
VBS/STAGES WORM REPORTED IN IRC CHANNELS

VBS/Stages is a multi-application Windows worm that uses Microsoft Outlook, mIRC, Pirch and mapped drives to spread. Because of its mass-mailing routine, it brings down many e-mail servers.

The e-mail subject is a mixture of "FW: ", "Life stages", "Funny", "Jokes" or "text", assembled using a random number generator. The message body is " > The male and female stages of life". The attachment is named "LIFE_STAGES.TXT.SHS" and is 39,936 bytes in size.

The attachment is a Shell Scrap Object file. The .SHS extension is not visible to the user, which tricks the user into opening the attachment as if it were a normal text file. When the e-mail attachment is opened, it displays the following text in Notepad.

--------------- BEGIN TEXT ---------------

- The male stages of life:

Age. Seduction lines.
17 My parents are away for the weekend.
25 My girlfriend is away for the weekend.
35 My fiancee is away for the weekend.
48 My wife is away for the weekend.
66 My second wife is dead.

Age. Favorite sport.
17 Sex.
25 Sex.
35 Sex.
48 Sex.
66 Napping.

Age. Definiton of a successful date.
17 Tongue.
25 Breakfast.
35 She didn't set back my therapy.
48 I didn't have to meet her kids.
66 Got home alive.


- The female stages of life:

Age. Favourite fantasy.
17 Tall, dark and hansome.
25 Tall, dark and hansome with money.
35 Tall, dark and hansome with money and a brain.
48 A man with hair.
66 A man.

Age. Ideal date.
17 He offers to pay.
25 He pays.
35 He cooks breakfast next morning.
48 He cooks breakfast next morning for the kids.
66 He can chew his breakfast.

--------------- END TEXT ---------------

The worm copies its code to all mapped drives under random names, and also under the following fixed file names:

c:\WINDOWS\SYSTEM\SCANREG.VBS
c:\WINDOWS\SYSTEM\VBASET.OLB
c:\WINDOWS\SYSTEM\MSINFO16.TLB
c:\RECYCLED\DBINDEX.VBS
c:\RECYCLED\MSRCYCLD.DAT
c:\RECYCLED\RCYCLDBN.DAT
c:\RECYCLED\RECYCLED.VXD - Original REGEDIT.EXE

It then modifies the registry so that it is loaded automatically when the system is restarted. It also changes the ICQ, mIRC and Pirch settings. The mass-mailer routine e-mails the worm to all addresses stored in Microsoft Outlook. Before removing the worm, make the following registry modifications.

Delete the following keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
ScanReg="C:\WINDOWS\WSCRIPT.EXE C:\WINDOWS\SYSTEM\SCANREG.VBS"

If ICQ is installed in your system, you should delete the following too.

HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
Parameters="C:\RECYCLED\DBINDEX.VBS"

HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
Path="C:\WINDOWS\WSCRIPT.EXE"

HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
Startup="C:\WINDOWS"

Copy REGEDIT.VXD from the RECYCLED folder to C:\WINDOWS\REGEDIT.EXE. Then change the registry keys shown below.

HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\DefaultIcon
Value "@"="C:\WINDOWS\regedit.exe,1"

HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command
Value "@"="regedit.exe "%1""

How can I protect my system?

Fire has incorporated VBS/Stages into its virus signature file to help users affected by this worm detect and eliminate it from their systems. Fire anti-virus users can update this signature file from our web site.

How can I find out whether my system is infected?

You can check the system manually. This worm creates the files "SCANREG.VBS", "VBASET.OLB" and "MSINFO16.TLB" in the "C:\windows\system" folder. If the files are present in the folder, your PC is infected with this worm. A free utility to detect and clean this worm is available in the Download Center.
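The manual check above can be scripted. The following is an added example, not part of the original advisory or of the Fire product: it looks for the fixed file names listed earlier under a drive root, matching names case-insensitively. The function names, the "suspect" tier for partial traces, and the sample directory tree are assumptions made for illustration.

```python
import os
import tempfile

# Fixed file names listed in the advisory, relative to the drive root.
SYSTEM_FILES = ["WINDOWS/SYSTEM/SCANREG.VBS", "WINDOWS/SYSTEM/VBASET.OLB",
                "WINDOWS/SYSTEM/MSINFO16.TLB"]
RECYCLED_FILES = ["RECYCLED/DBINDEX.VBS", "RECYCLED/MSRCYCLD.DAT",
                  "RECYCLED/RCYCLDBN.DAT", "RECYCLED/RECYCLED.VXD"]

def resolve(root, rel):
    """Case-insensitive lookup of rel under root; returns the real path or None."""
    cur = root
    for part in rel.split("/"):
        try:
            names = os.listdir(cur)
        except OSError:          # missing or unreadable directory
            return None
        hit = next((n for n in names if n.upper() == part.upper()), None)
        if hit is None:
            return None
        cur = os.path.join(cur, hit)
    return cur if os.path.isfile(cur) else None

def scan_root(root):
    """Classify a drive root against the advisory's file indicators."""
    system = [r for r in SYSTEM_FILES if resolve(root, r)]
    recycled = [r for r in RECYCLED_FILES if resolve(root, r)]
    if len(system) == len(SYSTEM_FILES):
        status = "infected"      # the advisory's manual check
    elif system or recycled:
        status = "suspect"       # assumption: partial traces still need review
    else:
        status = "clean"
    return {"status": status, "system": system, "recycled": recycled}

def make_sample(rels):
    """Build a constructed directory tree of empty files for demonstration."""
    root = tempfile.mkdtemp()
    for rel in rels:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root

if __name__ == "__main__":
    demo = make_sample([r.lower() for r in SYSTEM_FILES] + ["RECYCLED/DBINDEX.VBS"])
    print(scan_root(demo))
```

Pass scan_root the root of the drive or of a mounted disk image. The script only reports file presence and does not examine the registry entries described above.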

To find other viruses, use our FireLite version. A free download of FireLite [ 1100KB ] is available to detect all viruses. If you find any virus, use the registered Windows version of Fire to remove it. To get the registered version of Fire, call us at 044-28170440, mail service@fireav.com, or purchase Fire online using
