microsoft\Windows\CurrentVersion\Timofonica
      3. Set the value of the key HKLM\Software\Classes\VBSFile\Shell\Open\Command to C:\WINDOWS\WScript.exe "%1" %*. For clarity, the characters are double-quote, percent sign, numeral one, double-quote, space, percent sign, asterisk.
  • Within Outlook, enable the option to save copies of messages into the Sent folder.
by: Brian Ewell
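
A way to verify the registry clean-up steps given above for VBS.Stages.A and VBS.Timofonica, as an added example that is not part of the newsletter: a Python parser for a REGEDIT4 text export that reports any handler still pointing at RECYCLED.VXD, leftover values the steps say to delete, and a .vbs open command that differs from the stated one. Key paths are as printed in the newsletter with hive abbreviations expanded; the function names, the treatment of Cmos as a value under Run, and the sample export are assumptions.

```python
import re

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
# (key, value name) pairs the removal steps say to delete; Cmos assumed a value.
LEFTOVERS = [(r"hkey_local_machine\software\microsoft\windows\runservices", "scanreg"),
             (r"hkey_local_machine\software\microsoft\windows\currentversion", "osname"),
             (r"hkey_current_user\software\microsoft\windows\currentversion\run", "cmos")]
VBS_KEY = r"hkey_local_machine\software\classes\vbsfile\shell\open\command"
VBS_EXPECTED = r'C:\WINDOWS\WScript.exe "%1" %*'

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # \\ becomes \ and \" becomes "

def parse_reg(text):
    """Parse string values of a REGEDIT4 export into {key: {name: data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # dword: and hex: values do not match the pattern and are skipped
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name.lower()] = unescape(m.group(2))
    return keys

def audit(keys):
    """Return (key, value name, problem) tuples for remaining worm changes."""
    findings = []
    for key, values in keys.items():
        for name, data in values.items():
            if "recycled.vxd" in data.lower():
                findings.append((key, name, "points at RECYCLED.VXD"))
    for key, name in LEFTOVERS:
        if name in keys.get(key, {}):
            findings.append((key, name, "should have been deleted"))
    vbs = keys.get(VBS_KEY, {}).get("@")
    if vbs is not None and vbs.lower() != VBS_EXPECTED.lower():
        findings.append((VBS_KEY, "@", "unexpected .vbs open command"))
    return findings

# Constructed export for illustration, not taken from an infected machine.
SAMPLE = r'''REGEDIT4
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="C:\\RECYCLED\\RECYCLED.VXD \"%1\""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\RunServices]
"Scanreg"="C:\\WINDOWS\\SYSTEM\\SCANREG.VBS"
[HKEY_LOCAL_MACHINE\Software\Classes\VBSFile\Shell\Open\Command]
@="C:\\WINDOWS\\WScript.exe \"%1\" %*"
'''
```
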

Trojans in the News

Moderate [3]



PWSteal.Trojan is a trojan which attempts to steal login names and passwords. These passwords are often sent to an anonymous email address. This trojan is still one of the most commonly reported password stealing threats we see.

If your computer is infected with the PWSteal.Trojan (also known as MINE, AOL.Trojan, AOL.PWSteal, and, it may exhibit one or more of the following symptoms:

  • When you log on to AOL, you are prompted for your password twice.
  • The logon process takes much longer than expected.
  • If your speakers are turned on, you hear the announcement "Download Succeeded".
  • Email is sent to everyone in your Buddylist over and over again while you are online and everyone in your address book is emailed when you log off. The email contains a .zip file attachment that may be named Hey,, or (where xx represents a number).
  • You can no longer run Sysedit or Notepad to view your system configuration files.
  • Windows will not shut down, or appears to stop responding during shut down.

To remove this trojan, follow the following link to our service and support web site:

Microsoft Patch Available for "Office 2000 UA Control" Vulnerability

The following information is a synopsis of the information published in the Microsoft Security Bulletin MS00-034, which is available on the Microsoft TechNet web site at:

Symantec recommends that users read this bulletin carefully and download and install the appropriate patch.

Microsoft has released a patch that eliminates a vulnerability in Microsoft® Office 2000 and Office 2000 family products. This vulnerability might allow a malicious web site developer to cause inappropriate action to occur on the computer of a user who visited his web site.

For more information see:

Microsoft Security Bulletin MS00-034
Frequently Asked Questions: Microsoft Security Bulletin MS00-034
Microsoft Knowledge Base (KB) article Q262767 discusses this issue and will be available soon.
by: Patrick Martin

SARC AntiVirus News Update is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.


All information contained in this newsletter is accurate and valid as of the date of issue.

Copyright © 1996-2000 Symantec Corporation. All rights reserved.