Virus Alert
A newsletter from CNET Help.com
http://www.help.com/
June 19, 2000
***************************************************
Virus Alert: "VBS.Stages.A" Virus
There's a new and somewhat tricky virus making its way across the Net. The
VBS.Stages.A virus isn't spreading as rapidly as last month's "I Love You"
worm, nor is it terribly destructive. However, the new virus--which could
easily be mistaken for an innocent text file--isn't nearly as easy to spot.
According to Symantec, the worm appears as an email attachment titled
LIFE_STAGES.TXT.SHS, although the .SHS extension likely won't appear on your
system. The subject line changes randomly; examples include "Fw: Jokes
text," "Fw: Life stages text," and "Fw: Funny text." If you double-click the
file, you'll see what appears to be a simple forwarded joke detailing the
male and female "stages of life." In the background, however, the virus will
make some subtle (and relatively harmless) changes to your system and send
copies of itself to people in your Outlook contact list.
How to Protect Your System
First and foremost, never open an email attachment from an unknown source.
While most viruses come in the form of VBS attachments, the VBS.Stages.A
could easily be mistaken for a simple text file. Also, make sure you have
the very latest antivirus definitions; grab them from CNET Download.com
here:
http://2.digital.cnet.com/cgi-bin2/flo?y=epe0ipNY0Cv0Bfi8
How the Virus Works
(From Symantec)
An SHS file is a Microsoft Scrap Object file. These types of files are
executable and can contain a wide variety of objects. The scrap object (SHS)
extension does not appear in Windows Explorer even if all file extensions
are displayed. Upon executing this worm, your system is modified in the
following ways:
* SCANREG.VBS, VBASET.OLB and MSINFO16.TLB are created in the
\WINDOWS\SYSTEM directory.
* The registry key
HKLM/Software/Microsoft/Windows/CurrentVersion/RunServices/ScanReg is added
to run the SCANREG.VBS file upon startup.
* LIFE_STAGES.TXT.SHS is created into the \WINDOWS directory.
* A randomly named file with the .TXT.SHS extension is created into the root
directory of all mapped drives, into \My Documents and into \WINDOWS\START
MENU\PROGRAMS. The name of the file has three parts. The first part is
IMPORTANT, INFO, REPORT, SECRET, or UNKNOWN; the second part is a dash or an
underscore; and the third part is a random number between 1 and 1000.
Examples include report_439.txt.shs or IMPORTANT-707.TXT.SHS.
* The file regedit.exe is moved into the Recycle Bin as a hidden system file
named RECYCLED.VXD.
* MSRCYCLD.DAT, RCYCLDBN.DAT and DBINDEX.VBS are created into the Recycled
Bin as hidden system files. MSRCYCLD.DAT is a copy of the original SHS file.
RCYCLDBN.DAT is a copy of the SCANREG.VBS file. DBINDEX.VBS is set to be
executed when ICQ is run.
* The script for mIRC is modified to call the file SOUND32B.DLL which causes
the worm to spread through mIRC and PIRCH.
The worm sends an email to addresses listed in your MS Outlook Address book.
The email contains the LIFE_STAGES.TXT.SHS attachment. The subject of the
email is randomly generated and can be one of 12 strings. It may or may not
begin with "Fw:." It will contain either "Life stages," "Funny," or "Jokes"
and may or may not be followed by "text." Examples would be "Fw: Life
stages," "Jokes text" or "Fw: Funny text." The worm immediately deletes
copies of the emails after they have been sent to ensure there is no record
of its presence.
For a complete technical description of VBS.Stages.A, check out Symantec's
virus definition page:
http://2.digital.cnet.com/cgi-bin2/flo?y=epe0ipNY0Cv0ChJf
Get the latest antivirus definitions from CNET Download.com here:
http://2.digital.cnet.com/cgi-bin2/flo?y=epe0ipNY0Cv0Bfi8
****************************************************
Looking for more help with viruses? Try our Antivirus Help Directory,
a complete listing of books, tutorials, online courses, and more:
http://2.digital.cnet.com/cgi-bin2/flo?y=epe0ipNY0Cv0BfkB
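
The file names and subject lines listed in the advisory above, turned into a small checker for triaging a directory listing or a mail queue. This is an added example, not part of the newsletter or Symantec's write-up; the function names and the sample inputs are constructed for illustration.

```python
import re
from itertools import product

# Fixed file names the advisory lists as created, renamed or called by the worm.
FIXED_NAMES = {
    "LIFE_STAGES.TXT.SHS", "SCANREG.VBS", "VBASET.OLB", "MSINFO16.TLB",
    "RECYCLED.VXD", "MSRCYCLD.DAT", "RCYCLDBN.DAT", "DBINDEX.VBS",
    "SOUND32B.DLL",
}
# Randomly named copies: <word><dash or underscore><1..1000>.TXT.SHS
RANDOM_COPY = re.compile(
    r"(IMPORTANT|INFO|REPORT|SECRET|UNKNOWN)[-_](\d{1,4})\.TXT\.SHS",
    re.IGNORECASE,
)

def stages_subjects():
    """All 12 subjects: optional "Fw: ", one of three topics, optional " text"."""
    return {f"{fw}{topic}{tail}" for fw, topic, tail in product(
        ("", "Fw: "), ("Life stages", "Funny", "Jokes"), ("", " text"))}

def classify_name(filename):
    """Return why a bare file name matches the advisory, or None."""
    name = filename.strip()
    if name.upper() in FIXED_NAMES:
        return "fixed-name"
    m = RANDOM_COPY.fullmatch(name)
    if m and 1 <= int(m.group(2)) <= 1000:
        return "random-copy"
    if name.upper().endswith(".SHS"):
        return "scrap-object"  # extension Explorer hides; review by hand
    return None

def subject_matches(subject):
    """Case-insensitive match against the 12 generated subject lines."""
    wanted = {s.lower() for s in stages_subjects()}
    return subject.strip().lower() in wanted

if __name__ == "__main__":
    # Constructed sample input, not taken from a real system.
    for n in ["report_439.txt.shs", "IMPORTANT-707.TXT.SHS", "notes.txt",
              "INFO_1001.TXT.SHS", "scanreg.vbs", "holiday.shs"]:
        print(f"{n:24} {classify_name(n)}")
    for s in ["Fw: Funny text", "Jokes text", "Re: Funny"]:
        print(f"{s!r:24} {subject_matches(s)}")
```

A name match alone is a lead, not a verdict: confirm against the locations the advisory gives (\WINDOWS, \WINDOWS\SYSTEM, drive roots, the Recycle Bin) before acting on it.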
----- Original Message -----
From: bandi <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 20, 2000 12:02 PM
Subject: [MIKRODATA] Virus
Asking again:
My PC has just been infected with the "LIVE_STAGES.TXT.SHS" virus.
Has anyone else ever been hit by this virus?
How do I get rid of this virus?
Help me Please,