Discovered: June 16, 2000
Updated: February 13, 2007 11:59:32 AM
Also Known As: Bloodhound.VBS.Worm, IRC/Stages.worm [McAfee], VBS/Stages.gen@MM [McAfee], Life_Stages Worm, I-Worm.Scrapworm [Kaspersky], VBS_STAGES.A [Trend], VBS/Stages-A [Sophos], VBS.Stages [Computer Associate
Type: Worm
Systems Affected: Windows


Due to a decrease in submissions, this worm has been downgraded to a threat level 2 as of December 7, 2000.

This worm appears as an attachment named Life_stages.txt.shs. When you run the attachment it opens a text file in Notepad. The text file describes the male and female stages of life. While you are reading the text file, a script is running in the background. This worm spreads itself using Outlook, ICQ, mIRC, and PIRCH.

NOTE: An .shs file is a Microsoft Scrap Object file. These types of files are executable and can contain a wide variety of objects. The scrap object (.shs) extension does not appear in Windows Explorer even if all file extensions are displayed.

SARC suggests that corporate customers configure their email filtering systems to filter out or stop all incoming emails that have attachments with .shs extensions.


Antivirus Protection Dates

  • Initial Rapid Release version June 16, 2000
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version June 16, 2000
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date June 16, 2000


Writeup By: Brian Ewell

The worm sends an email to addresses listed in your Microsoft Outlook address book. The email contains the LIFE_STAGES.TXT.SHS attachment.
The subject of the email is randomly generated and can be one of twelve strings. In some, but not all, cases the subject begins with "Fw:". In any case, it contains one of the following:

  • Life stages
  • Funny
  • Jokes

In some cases, this is followed by the word "text." The following are examples of possible subject headings:
  • Fw: Life stages
  • Jokes text
  • Fw: Funny text

As soon as they are sent, the worm deletes copies of the messages so that there is no record of its presence.

Upon executing this worm, your system is modified as follows:
  • The following files are created in the Windows\System folder:
    • Scanreg.vbs
    • Vbaset.olb
    • Msinfo16.tlb
  • The Scanreg.vbs value is added to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

    This will run the next time the computer is started.
  • The Life_Stages.txt.shs file is created in the \Windows folder.
  • A randomly named file is added to the following locations:
    • The root directory of all mapped drives
    • The \My Documents folder.
    • The \Windows\Start Menu\Programs folder.
    This randomly named file is created using the format Random 1 + Random 2 + Random 3 + .txt.shs, where:
    • Random 1 = Important, Info, Report, Secret, or Unknown
    • Random 2 = - or _ (hyphen or underscore)
    • Random 3 = a random number between 1 and 1000

      For example, Report_439.txt.shs or Important-707.txt.shs.
  • The Regedit.exe file is moved into the Recycle Bin as a hidden system file named Recycled.vxd.
  • The following files are added to the Recycle Bin as hidden system files:
    • Msrcycld.dat
    • Rcycldbn.dat
    • Dbindex.vbs
      Msrcycld.dat is a copy of the original .shs file. Rcycldbn.dat is a copy of the Scanreg.vbs file. Dbindex.vbs is set to run when ICQ starts. The script for mIRC is modified to call the Sound32b.dll file, which causes the worm to spread through mIRC and PIRCH.
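The gateway filtering that the summary recommends, written out as an added example (this is not Symantec's code): it enumerates the twelve subject strings, matches the Life_stages.txt.shs attachment and the Random 1 + Random 2 + Random 3.txt.shs drop-file names, and blocks any .shs scrap object whatever its name. The sample messages, function names and verdict labels are assumptions.

```python
import re

# Subject line: optional "Fw: " prefix, one of three words, optional " text" suffix.
# 2 x 3 x 2 = 12 possible strings, matching the twelve the writeup describes.
SUBJECT_RE = re.compile(r"^(?:Fw: )?(?:Life stages|Funny|Jokes)(?: text)?$", re.IGNORECASE)
# Mailed attachment, and the drop files built as Random 1 + Random 2 + Random 3 + .txt.shs
# (Random 1 from the five words, Random 2 a hyphen or underscore, Random 3 from 1 to 1000).
ATTACHMENT_RE = re.compile(r"^life_stages\.txt\.shs$", re.IGNORECASE)
DROPFILE_RE = re.compile(r"^(?:Important|Info|Report|Secret|Unknown)[-_](?:[1-9]\d{0,2}|1000)\.txt\.shs$", re.IGNORECASE)

def all_subjects():
    # Enumerate every subject the worm can generate, for rule testing or a mail-log lookup.
    return [p + w + s for p in ("", "Fw: ") for w in ("Life stages", "Funny", "Jokes") for s in ("", " text")]

def classify_attachment(filename):
    # Scrap objects are executable and hide their extension in Explorer, so any .shs is
    # worth blocking even when the name does not match the worm's own patterns.
    if ATTACHMENT_RE.match(filename):
        return "stages-attachment"
    if DROPFILE_RE.match(filename):
        return "stages-dropfile"
    if filename.lower().endswith(".shs"):
        return "scrap-object"
    return "clean"

def classify_message(subject, attachments):
    # "block" on any .shs attachment; only "suspicious" when just the subject matches,
    # since the twelve strings are short enough to appear in legitimate mail.
    if any(classify_attachment(a) != "clean" for a in attachments):
        return "block"
    if SUBJECT_RE.match(subject):
        return "suspicious"
    return "allow"

# Constructed sample of gateway messages: (subject, [attachment names]).
SAMPLE_MESSAGES = [
    ("Fw: Life stages", ["Life_stages.txt.shs"]),
    ("Jokes text", ["Report_439.txt.shs"]),
    ("Fw: Funny text", []),
    ("Quarterly numbers", ["numbers.xls"]),
]

def triage(messages):
    # Return [(subject, verdict)] so the result can drive the gateway's quarantine rule.
    return [(subject, classify_message(subject, atts)) for subject, atts in messages]
```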


Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.



SARC has developed a free, downloadable tool to repair the damage done by the worm. Please go to:

http://www.symantec.com/avcenter/venc/data/fix.vbs.stages.html

Download the tool to a folder on your hard disk and then double-click it to run the tool. Additional instructions are available on the download page.

What follows are instructions for manually removing the worm. In most cases we recommend that you download and run the previously mentioned removal tool. If you are not able to do so at this time, or if you prefer to use the manual removal procedure, please follow, in turn, the instructions in each section.

NOTE: Due to the large number of modifications made to the system by the worm, the procedure described in this document is complex and assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a qualified computer consultant.

Find and delete files
Please follow these steps to locate and remove some of the files that were added by the worm:

  1. Click Start, point to Find, and click Files or Folders.
  2. Make sure that Look In is pointing to C:, or All Drives if you have more than one.
  3. In the Named box, type *.shs and then click Find Now.
  4. In the Results pane, select any .txt.shs files and then press Delete. Click Yes to confirm.
  5. Click New Search.
  6. In the Named box, type scanreg.vbs vbaset.olb msinfo16.tlb and click Find Now.
  7. In the Results pane, select the displayed files (they should be in the \Windows\System folder) and press Delete. Click Yes to confirm.

Restore the Registry Editor
The worm moves the Registry Editor to the Recycle Bin and renames it. Please follow these steps to restore it:

NOTES:
  • When typing the fourth entry, if Windows is installed in a location other than C:\Windows, make the appropriate substitution when typing the path. If you are running Windows NT, the default path is C:\Winnt.
  • If you see the message "File not found," re-enter the command to make sure that it was entered correctly. If you still receive the message, go on to the next command.
  • If you are prompted to overwrite files, first make sure that you have typed the command correctly and then press Y.
  1. Click Start, point to Programs, and click MS-DOS Prompt.
  2. Type each of the following commands, and press Enter after each one:

    cd\
    cd recycled
    attrib -h -s -r *.*
    copy recycled.vxd c:\windows\regedit.exe
    del recycled.vxd
    del msrcycld.dat
    del rcycldbn.dat
    del dbindex.vbs
    exit

Edit the registry
Follow these steps to undo the changes made to the Windows registry by the worm:

CAUTION: We strongly recommend that you back up the Windows registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to Back Up the Windows Registry before proceeding.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and click OK. The Registry Editor opens.
  3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  4. In the right pane, locate and select the Scanreg value. Press Delete, and then click Yes to confirm.
  5. Navigate to and select the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\OSName

    NOTE: This key may not exist on all computers.
  6. If it exists, press Delete, and then click Yes to confirm.
  7. Navigate to the following key:

    HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps\ICQ
  8. In the right pane, locate and delete the following values:

    Enable
    Parameters
    Path
    StartUp
  9. Navigate to the following key:

    HKEY_CLASSES_ROOT\regfile\DefaultIcon
  10. In the right pane, double-click Default.
  11. In the Value data box, delete the current text and then type regedit.exe

    NOTE: If Windows is installed in a location other than C:\Windows, make the appropriate substitution when typing the path.
  12. Click OK.
  13. Navigate to the following key:

    HKEY_CLASSES_ROOT\regfile\shell\open\command
  14. In the right pane, double-click Default.
  15. In the Value data box, delete the current text, and then type regedit.exe

    NOTE: If Windows is installed in a location other than C:\Windows, make the appropriate substitution when typing the path.
  16. Click OK.
  17. Exit the Registry Editor.
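An added triage helper (not Symantec's removal tool) that parses a .reg export and reports the registry indicators the steps above remove: the Scanreg entry under RunServices, the ICQ Agent values, and a regfile default that no longer points at regedit.exe. The sample export is constructed, and the data under the ICQ and regfile keys are placeholders, since the writeup only says what those entries must be reset to.

```python
import re

# Registry locations named in the removal steps above.
RUNSERVICES = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
ICQ_AGENT = r"HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps\ICQ"
REGFILE_KEYS = (r"HKEY_CLASSES_ROOT\regfile\DefaultIcon", r"HKEY_CLASSES_ROOT\regfile\shell\open\command")
ICQ_VALUES = ("Enable", "Parameters", "Path", "StartUp")

# Constructed .reg export of an infected machine. Data under the ICQ and regfile keys
# are placeholders; the writeup only says those entries must be deleted or reset.
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Scanreg"="C:\\WINDOWS\\SYSTEM\\Scanreg.vbs"
[HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps\ICQ]
"StartUp"="placeholder.vbs"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="C:\\WINDOWS\\placeholder.exe \"%1\""
'''

def parse_reg_export(text):
    # Parse REGEDIT4/5 text into {key: {value_name: data}}; "" names the (Default) value.
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)  # name=data; @ is (Default)
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif m and current is not None:
            name, data = ("" if m.group(1) == "@" else m.group(1)[1:-1]), m.group(2)
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: unescape \\ and \"
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data  # dword:/hex: data is kept as raw text
    return keys

def find_stages_indicators(keys):
    # One finding per persistence point or hijack listed in the removal steps.
    ci, found = {k.lower(): v for k, v in keys.items()}, []  # key names are case-insensitive
    for name, data in ci.get(RUNSERVICES.lower(), {}).items():
        if "scanreg" in name.lower() or "scanreg.vbs" in data.lower():
            found.append(f"RunServices value {name!r} runs {data}")
    hooks = [v for v in ICQ_VALUES if v in ci.get(ICQ_AGENT.lower(), {})]
    if hooks:
        found.append("ICQ Agent values set: " + ", ".join(hooks))
    for key in REGFILE_KEYS:
        default = ci.get(key.lower(), {}).get("")
        if default is not None and "regedit.exe" not in default.lower():
            found.append(f"{key} default no longer points at regedit.exe: {default}")
    return found
```

Run `find_stages_indicators(parse_reg_export(SAMPLE_EXPORT))` against an export taken with `regedit /e` before and after the manual steps; an empty list after cleanup confirms the registry part of the procedure.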

