The worm sends an email to addresses listed in your Microsoft Outlook address book. The email contains the LIFE_STAGES.TXT.SHS attachment.
The subject of the email is randomly generated and can be one of twelve strings. In some, but not all, cases the subject begins with "Fw:". It will, in any case, contain one of the following:
In some cases, this is followed by the word "text." The following are examples of possible subject headings:
- Fw: Life stages
- Jokes text
- Fw: Funny text
As soon as the messages are sent, the worm deletes the copies of them so that there is no record of its presence.
Upon executing this worm, your system is modified as follows:
- The following files are created in the Windows\System folder:
- The Scanreg.vbs value is added to the following registry key:
This will run the next time the computer is started.
- The Life_Stages.txt.shs file is created in the \Windows folder.
- A randomly named file is added to the following locations:
- The root directory of all mapped drives
- The \My Documents folder
- The \Windows\Start Menu\Programs folder
This randomly named file is created using the format Random 1 + Random 2 + Random 3.txt.shs, where:
- Random 1 = Important, Info, Report, Secret, or Unknown
- Random 2 = - or _ (hyphen or underscore)
- Random 3 = a random number between 1 and 1000
For example, Report_439.txt.shs or Important-707.txt.shs.
- The Regedit.exe file is moved into the Recycle Bin as a hidden system file named Recycled.vxd.
- The following files are added to the Recycle Bin as hidden system files:
Msrycld.dat is a copy of the original .shs file. Rcycldbn.dat is a copy of the Scanreg.vbs file. Dbindex.vbs is set to be run when ICQ is run. The script for mIRC is modified to call the Sound32b.dll file, which causes the worm to spread through mIRC and PIRCH.
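The file names described above can be checked for in a directory listing. The following is an added example, not part of the original write-up: the function names `classify` and `scan` and the sample paths are assumptions made for illustration, and only the naming format and the Life_Stages.txt.shs name come from the text.

```python
import re
from pathlib import PureWindowsPath

# Naming format from the write-up: Random 1 + Random 2 + Random 3 + ".txt.shs".
# Windows file names are case-insensitive, so the match is too.
RANDOM_NAME = re.compile(
    r"(Important|Info|Report|Secret|Unknown)[-_](\d{1,4})\.txt\.shs",
    re.IGNORECASE,
)
# Fixed name the write-up gives for the attachment and the \Windows copy.
FIXED_NAMES = {"life_stages.txt.shs"}


def classify(path):
    """Return why a file name matches the write-up, or None if it does not."""
    name = PureWindowsPath(path).name
    if name.lower() in FIXED_NAMES:
        return "fixed name"
    m = RANDOM_NAME.fullmatch(name)
    # Random 3 is described as a number between 1 and 1000.
    if m and 1 <= int(m.group(2)) <= 1000:
        return "random-name format"
    return None


def scan(paths):
    """Map each matching path to the reason it matched."""
    hits = {}
    for p in paths:
        reason = classify(p)
        if reason:
            hits[p] = reason
    return hits


# Constructed sample listing (not taken from a real system).
SAMPLE = [
    r"C:\Windows\Life_Stages.txt.shs",
    r"C:\My Documents\Report_439.txt.shs",
    r"D:\Important-707.txt.shs",
    r"C:\My Documents\Report_439.txt",       # no .shs extension
    r"C:\My Documents\Secret_1001.txt.shs",  # number outside 1..1000
    r"C:\My Documents\Budget_12.txt.shs",    # prefix not in the list
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE).items():
        print(f"{reason:20} {path}")
```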
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":