From: CNET Virus Alert Dispatch <Cnet_Virus_Alert@2.digital.cnet.com>
To: bobtort@mediaone.net
Subject: Virus Alert: "Killer Resume"
Date: Mon, 19 Jun 2000 15:16:20 -0400 (EDT)

Virus Alert
A newsletter from CNET Help.com
http://www.help.com/
June 19, 2000

***************************************************

Virus Alert: "VBS.Stages.A" Virus

There's a new and somewhat tricky virus making its way across the Net. The VBS.Stages.A virus isn't spreading as rapidly as last month's "I Love You" worm, nor is it terribly destructive. However, the new virus--which could easily be mistaken for an innocent text file--isn't nearly as easy to spot.

According to Symantec, the worm appears as an email attachment titled LIFE_STAGES.TXT.SHS, although the .SHS extension likely won't appear on your system. The subject line changes randomly; examples include "Fw: Jokes text," "Fw: Life stages text," and "Fw: Funny text."

If you double-click the file, you'll see what appears to be a simple forwarded joke detailing the male and female "stages of life." In the background, however, the virus will make some subtle (and relatively harmless) changes to your system and send copies of itself to people in your Outlook contact list.

How to Protect Your System

First and foremost, never open an email attachment from an unknown source. While most viruses come in the form of VBS attachments, the VBS.Stages.A could easily be mistaken for a simple text file. Also, make sure you have the very latest antivirus definitions; grab them from CNET Download.com here:
http://2.digital.cnet.com/cgi-bin2/flo?y=epe0eWu70Cv0Bfij

How the Virus Works (From Symantec)

An SHS file is a Microsoft Scrap Object file. These types of files are executable and can contain a wide variety of objects. The scrap object (SHS) extension does not appear in Windows Explorer even if all file extensions are displayed.

Upon executing this worm, your system is modified in the following ways:

* SCANREG.VBS, VBASET.OLB and MSINFO16.TLB are created in the \WINDOWS\SYSTEM directory.
* The registry key HKLM/Software/Microsoft/Windows/CurrentVersion/RunServices/ScanReg is added to run the SCANREG.VBS file upon startup.
* LIFE_STAGES.TXT.SHS is created in the \WINDOWS directory.
* A randomly named file with the .TXT.SHS extension is created in the root directory of all mapped drives, in \My Documents and in \WINDOWS\START MENU\PROGRAMS. The name of the file has three parts. The first part is IMPORTANT, INFO, REPORT, SECRET, or UNKNOWN; the second part is a dash or an underscore; and the third part is a random number between 1 and 1000. Examples include report_439.txt.shs or IMPORTANT-707.TXT.SHS.
* The file regedit.exe is moved into the Recycle Bin as a hidden system file named RECYCLED.VXD.
* MSRCYCLD.DAT, RCYCLDBN.DAT and DBINDEX.VBS are created in the Recycle Bin as hidden system files. MSRCYCLD.DAT is a copy of the original SHS file. RCYCLDBN.DAT is a copy of the SCANREG.VBS file. DBINDEX.VBS is set to be executed when ICQ is run.
* The script for mIRC is modified to call the file SOUND32B.DLL, which causes the worm to spread through mIRC and PIRCH.

The worm sends an email to addresses listed in your MS Outlook Address book. The email contains the LIFE_STAGES.TXT.SHS attachment. The subject of the email is randomly generated and can be one of 12 strings. It may or may not begin with "Fw:". It will contain either "Life stages," "Funny," or "Jokes" and may or may not be followed by "text." Examples would be "Fw: Life stages," "Jokes text" or "Fw: Funny text." The worm immediately deletes copies of the emails after they have been sent to ensure there is no record of its presence.

For a complete technical description of VBS.Stages.A, check out Symantec's virus definition page:
http://2.digital.cnet.com/cgi-bin2/flo?y=epe0eWu70Cv0ChJH

Get the latest antivirus definitions from CNET Download.com here:
http://2.digital.cnet.com/cgi-bin2/flo?y=epe0eWu70Cv0Bfij

****************************************************

Looking for more help with viruses? Try our Antivirus Help Directory, a complete listing of books, tutorials, online courses, and more:
http://2.digital.cnet.com/cgi-bin2/flo?y=epe0eWu70Cv0Bfkl

*****************************************************

Copyright 2000 CNET Networks, Inc. All rights reserved.

------------------
Gloria Frazier
Macoupin County ILGenWeb County Coordinator
http://www.rootsweb.com/~ilmacoup/macoupin.htm
Maillists FRAZIER-L, ILMADISO-L
You MAY have descended from one of three brothers that came over from _____.
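
The attachment-name and subject-line patterns listed under "How the Virus Works" above can be turned into a mail-gateway triage check. This is an added example, not part of the original newsletter or Symantec's write-up; the function names, the three verdict labels and the sample messages are constructed for illustration.

```python
import re

# Dropped-copy names per the alert: IMPORTANT|INFO|REPORT|SECRET|UNKNOWN,
# then "-" or "_", then a number from 1 to 1000, then .TXT.SHS (any case).
DROPPED = re.compile(
    r"(?:IMPORTANT|INFO|REPORT|SECRET|UNKNOWN)[-_](\d{1,4})\.TXT\.SHS", re.I)

def is_stages_filename(name):
    """True for the fixed attachment name or a dropped-copy name."""
    base = re.split(r"[\\/]", name.strip())[-1]      # drop any directory part
    if base.upper() == "LIFE_STAGES.TXT.SHS":
        return True
    m = DROPPED.fullmatch(base)
    return bool(m) and 1 <= int(m.group(1)) <= 1000

def stages_subjects():
    """The 12 subjects: optional 'Fw: ', one of three topics, optional ' text'."""
    return {f"{p}{t}{s}" for p in ("", "Fw: ")
            for t in ("Life stages", "Funny", "Jokes") for s in ("", " text")}

SUBJECTS_LC = {s.lower() for s in stages_subjects()}

def triage(subject, attachments):
    """Classify one message as 'match', 'suspicious' or 'clean' (assumed labels)."""
    if any(is_stages_filename(a) for a in attachments):
        return "match"
    # Explorer hides .shs, so 'x.txt.shs' is displayed as 'x.txt': flag any scrap file.
    if any(a.strip().lower().endswith(".shs") for a in attachments):
        return "suspicious"
    # A listed subject alone is ordinary wording; flag it only with an attachment.
    if attachments and " ".join(subject.split()).lower() in SUBJECTS_LC:
        return "suspicious"
    return "clean"

if __name__ == "__main__":
    samples = [  # constructed sample messages, not captured mail
        ("Fw: Jokes text", ["LIFE_STAGES.TXT.SHS"]),
        ("Q2 numbers", ["C:\\My Documents\\report_439.txt.shs"]),
        ("hello", ["notes.txt.shs"]),
        ("Funny", []),
    ]
    for subject, files in samples:
        print(f"{triage(subject, files):10} {subject!r} {files}")
```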