VBS:Stages

VBS:Stages is an Internet worm that uses four different spreading mechanisms: it can spread via MS-Outlook, Pirch, mIRC, and mapped drives. It arrives via e-mail and is activated by double-clicking the message attachment called LIFE_STAGES.TXT.SHS. It requires Windows Scripting Host to be installed on the victim's computer. This support is not installed by default under Windows 95 and Windows NT 4. It is installed under Windows 98 and Windows 2000, and it is also part of some additional software packages (such as Microsoft Internet Explorer v5.x).

The incoming message has the following subject and body:

Subject:    FW: Life stages or FW: Funny or FW: Jokes
Body:       The male and female stages of life.
Attachment: LIFE_STAGES.TXT.SHS

The attached file is 39 936 bytes long and is an SHS (Shell Scrap Object) file. These files are special containers created by Windows which can contain virtually anything. The SHS extension is hidden even if the operating system is set to show file extensions. This could be very dangerous, as the user believes the file is really a text file.

After a double click, the worm displays the "funny" text about male and female stages of life and installs itself into the system. It puts the file LIFE_STAGES.TXT.VBS into the temporary folder and runs it. VBS:Stages sends itself via Outlook to a random number of recipients, using a variable subject as mentioned above. Then it moves the file REGEDIT.EXE to the recycle bin under the name RECYCLED.VXD and modifies the registry to use this file when accessing the registry. The worm then creates several "system" files on local and mapped drives, such as:
      c:\WINDOWS\SYSTEM\MSINFO16.TLB
      c:\WINDOWS\SYSTEM\SCANREG.VBS
      c:\WINDOWS\SYSTEM\VBASET.OLB
      c:\RECYCLED\DBINDEX.VBS
      c:\RECYCLED\MSRCYCLD.DAT
      c:\RECYCLED\RCYCLDBN.DAT
      c:\RECYCLED\RECYCLED.VXD

and many .TXT.SHS files with random names consisting of the words IMPORTANT, INFO, REPORT, SECRET and UNKNOWN, and possibly numbers.

The virus changes the registry to run the file SCANREG.VBS at Windows startup and to run DBINDEX.VBS on ICQ startup. It also modifies the MIRC.INI file and creates the file SOUND32B.DLL, which is called by MIRC.INI.

The worm modifies the following registry keys:
HKLM\Software\CLASSES\regfile\DefaultIcon\[Default] (originally: C:\WINDOWS\regedit.exe,1)
HKLM\Software\CLASSES\regfile\shell\open\command\[Default] (originally: regedit.exe "%1")

and adds the following registry keys:
HKU\.Default\Software\Mirabilis\ICQ\Agent\Apps\ICQ\Parameters
HKU\.Default\Software\Mirabilis\ICQ\Agent\Apps\ICQ\Path
HKU\.Default\Software\Mirabilis\ICQ\Agent\Apps\ICQ\Startup
HKLM\Software\CLASSES\txtfile\AlwaysShowExt
HKLM\Software\Microsoft\Windows\CurrentVersion\OSName
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ScanReg

Please note that by default the Shell Scrap file extension is not visible. This is due to the registry key:
HKEY_CLASSES_ROOT\ShellScrap\NeverShowExt
When this key is removed, the SHS extension will be displayed in the same style as the other "normal" extensions.
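
The registry changes listed above can be checked offline against a registry export. The following Python sketch is an added example, not part of the original description or of avast!; it assumes the export is in REGEDIT4 text format with full hive names, treats the last element of each "added" entry as a value name, and uses hypothetical function names and constructed sample data.

```python
import re

# Constructed sample in REGEDIT4 export format; the data strings are made up.
SAMPLE = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\DefaultIcon]
@="C:\\WINDOWS\\regedit.exe,1"
[HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command]
@="C:\\RECYCLED\\RECYCLED.VXD \"%1\""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanReg"="C:\\WINDOWS\\SYSTEM\\SCANREG.VBS"
[HKEY_CLASSES_ROOT\ShellScrap]
"NeverShowExt"=""
"""

HKLM, HKU = "HKEY_LOCAL_MACHINE", "HKEY_USERS"
# Defaults the page says are modified, with the original data it quotes.
ORIGINALS = {
    HKLM + r"\Software\CLASSES\regfile\DefaultIcon": r"C:\WINDOWS\regedit.exe,1",
    HKLM + r"\Software\CLASSES\regfile\shell\open\command": 'regedit.exe "%1"',
}
# Entries the page says are added (assumption: the last element is a value name).
ADDED = [HKU + r"\.Default\Software\Mirabilis\ICQ\Agent\Apps\ICQ" + n
         for n in (r"\Parameters", r"\Path", r"\Startup")] + [
    HKLM + r"\Software\CLASSES\txtfile\AlwaysShowExt",
    HKLM + r"\Software\Microsoft\Windows\CurrentVersion\OSName",
    HKLM + r"\Software\Microsoft\Windows\CurrentVersion\RunServices\ScanReg"]

def parse_reg(text):
    """Return {(key, value_name): data}, key and name lower-cased; '@' is the default."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'(@|"[^"]*")=(.*)$', line)):
            name, data = m.group(1).strip('"').lower(), m.group(2)
            if data.startswith('"'):  # string data: undo the \\ and \" escaping
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            values[(key, name)] = data
    return values

def check_export(text):
    """Return sorted (kind, path) findings for the registry changes the page lists."""
    reg = parse_reg(text)
    found = [("modified", k) for k, orig in ORIGINALS.items()
             if reg.get((k.lower(), "@"), orig).lower() != orig.lower()]
    found += [("added", p) for p in ADDED if tuple(p.lower().rsplit("\\", 1)) in reg]
    if (r"hkey_classes_root\shellscrap", "nevershowext") in reg:  # hides the .SHS extension
        found.append(("shs-extension-hidden", r"HKEY_CLASSES_ROOT\ShellScrap\NeverShowExt"))
    return sorted(found)
```

A "modified" or "added" finding corresponds to an entry that the removal steps below restore or delete; "shs-extension-hidden" only reports that .SHS extensions are still hidden on that machine.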

Removal

Delete all infected files, restore the modified registry keys to their original state and remove all added registry keys mentioned above. Restore the file REGEDIT.EXE from the recycle bin. Then reboot the computer.

Any avast! with a VPS file dated on or after 20th June 2000 is able to detect this virus. We recommend changing the avast32 task to test ALL files!
