Computer Virus Alert!

From: cfarrish@stratos.net
Date: Wed Aug 02 2000 - 20:21:09 EEST


Greetings, rp-ml@ltk.hut.fi

I thought you would be interested in knowing about this computer virus...

Virus Name: IRC/Stages.worm

Virus Characteristics:
*Update - June 28,2000:<br>
Detection/removal for the component identified as "VBS/Stages.27356" has
been added to 4084 .DAT.

*Update - June 19,2000:<br>
<i>AVERT has raised the ARA for this Internet worm from LOW to HIGH based
on the number of samples received. We recommend ensuring that .SHS file
extensions are included in all scanning programs.</i>

This is a multi-application Internet worm which is designed with intent to
spread using one of four spreading mechanisms. This worm takes advantage
of installations of Pirch, Outlook, mIRC, and also spreads to available
mapped drives.

This Internet worm was first announced on the author's website and has not
been seen at a customer site as of this description posting.

This worm may arrive by email in the following format:

Subject: [P1]+[P2]+[P3]<br>
Body: > The male and female stages of life.<br>
Attachment: <b>LIFE_STAGES.TXT.SHS</b>

In the above, the subject line is variable, but limited to 12 possible
combinations. P1, P2 & P3 are chosen from the respective lists below:

P1 -» "FW: ", ""<BR>
P2 -» "Life stages", "Funny", "Jokes"<BR>
P3 -» " text", ""

Examples:<br>
Subject = "Funny"<br>
Subject = "FW: Jokes text"<BR>
Subject = "Life stages"

The recipients are "blind carbon copied" or "bcc".

The attachment is 39,936 bytes and is a <u>Shell Scrap Object file</u>.
These files are the most unpredictable file type of all, since they can be
anything from an authentic file to a trojan application. In this case, the
file cannot be trusted.

<i>An interesting feature of SHS files is that <b>the extension remains
hidden</b>, even though the operating system is set to show file
extensions.</i> This helps to confuse the user into <u>believing the file
is really of .TXT file type</u>. Double-clicking on the file will install
this Internet worm in an interesting manner.

This SHS worm does contain content which is displayed while it installs
itself to the local host. The following text file is shown:

---------copy of displayed text--------<br>
- The male stages of life:

Age. Seduction lines.<br>
17 My parents are away for the weekend.<br>
25 My girlfriend is away for the weekend.<br>
35 My fiancee is away for the weekend.<br>
48 My wife is away for the weekend.<br>
66 My second wife is dead.<br>
<br>
Age. Favorite sport.<br>
17 Sex.<br>
25 Sex.<br>
35 Sex.<br>
48 Sex.<br>
66 Napping.<br>
<br>
Age. Definiton of a successful date.<br>
17 Tongue.<br>
25 Breakfast.<br>
35 She didn't set back my therapy.<br>
48 I didn't have to meet her kids.<br>
66 Got home alive.<br>
<br>
- The female stages of life:<br>
<br>
Age. Favourite fantasy.<br>
17 Tall, dark and hansome.<br>
25 Tall, dark and hansome with money.<br>
35 Tall, dark and hansome with money and a brain.<br>
48 A man with hair.<br>
66 A man.<br>
<br>
Age. Ideal date.<br>
17 He offers to pay.<br>
25 He pays.<br>
35 He cooks breakfast next morning.<br>
48 He cooks breakfast next morning for the kids.<br>
66 He can chew his breakfast.<br>
---------copy of displayed text--------

One significance of this exploitation of SHS files is that it raises
awareness to the fact that the extension is not shown, even if a system is
configured to "show all files" and "show extensions of known file types".

This is due to a registry entry for Shell Scrap file types:

HKEY_CLASSES_ROOT\ShellScrap<br>
"<b>NeverShowExt</b>"="0"

Users can correct this by either deleting the entry named "NeverShowExt"
or rename it to "AlwaysShowExt". If renaming the entry, user must log off
and log back into Windows for the change to take effect.

To check your system for this virus, and to learn how to protect yourself
from computer viruses, visit the McAfee PC Clinic at
http://clinic.mcafee.com.

This email was sent to you by Carol Farrish

For more information about the rp-ml, see http://ltk.hut.fi/rp-ml/



This archive was generated by hypermail 2.1.2 : Tue Jun 05 2001 - 23:04:01 EEST