PC Hell: VBS Stages worm - Life_stages.txt Virus Removal Instructions

VBS Stages.A Virus
(Life_Stages.txt.shs file)
How to Detect it and Remove It

What is the VBS.Stages worm?

VBS.Stages.A is an Internet worm that arrives via an email attachment similar to the ILoveYou, Happy99, PrettyPark, and Sillyworm file attachments. However, the file extension is not .vbs its .shs. This is a "scrap" object created in Windows by dragging information from a program to the desktop. This action creates a scrap file with an .SHS extension. The file name is LIFE_STAGES.TXT.SHS. However, most systems won't show the .SHS file extension even if the system is configured to show all extensions. This tends to fool users into thinking its a harmless text file instead of an active worm. By right-clicking on the file and choosing Properties, a user can see the .SHS file extension.

How Does the Worm Activate?

When someone opens the LIFE_STAGES.TXT.SHS file, it opens notepad and displays the following joke about the different stages of life for females and males.

vbs_stages.gif (10505 bytes)

While the user is reading this joke, the worm installs itself into the infected computer. It creates the following registry entry, so that is runs at Windows startup.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ScanReg="C:\windows\wscript.exe

c:\windows\system\scanreg.vbs"

It drop the scanreg.vbs file into the c:\windows\system directory and creates registry entries to activate when ICQ is loaded. To spread via IRC channels, it creates the file SOUND32B.DLL called by MIRC. This allows the worm to spread via IRC channels, as well as email.

It also sends the virus via email to all addresses in the infected computer's address book.

Finally, it deletes the file REGEDIT.EXE and moves it to the Recycle Bin with the name RECYCLED.VXD. This makes it hard to remove the worm because you can't edit the windows registry.

VBS.Stages.A also creates files with random names in the system and all available drives using the following fixed names:

c:\WINDOWS\machine name.acl
c:\WINDOWS\SYSTEM\MSINFO16.TLB (exact copy of original SHS file)
c:\WINDOWS\SYSTEM\SCANREG.VBS
c:\WINDOWS\SYSTEM\VBASET.OLB
c:\RECYCLED\DBINDEX.VBS
c:\RECYCLED\MSRCYCLD.DAT (exact copy of original .shs file)
c:\RECYCLED\RCYCLDBN.DAT (exact copy of scanreg.vbs)
c:\RECYCLED\RECYCLED.VXD (really REGEDIT.EXE)

Examples of random names generated are the following:
c:\report.txt.shs
c:\My Documents\IMPORTANT.TXT.SHS
c:\WINDOWS\LIFE_STAGES.TXT.SHS
c:\WINDOWS\Start Menu\Programs\unknown_805.txt.shs

In the creation of the random named SHS files, the virus uses the following algorithm to determine a name:
(Random1+Random2+Random3)+TXT+SHS.

Random1 is a selection of one of five choices:
"IMPORTANT", "INFO", "REPORT", "SECRET", "UNKNOWN"

Random2 is a selection of one of two choices:
"-" or "_"

Random3 is a randomly generated number between 0 and 999.

How to Clean/Delete the VBS.Stages worm

You must locate a copy of the REGEDIT.EXE file from the original Windows disks or another computer to be able to edit the windows registry and remove the worm. You may also download the file FIXSTAGE.EXE from the Trend Micro website to correct the registry ad remove the files dropped by the worm. This will not delete the actual virus but it will correct most of the damage done to the system.

The actual virus can be deleted by searching your system for file scanreg.vbs or quite frankly any other .vbs file type, and deleting it. VBS files are Visual Basic Scripts that may contain viruses.

For more information on the Life_Stages worm, visit the Norton Anti Virus page for detailed manual removal directions as well as an automatic removal program

Also visit my page on how to protect yourself from these email viruses