Mumbai-Central.com

Where Mumbaikars meet

Top: nukkad: archive: Thread Index

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Detailed Information on this new virus..

To: nagpurcity@egroups.com, nukkad bombay mailing list <nukkad-list@mumbai-central.com>, "'RKNEC 1998'" <rknec1998@egroups.com>, "'RKNEC'" <ramians@egroups.com>, Vikram Malani <vikrammalani@hotmail.com>, sam <shakesam@nagpur.dot.net.in>, Nakul Malani <nakul@nagpur.dot.net.in>
Subject: Detailed Information on this new virus..
From: "Pratap Malani, Gurgaon" <pratap@ggn.hcltech.com>
Date: Tue, 20 Jun 2000 00:43:47 -0400 (EDT)
Delivered-To: nukkad-arc@mumbai-central.com
Delivered-To: nukkad-list@mumbai-central.com
Old-Date: Tue, 20 Jun 2000 10:09:03 +0530
Old-X-Envelope-To: <nukkad-list@mumbai-central.com>
Old-X-Envelope-To: nukkad-list
Organization: Mumbai Central
Resent-Date: Tue, 20 Jun 2000 11:52:11 -0400 (EDT)
Resent-From: nukkad-list@mumbai-central.com
Resent-Message-ID: <q8QgP.A.0y.rM5T5@epsilon.pair.com>
Resent-Sender: nukkad-list-request@mumbai-central.com
Sender: hchhaya@epsilon.pair.com

----------------------------------------------------------------------------
Tip of the day:  Include your e-mail address in all your messages.
----------------------------------------------------------------------------

-----Original Message-----
From:	Sudhir Paliwal 
Sent:	Tuesday, June 20, 2000 09:42
Subject:	Detailed Information on this  new virus..

VBS.Stages.A
This worm appears as an attachment titled LIFE_STAGES.TXT.SHS. Execution of
this attachment will open a text file in Notepad displaying the male and
female stages of life. Whilst the user is reading the text file the script
is executing in the background. This worm spreads itself using Outlook, ICQ,
mIRC and PIRCH. SARC suggests that corporate customers configure their email
filtering systems to filter out or stop all incoming emails that have
attachments with .SHS extensions. 
Also known as : IRC/Stages.worm, Life_Stages Worm, VBS_Stages.A 
Category : Worm 
Infection length : 39,936 bytes 
Virus definitions: June 16, 2000 
Threat assessment :
Wild :  High 	Damage :  Low 	Distribution :High <<...>> 
Wild 
*	Number of infections : 50-999 
*	Number of sites : More than 10 
*	Geographical distribution : High 
*	Threat containment : Easy 
*	Removal : Difficult 
Damage 
*	Payload trigger Execution of the LIFE_STAGES.TXT.SHS attachment 
*	Payload 
*	Large sale e-mailing : Sends mail to entire MS Outlook address book 
*	Modifies files : System registry, Regedit.exe 
*	Causes system instability Could overload mail servers 
Distribution 
*	Subject of e-mail : There are 12 possibilities for the subject of
the email 
*	Name of attachmentLIFE_STAGES.TXT.SHS 
*	Size of attachment 39,936 bytes 
*	Shared drives Copies itself to mapped drives 
Technical description 
An SHS file is a Microsoft Scrap Object file. These types of files are
executable and can contain a wide variety of objects. The scrap object (SHS)
extension does not appear in Windows Explorer even if all file extensions
are displayed. Upon executing this worm, your system is modified in many
different ways: 
*	SCANREG.VBS, VBASET.OLB AND MSINFO16.TLB are dropped into the
\WINDOWS\SYSTEM directory. 
*	The registry key
HKLM/Software/Microsoft/Windows/CurrentVersion/RunServices/ScanReg is added
to run the SCANREG.VBS file upon startup. 
*	LIFE_STAGES.TXT.SHS is dropped into the \WINDOWS directory. 
*	A randomly named file in the format of Rand1+Rand2+Rand3.txt.shs
where Rand1 = IMPORTANT, INFO, REPORT, SECRET, or UNKNOWN and Rand2 = - or _
and Rand3 = a random number between 1 and 1000 is dropped into the root
directory of all mapped drives, into \My Documents and into \WINDOWS\START
MENU\PROGRAMS. For example, report_439.txt.shs or IMPORTANT-707.TXT.SHS. 
*	The file regedit.exe is moved into the Recycle Bin as a hidden
system file named RECYCLED.VXD. 
*	MSRCYCLD.DAT, RCYCLDBN.DAT and DBINDEX.VBS are dropped into the
Recycled Bin as hidden system files. MSRYCLD.DAT is a copy of the original
SHS file. RCYCLDBN.DAT is a copy of the SCANREG.VBS file. DBINDEX.VBS is set
to be executed when ICQ is run. 
*	The script for mIRC is modified to call the file SOUND32B.DLL which
causes the worm to spread through mIRC and PIRCH. 
The worm sends an email to addresses listed in your MS Outlook Address book.
The email contains the LIFE_STAGES.TXT.SHS attachment. The subject of the
email is randomly generated and can be one of twelve strings. It may or may
not begin with "Fw:". It will contain either "Life stages", "Funny" or
"Jokes" and may or may not be followed by "text". Examples would be "Fw:
Life stages", "Jokes text" or "Fw: Funny text". The worm immediately deletes
copies of the emails after they have been sent to insure there is no record
of its presence

------------------------------------------------------------------------------
To Subscribe [Unsubscribe] send a blank message to 
        nukkad-list-request@mumbai-central.com 
with the word 'subscribe' ['unsubscribe'] (without quotes) in the Subject 
of your message.
The list is archived at  http://www.mumbai-central.com/nukkad/archive.html

Prev by Date: [nukkad] Vegetarianism: A Means to a Higher End
Next by Date: [nukkad] some info
Prev by thread: [nukkad] Vegetarianism: A Means to a Higher End
Next by thread: [nukkad] some info
Index(es):
- Date
- Thread

Subscribe to nukkad

Use the form below to subscribe or unsubscribe to the list.

[Prev Page][Next Page]

Main Index | Thread Index

Get notified about site updates
To get updates about the Mumbai-Central.com site via email (only 1-2 messages per month), sign up!

Created and maintained by us