VBS.Stages.A - Removal

Risk Level 2: Low


Discovered: June 16, 2000
Updated: February 13, 2007 11:59:32 AM
Also Known As: Bloodhound.VBS.Worm, IRC/Stages.worm [McAfee], VBS/Stages.gen@MM [McAfee], Life_Stages Worm, I-Worm.Scrapworm [Kaspersky], VBS_STAGES.A [Trend], VBS/Stages-A [Sophos], VBS.Stages [Computer Associate
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


SARC has developed a free, downloadable tool to repair the damage done by the worm. Please go to:

http://www.symantec.com/avcenter/venc/data/fix.vbs.stages.html

Download the tool to a folder on your hard disk and then double-click it to run the tool. Additional instructions are available on the download page.

What follows are instructions for manually removing the worm. In most cases we recommend that you download and run the previously mentioned removal tool. If you are not able to do so at this time, or if you prefer to use the manual removal procedure, please follow, in turn, the instructions in each section.

NOTE: Due to the large number of modifications made to the system by the worm, the procedure described in this document is complex and assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a qualified computer consultant.

Find and delete files
Please follow these steps to locate and remove some of the files that were added by the worm:
  1. Click Start, point to Find, and click Files or Folders.
  2. Make sure that Look In is pointing to C:, or All Drives if you have more than one.
  3. In the Named box, type *.shs and then click Find Now.
  4. In the Results pane, select any .txt.shs files and then press Delete. Click Yes to confirm.
  5. Click New Search.
  6. In the Named box, type scanreg.vbs vbaset.olb msinfo16.tlb and click Find Now.
  7. In the Results pane, select the displayed files (they should be in the \Windows\System folder) and press Delete. Click Yes to confirm.

Restore the Registry Editor
The worm moves the Registry Editor to the Recycle Bin and renames it. Please follow these steps to restore it:

NOTES:
  • When typing the fourth entry, if Windows is installed in a location other than C:\Windows, make the appropriate substitution when typing the path. If you are running Windows NT, the default path is C:\Winnt.
  • If you see the message "File not found," re-enter the command to make sure that it was entered correctly. If you still receive the message, go on to the next command.
  • If you are prompted to overwrite files, first make sure that you have typed the command correctly and then press Y.
  1. Click Start, point to Programs, and click MS-DOS Prompt.
  2. Type each of the following commands, and press Enter after each one:

    cd\
    cd recycled
    attrib -h -s -r *.*
    copy recycled.vxd c:\windows\regedit.exe
    del recycled.vxd
    del msrcycld.dat
    del rcycldbn.dat
    del dbindex.vbs
    exit

Edit the registry
Follow these steps to undo the changes made to the Windows registry by the worm:

CAUTION: We strongly recommend that you back up the Windows registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to Back Up the Windows Registry before proceeding.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and click OK. The Registry Editor opens.
  3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  4. In the right pane, locate and select the Scanreg value. Press Delete, and then click Yes to confirm.
  5. Navigate to and select the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\OSName

    NOTE: This key may not exist on all computers.
  6. If it exists, press Delete, and then click Yes to confirm.
  7. Navigate to the following key:

    HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps\ICQ
  8. In the right pane, locate and delete the following values:

    Enable
    Parameters
    Path
    StartUp
  9. Navigate to the following key:

    HKEY_CLASSES_ROOT\regfile\DefaultIcon
  10. In the right pane, double-click Default.
  11. In the Value data box, delete the current text and then type regedit.exe

    NOTE: If Windows is installed in a location other than C:\Windows, make the appropriate substitution when typing the path.
  12. Click OK.
  13. Navigate to the following key:

    HKEY_CLASSES_ROOT\regfile\shell\open\command
  14. In the right pane, double-click Default.
  15. In the Value data box, delete the current text, and then type regedit.exe

    NOTE: If Windows is installed in a location other than C:\Windows, make the appropriate substitution when typing the path.
  16. Click OK.
  17. Exit the Registry Editor.

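As an added illustration (not part of this writeup or of the Symantec fix tool), the following Python script checks a file listing and a regedit export for the indicators named in the sections above: the dropped files and .txt.shs attachments, the Scanreg and ICQ values, the OSName key, and the regfile handlers that must point back at regedit.exe. The sample listing and .reg text are constructed; the worm's actual value data is not given on this page.

```python
import re
# Indicators from the removal steps above; the sample data at the bottom is constructed.
WORM_FILES = {"scanreg.vbs", "vbaset.olb", "msinfo16.tlb", "recycled.vxd",
              "msrcycld.dat", "rcycldbn.dat", "dbindex.vbs"}
WORM_REG_VALUES = {  # lower-cased key path -> value names the worm adds there
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices": {"scanreg"},
    r"hkey_users\.default\software\mirabilis\icq\agent\apps\icq": {"enable", "parameters", "path", "startup"},
}
WORM_REG_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\osname"}
REGFILE_KEYS = {r"hkey_classes_root\regfile\defaulticon",  # default value must name regedit.exe
                r"hkey_classes_root\regfile\shell\open\command"}

def suspicious_files(paths):
    """Return paths whose file name is a dropped worm file or a .txt.shs attachment."""
    names = {p: p.replace("\\", "/").rsplit("/", 1)[-1].lower() for p in paths}
    return [p for p, n in names.items() if n in WORM_FILES or n.endswith(".txt.shs")]

def registry_indicators(reg_export):
    """Scan the text of a regedit export (.reg file) for the worm's registry changes."""
    findings, key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:  # start of a new key section
            key = m.group(1).lower()
            if key in WORM_REG_KEYS:
                findings.append(f"worm key present: {m.group(1)}")
        elif key and "=" in line:  # a value line inside the current key
            name, _, data = line.partition("=")
            name = name.strip('"').lower()  # "@" is the key's default value
            if name in WORM_REG_VALUES.get(key, ()):
                findings.append(f"worm value {name} under {key}")
            if key in REGFILE_KEYS and name == "@" and "regedit.exe" not in data.lower():
                findings.append(f"regfile handler hijacked: {key} -> {data}")
    return findings

# Constructed sample input: a file listing and a .reg export from an infected host.
SAMPLE_FILES = ["C:\\WINDOWS\\SYSTEM\\scanreg.vbs", "C:\\My Documents\\notes.txt",
                "C:\\RECYCLED\\msrcycld.dat", "C:\\TEMP\\sample.txt.shs"]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Scanreg"="C:\\WINDOWS\\SYSTEM\\scanreg.vbs"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OSName]
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="C:\\hijacked\\handler.vbs \"%1\""
[HKEY_CLASSES_ROOT\regfile\DefaultIcon]
@="regedit.exe,1"
'''
```

Run `suspicious_files(SAMPLE_FILES)` and `registry_indicators(SAMPLE_REG)` to see the three dropped files and the three registry findings; the DefaultIcon entry, which already names regedit.exe, produces none.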

Writeup By: Brian Ewell