Tuesday, January 29, 2008

Virus Name

IRC/Stages.worm

Aliases

I-Worm.Scrapworm

IRC/Stages.ini

LIFE_STAGES.TXT.SHS

ShellScrap Worm

VBS/LifeStages

VBS/Stages.14558

VBS/Stages.2542

VBS/Stages.worm

VBS_STAGES

This virus, technically a “worm”, infects a PC when the user opens the attached .SHS file. Files with the .SHS extension are “shell scrap object” files used by Microsoft OLE (Object Linking and Embedding) code; despite their harmless appearance they are executable, like .EXE files, and to our knowledge at this time should not normally be found anywhere on your PC or the network.

You can easily search for files with the .SHS extension. However, Windows systems are configured by default to hide the .SHS extension from view, even when the “show all file extensions” option in Windows Explorer has been selected. The Windows icon for .SHS files resembles the text-file icon, but it is yellow in the middle and has a ragged bottom edge. See the example below showing the LIFE_STAGES.TXT.SHS file selected:

To the best of our knowledge at this time, this virus does not intentionally disable a PC or its applications, or destroy graphics or other files. It does write copies of itself with the .TXT.SHS extension to every local and network drive to which it has “write” access. These files are randomly named from a set of choices (see the removal instructions below). It also renames REGEDIT.EXE to RECYCLED.VXD and places it in the Windows recycle bin.

HOW TO TELL IF YOUR SYSTEM HAS BEEN INFECTED

The simplest way to determine whether the ‘LIFE_STAGES’ virus is on your system, if you do not have the latest virus scan software and virus data files, is to do a file search for LIFE_STAGES.TXT.SHS:

1. Start by going to the START MENU

2. Select FIND\FILES OR FOLDERS

3. Enter ‘*.shs’ in the ‘NAMED’ box (without the quotes)

4. In the LOOK IN box, select either “C:” or “LOCAL HARD DRIVES” (this will depend on how many local hard drive partitions you have)

5. Select ‘FIND NOW’.

The files will be located in several directories. But if you find LIFE_STAGES.TXT.SHS, or other files with the .SHS extension like the ones listed below, anywhere on your system, you should assume your system is infected.

Other examples of files indicative of this virus infection (the words “SECRET”, “IMPORTANT”, “INFO”, “REPORT” and “UNKNOWN” are chosen at random and combined with numbers):

c:\report.txt.shs

c:\My Documents\IMPORTANT.TXT.SHS

c:\WINDOWS\LIFE_STAGES.TXT.SHS

c:\WINDOWS\Start Menu\Programs\unknown_805.txt.shs
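The *.shs search in steps 1 to 5 and the naming pattern above, scripted in Python as an added example (not part of the original post): it flags every shell-scrap file and separately recognises the worm's own naming scheme. The stems come from the list above; the optional `_<number>` suffix follows the unknown_805 example; the sample listing is constructed.

```python
import os
import re
from pathlib import PureWindowsPath

# Name stems the write-up lists for the dropped copies, optionally followed by
# "_<number>" (as in unknown_805), always with the double .TXT.SHS extension.
WORM_STEMS = ("LIFE_STAGES", "SECRET", "IMPORTANT", "INFO", "REPORT", "UNKNOWN")
WORM_NAME_RE = re.compile(
    r"^(?:%s)(?:_\d+)?\.txt\.shs$" % "|".join(WORM_STEMS), re.IGNORECASE)

def classify_path(path):
    """'worm' for a name matching the Stages dropper pattern, 'shs' for any
    other shell-scrap file (unexpected on a normal PC), '' otherwise."""
    name = PureWindowsPath(path).name  # Explorer hides .SHS; inspect the raw name
    if WORM_NAME_RE.match(name):
        return "worm"
    if name.lower().endswith(".shs"):
        return "shs"
    return ""

def triage(paths):
    """Group a file listing into worm copies and other .SHS files."""
    hits = {"worm": [], "shs": []}
    for p in paths:
        kind = classify_path(p)
        if kind:
            hits[kind].append(p)
    return hits

def scan_drive(root):
    """Walk a real drive (the scripted form of FIND > FILES OR FOLDERS, *.shs)
    and triage every file found; symlinks are not followed."""
    listing = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(listing)

# Constructed listing standing in for the search result on an infected PC.
SAMPLE_LISTING = [
    r"c:\report.txt.shs",
    r"c:\My Documents\IMPORTANT.TXT.SHS",
    r"c:\WINDOWS\LIFE_STAGES.TXT.SHS",
    r"c:\WINDOWS\Start Menu\Programs\unknown_805.txt.shs",
    r"c:\My Documents\budget.xls",
    r"c:\WINDOWS\Desktop\clip.shs",  # a genuine scrap object, still worth review
]

if __name__ == "__main__":
    for kind, files in triage(SAMPLE_LISTING).items():
        print(kind, files)
```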

IF YOU FIND ANY OF THE ABOVE LISTED FILES DO NOT OPEN OUTLOOK OR EXCHANGE UNTIL YOU HAVE COMPLETED THE FOLLOWING STEPS! IF OUTLOOK OR EXCHANGE IS CURRENTLY OPEN ON YOUR SYSTEM, CLOSE IT IMMEDIATELY (YOU ARE SENDING INFECTED MESSAGES).

HOW TO CLEAN YOUR SYSTEM

Removal of the following files should clean the virus from your system. We have tested this process on multiple systems.

1. Use FIND\FILES OR FOLDERS to find the infected files, using the same process you used above to find *.SHS

2. Press the CTRL+A keys to select all the files found by the search

3. Review the list of files. Make note of any that you will need to replace from backups or original copies. You may want to print this list before proceeding to the next step.

4. Press the DELETE key to remove the files, and select ‘YES’ in the ‘Confirm File Delete’ message

Once all files with the .SHS extension are removed, the following registry entries, which the virus modifies, should be repaired as follows (take great care with these instructions; mistakes in modifying your registry can be difficult or impossible to recover from; if you are uncomfortable with these procedures, seek appropriate help):

1. Get a copy of REGEDIT.EXE from another, uninfected computer that runs the same version of Windows that your PC does and copy it to C:\WINDOWS.

2. Click START|RUN. Type REGEDIT and hit ENTER key

3. In the left panel, click the "+" to the left of each of the following in turn:
HKEY_LOCAL_MACHINE, Software, Microsoft, Windows, CurrentVersion, RunServices

4. In the right panel, search for the registry key that contains the data value
"C:\WINDOWS\WSCRIPT.EXE C:\WINDOWS\SYSTEM\SCANREG.VBS".

5. In the right window, highlight the registry key that loads the file and press the DELETE key. Answer YES to delete the entry.

6. Repeat steps 2 to 4 using the following registry entry:
HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ
Look for the key that contains the data values
Parameters="C:\RECYCLED\DBINDEX.VBS", Path="C:\WINDOWS\WSCRIPT.EXE", and Startup="C:\WINDOWS"

7. Repeat steps 2 to 3 using the following registry entry:
HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\DefaultIcon
Look for the key that contains the data value "C:\RECYCLED\RECYCLED.VXD,1"

8. In the right window, double-click that registry key; an input box will pop up. Type C:\WINDOWS\regedit.exe,1 into this input box.

9. Repeat steps 6 to 8 using the following registry entry:
HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command

10. Exit the registry.

11. Click START|SHUTDOWN. Choose "Restart" and click OK.
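The registry check in steps 3 to 9, as an added example in Python (not part of the original post): it looks through the four locations named above for any data value that references one of the worm's files and reports exactly which entries need deleting or repairing. On Windows it can read the live registry through winreg; the infected-PC snapshot is constructed from the values quoted above, and its value names ("ScanReg", "(Default)") are placeholders the page does not give.

```python
# Worm files quoted in the cleanup steps; registry data naming any of them
# marks an entry the operator must delete or repair.
INDICATORS = ("SCANREG.VBS", "DBINDEX.VBS", "RECYCLED.VXD")

# (winreg hive constant name, subkey) for each location the procedure visits.
AUDIT_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKEY_USERS", r".DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ"),
    ("HKEY_LOCAL_MACHINE", r"Software\CLASSES\regfile\DefaultIcon"),
    ("HKEY_LOCAL_MACHINE", r"Software\CLASSES\regfile\shell\open\command"),
]

def audit_registry(snapshot):
    """snapshot: {'HIVE\\subkey': {value_name: data}} -> [(key, value_name, indicator)]."""
    findings = []
    for hive, subkey in AUDIT_KEYS:
        key = hive + "\\" + subkey
        for name, data in snapshot.get(key, {}).items():
            for ind in INDICATORS:
                if ind in str(data).upper():  # case-insensitive substring match
                    findings.append((key, name, ind))
    return findings

def snapshot_live_registry():
    """Windows only: read the audited keys with winreg; absent keys are skipped."""
    import winreg
    snap = {}
    for hive, subkey in AUDIT_KEYS:
        try:
            with winreg.OpenKey(getattr(winreg, hive), subkey) as k:
                count = winreg.QueryInfoKey(k)[1]  # number of values under the key
                vals = dict(winreg.EnumValue(k, i)[:2] for i in range(count))
        except OSError:
            continue
        snap[hive + "\\" + subkey] = vals
    return snap

# Constructed infected-PC snapshot from the values quoted above; value names are placeholders.
INFECTED_SNAPSHOT = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices":
        {"ScanReg": r"C:\WINDOWS\WSCRIPT.EXE C:\WINDOWS\SYSTEM\SCANREG.VBS"},
    r"HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ":
        {"Parameters": r"C:\RECYCLED\DBINDEX.VBS", "Path": r"C:\WINDOWS\WSCRIPT.EXE"},
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\DefaultIcon":
        {"(Default)": r"C:\RECYCLED\RECYCLED.VXD,1"},
}

if __name__ == "__main__":
    for key, name, ind in audit_registry(INFECTED_SNAPSHOT):
        print(f"{key} [{name}] -> {ind}")
```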

If you don’t clean up the infected messages, you may mistakenly open one in the future and re-infect your system.

DO NOT OPEN A MESSAGE TO DELETE IT!!!!!

1. Open Outlook

2. Go to the INBOX and delete all messages with the attachment LIFE_STAGES.TXT

Possible titles for these messages are:

“Fw: Funny”

“Fw: Jokes”

“Fw: Life Stages text”

“Fw: Jokes text”

“Life Stages”

“Funny”

“Jokes”

“Life Stages text”

“Funny text”

“Jokes text”

The text of these messages should be “> The male and female stages of life.”

3. Go to SENT ITEMS and delete all messages with the subject LIFE_STAGES.TXT

4. Check any additional folders in which you might have stored a LIFE_STAGES.TXT message and delete them

5. With your mouse, right-click on DELETED ITEMS and select ‘Empty “Deleted Items” Folder’. (Alternatively, if you need to keep any of your uninfected deleted messages, you can select only the infected messages and delete them.)

Your system should now be clean.
