Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: LOW
Payload:
Detection files published: 18 Jun 2000 03:00:00
Description created: 18 Jun 2000 03:00:00
Description updated: 16 Nov 2004 05:04:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL, IRC
Summary: None

VBS/Stages.A@mm.Worm

Spreading

VBS/Stages spreads by email (Microsoft Outlook) and IRC (mIRC and Pirch).

The email's subject is generated from the following words: 'FW', 'Life Stages', 'Jokes', 'text' and 'Funny'.

The .SHS extension of the attachment's scrap file is not shown in MS Outlook, so a user may believe it is a text file.

When this file is executed it will start Notepad and open a text file containing a joke.

It then modifies the Registry to run the infected file at every Windows startup:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanReg"="C:\WINDOWS\WSCRIPT.EXE C:\WINDOWS\SYSTEM\SCANREG.VBS"

and every time ICQ is loaded:

[HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ]
"Parameters"="C:\RECYCLED\DBINDEX.VBS"
"Path"="C:\WINDOWS\WSCRIPT.EXE"
"Startup"="C:\WINDOWS"

After this it sends a copy of itself to the first 100 entries in the infected user's address book. It also drops files with random names on all available drives (both local and network drives).

Payload Details

When executed it will move Regedit.exe to the Recycle Bin and rename it to Recycled.vxd.

Analysis

n/a

Removal

To remove this virus it is necessary to remove or change some entries in the Registry and delete some files. Follow one of the procedures below to reset the Registry settings:

Automatic modification of Registry settings

Run Lumension Malware Cleaner as described below.

Non-automatic modification of Registry settings

1. Click Start|Run and type Regedit.
2. Go to [HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\DefaultIcon] and change the value from "C:\RECYCLED\RECYCLED.VXD,1" to "C:\WINDOWS\regedit.exe,1".
3. Do the same for [HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command].
4. Go to [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] and delete the entry "ScanReg"="C:\WINDOWS\WSCRIPT.EXE C:\WINDOWS\SYSTEM\SCANREG.VBS".
5. Go to [HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ] and delete the following entries:
   "Parameters"="C:\RECYCLED\DBINDEX.VBS"
   "Path"="C:\WINDOWS\WSCRIPT.EXE"
   "Startup"="C:\WINDOWS"
6. You must get a copy of Regedit.exe from another computer (C:\Windows\Regedit.exe) and copy this file to the C:\Windows folder.
7. Restart the computer and delete all infected files.

If you used the automatic cleaning method described above, you should get a copy of Regedit.exe from another computer (C:\Windows\Regedit.exe) and copy this file to the C:\Windows folder, to be able to edit the Registry at a later point in time.

The Visual Basic Script viruses rely on the association between .VBS files and Windows Scripting Host to execute.
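As an added example (not Lumension's cleaner and not code from this description), the following Python script reads a Regedit text export and reports the persistence entries and the regfile hijack listed above, which is what a responder would verify before and after the manual removal steps. It assumes the standard .reg export format (key paths in square brackets, values written as "name"="data" or @="data" with backslashes doubled inside string data); the unescaped form printed on this page is accepted too. Both sample exports are constructed, and the shell\open\command data string is a placeholder, since the description gives only the DefaultIcon value.

```python
"""Check an exported .reg file for the VBS/Stages registry indicators described above.

Added example, not Lumension's tool. Input is Regedit export text.
"""
import re

# Indicators taken from the description: (key path, value name, substring expected in the data).
# "@" denotes the key's default value. Comparison is case-insensitive.
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
     "ScanReg", "SCANREG.VBS"),
    (r"HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ",
     "Parameters", "DBINDEX.VBS"),
    (r"HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\DefaultIcon",
     "@", "RECYCLED.VXD"),
    (r"HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command",
     "@", "RECYCLED.VXD"),
]

KEY_RE = re.compile(r"^\[(.+)\]$")
# name (quoted or @), '=', quoted string data; backslash escapes are kept intact here
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*"((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Yield (key, value_name, string_data) for every string value in .reg export text."""
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1).strip()
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            name = value_match.group(1)
            name = "@" if name == "@" else name[1:-1]
            # undo .reg string escaping: \" -> " and \\ -> \ (unescaped page text is unaffected)
            data = value_match.group(2).replace('\\"', '"').replace("\\\\", "\\")
            yield current_key, name, data


def find_stages_indicators(text):
    """Return the (key, name, data) triples in the export that match a known indicator."""
    hits = []
    for key, name, data in parse_reg(text):
        for ind_key, ind_name, ind_data in INDICATORS:
            if (key.lower() == ind_key.lower()
                    and name.lower() == ind_name.lower()
                    and ind_data.lower() in data.lower()):
                hits.append((key, name, data))
    return hits


# Constructed sample export reproducing the entries from the description.
# The shell\open\command data is a constructed placeholder.
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanReg"="C:\\WINDOWS\\WSCRIPT.EXE C:\\WINDOWS\\SYSTEM\\SCANREG.VBS"

[HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ]
"Parameters"="C:\\RECYCLED\\DBINDEX.VBS"
"Path"="C:\\WINDOWS\\WSCRIPT.EXE"
"Startup"="C:\\WINDOWS"

[HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\DefaultIcon]
@="C:\\RECYCLED\\RECYCLED.VXD,1"

[HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command]
@="C:\\RECYCLED\\RECYCLED.VXD %1"
'''

# Constructed sample export from a machine with the clean regedit.exe association.
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\DefaultIcon]
@="C:\\WINDOWS\\regedit.exe,1"
'''

if __name__ == "__main__":
    for key, name, data in find_stages_indicators(INFECTED_EXPORT):
        print(f"[{key}] {name} = {data}")
    print("clean export hits:", find_stages_indicators(CLEAN_EXPORT))
```

The ICQ Path and Startup values are deliberately not treated as indicators on their own, since a WSCRIPT.EXE path is not unique to this worm; only the Parameters value pointing at DBINDEX.VBS is. After the removal steps, running the check again on a fresh export should return no hits.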


Last Updated: 12 Nov 2015 11:06:10