virus VBS.Stages.A
Description of the VBS.Stages.A worm
This worm arrives as an e-mail attachment named Life_stages.txt.shs. Windows hides the .shs (Shell Scrap Object) extension even when the option to hide known file extensions is turned off, so the attachment appears to be a plain text file named Life_stages.txt. When you open the attachment, it displays a text file in Notepad that describes the male and female stages of life. While you are reading the text, a script runs in the background. This worm spreads itself using Outlook, ICQ, mIRC, and PIRCH.
You can download a fix program for this worm from:
Fix Life.exe from Symantec Corporation (you must copy this program to c:\windows\desktop before running it)
KillStages.zip from McAfee.com
These fix programs remove the worm's entries from the Windows registry; you must delete the worm's files manually.
Technical description of the VBS.Stages.A worm
The worm sends an e-mail to every address listed in your Microsoft Outlook address book. The e-mail carries the LIFE_STAGES.TXT.SHS attachment. The subject of the e-mail is chosen at random from twelve possible strings. In some, but not all, cases the subject begins with "Fw:". It always contains one of the following:
Life stages
Funny
Jokes
In some cases, this is followed by the word "text." The following are examples of possible subject headings:
Fw: Life stages
Jokes text
Fw: Funny text
As soon as the messages are sent, the worm deletes its copies of them so that no record of its activity remains.
This worm will modify your system as follows:
The following files are created in the \Windows\System folder:
Scanreg.vbs
Vbaset.olb
msinfo16.tlb
A ScanReg value is added to the following registry key so that the worm runs each time the computer starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ScanReg = ScanReg.vbs
The Life_Stages.txt.shs file is created in the \Windows folder
A randomly named file is added to each of the following locations:
The root directory of all mapped drives (C:\, D:\, E:\, ... Z:\)
The \My Documents folder
The \Windows\Start Menu\Programs folder
This randomly named file uses the format Random 1 + Random 2 + Random 3.txt.shs, where:
Random 1 = Important, Info, Report, Secret, or Unknown.
Random 2 = '-' or '_' (Hyphen or Underscore)
Random 3 = a random number between 1 and 1000
For example, Report_439.txt.shs or Important-707.txt.shs.
The Regedit.exe file is moved into the Recycle Bin folder (\Recycled) as a hidden, system file named Recycled.vxd. This file is the original Registry Editor, not a worm component; it is needed again when you repair the registry.
The following files are added to the Recycle Bin as hidden, system files:
Msrcycld.dat
Rcycldbn.dat
Dbindex.vbs
Msrcycld.dat is a copy of the original .shs file.
Rcycldbn.dat is a copy of the Scanreg.vbs file.
Dbindex.vbs is registered to run whenever ICQ is started. The mIRC script is modified to call the Sound32b.dll file, which causes the worm to spread through mIRC and PIRCH.
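The twelve subject strings and the Random 1 + Random 2 + Random 3.txt.shs naming pattern described above are simple enough to turn into detection rules for a mail gateway or a disk scan. The following Python script is an added example, not part of the original page or of either vendor's fix program: it classifies e-mail messages by subject and attachment name, and scans a list of file paths for the worm's dropped files while leaving the moved Regedit.exe (Recycled.vxd) alone. The sample messages and paths are constructed for the example, the function names are this example's own, and the .shb extension is added here as an assumption about a second scrap-object extension that Windows hides in the same way.

```python
import ntpath
import re
from typing import List

# Subject variants listed on this page: optional "Fw:", one of three phrases,
# optional trailing "text" (2 x 3 x 2 = 12 possible subjects).
SUBJECT_RE = re.compile(r"^\s*(?:fw:\s*)?(life stages|funny|jokes)(?:\s+text)?\s*$", re.IGNORECASE)

# Dropped copies: Random 1 + ('-' | '_') + number + ".txt.shs", e.g. Report_439.txt.shs
DROPPER_RE = re.compile(r"^(?:important|info|report|secret|unknown)[-_]\d{1,4}\.txt\.shs$", re.IGNORECASE)

ORIGINAL_ATTACHMENT = "life_stages.txt.shs"

# Files the worm writes under \Windows\System and \Recycled (lower-case for comparison).
# Recycled.vxd is deliberately NOT listed: it is the moved Regedit.exe and must be restored.
WORM_SUPPORT_FILES = {"scanreg.vbs", "vbaset.olb", "msinfo16.tlb",
                      "msrcycld.dat", "rcycldbn.dat", "dbindex.vbs"}

# Scrap-object extensions Windows hides even with "hide extensions" turned off,
# so "Life_stages.txt.shs" displays as "Life_stages.txt". (.shb is an assumption.)
SCRAP_EXTENSIONS = (".shs", ".shb")


def is_stages_subject(subject: str) -> bool:
    """True if the subject is one of the worm's twelve generated subjects."""
    return SUBJECT_RE.match(subject) is not None


def is_stages_filename(name: str) -> bool:
    """True for the original attachment name or a randomly named dropped copy."""
    base = ntpath.basename(name).lower()
    return base == ORIGINAL_ATTACHMENT or DROPPER_RE.match(base) is not None


def is_scrap_attachment(name: str) -> bool:
    """True for any scrap-object attachment, whatever name is in front of the extension."""
    return ntpath.basename(name).lower().endswith(SCRAP_EXTENSIONS)


def message_reasons(subject: str, attachments: List[str]) -> List[str]:
    """Collect the indicators present in one message."""
    reasons = []
    if is_stages_subject(subject):
        reasons.append("subject")
    for name in attachments:
        if is_stages_filename(name):
            reasons.append("worm-file:" + name)
        elif is_scrap_attachment(name):
            reasons.append("scrap:" + name)
    return reasons


def verdict(subject: str, attachments: List[str]) -> str:
    """block: a known worm file is attached; quarantine: subject or scrap attachment only; pass: nothing."""
    reasons = message_reasons(subject, attachments)
    if any(r.startswith("worm-file:") for r in reasons):
        return "block"
    return "quarantine" if reasons else "pass"


def find_worm_files(paths: List[str]) -> List[str]:
    """Return the paths (e.g. gathered with os.walk over every drive) that are worm files to delete."""
    hits = []
    for path in paths:
        base = ntpath.basename(path).lower()
        if base in WORM_SUPPORT_FILES or is_stages_filename(base):
            hits.append(path)
    return hits


# Constructed sample data for this example (not captured messages or a real disk listing).
SAMPLE_MESSAGES = [
    ("Fw: Life stages", ["Life_stages.txt.shs"]),
    ("Jokes text", ["Life_stages.txt.shs"]),
    ("Funny", []),
    ("Q3 report", ["Report_439.txt.shs"]),
    ("Meeting notes", ["notes.txt"]),
    ("Re: Funny story", ["photo.jpg"]),
]

SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM\Scanreg.vbs",
    r"C:\WINDOWS\SYSTEM\Vbaset.olb",
    r"C:\WINDOWS\SYSTEM\msinfo16.tlb",
    r"C:\WINDOWS\SYSTEM\scanregw.exe",   # legitimate Windows file with a similar name
    r"C:\WINDOWS\Life_Stages.txt.shs",
    r"C:\Report_439.txt.shs",
    r"D:\My Documents\Secret-12.txt.shs",
    r"C:\Recycled\Recycled.vxd",          # moved Regedit.exe: restore it, do not delete it
    r"C:\My Documents\budget.xls",
]

if __name__ == "__main__":
    for subject, attachments in SAMPLE_MESSAGES:
        print(f"{verdict(subject, attachments):10} {subject!r} {attachments}")
    for path in find_worm_files(SAMPLE_PATHS):
        print("delete:", path)
```

The scrap-extension check is the part worth keeping beyond this one worm: the name in front of .shs is attacker-controlled and is all the user sees, so a gateway rule should key on the real final extension, not on the display name.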
How to repair damage done by the VBS.Stages.A worm
Running either of the fix programs listed above (Fix Life.exe from Symantec Corporation, which must be copied to c:\windows\desktop first, or KillStages.zip from McAfee.com) removes the worm's entries from the Windows registry and stops it from running and propagating. The worm's files must still be deleted manually.
You can also follow the instructions below to remove this worm manually.
NOTE: This worm makes many modifications to your system, so the instructions below are long and require familiarity with basic Windows operation and MS-DOS commands. If you are not comfortable with them, we suggest that you contact a computer technician.
Find and Delete files
Please follow these steps to locate and remove some of the files that were added by the worm:
Click Start -> Find and Click on Files or Folders.
Make sure that Look In is set to C:, or to all of the drives you have.
In the Named Box, type *.shs and click Find Now.
In the result pane, select any .txt.shs files and then press Delete. Click Yes to confirm.
Click New Search.
In the Named box, type scanreg.vbs vbaset.olb msinfo16.tlb and then click Find Now.
In the Results pane, select all of the files that are found (they should be in the \Windows\System folder) and press Delete. Click Yes to confirm.
Restore the Registry Editor (REGEDIT.EXE) and repair the registry.
The worm moved Regedit.exe into the Recycle Bin folder (\Recycled) as a hidden, system file named Recycled.vxd, so the Registry Editor cannot start until that file is put back. At an MS-DOS prompt, clear the hidden and system attributes of \Recycled\Recycled.vxd and copy it to \Windows\Regedit.exe. Then continue with the steps below.
Click Start, and click Run. The Run dialog box appears.
Type regedit and then click OK. The Registry Editor opens.
Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices
In the right pane, locate and select the Scanreg value. Press Delete, and then click Yes to confirm.
Navigate to the following key:
HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps\ICQ
In the right pane, locate and delete the following values:
Enable
Parameters
Path
StartUp
Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\OSName
NOTE: This may not exist on all computers.
If it exists, press Delete, and then click Yes to confirm.
Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Classes\regfile\shell\
open\command
In the right pane, double-click Default.
In the Value data box, delete the current text and then type: regedit.exe "%1"
(This is the Windows default; the "%1" passes a double-clicked .reg file to the Registry Editor.)
Click OK.
Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Classes\regfile\DefaultIcon
In the right pane, double-click Default.
In the Value data box, delete the current text and then type: C:\WINDOWS\regedit.exe,1
NOTE: If Windows is installed in a location other than C:\Windows, substitute the correct path.
Click OK.
Navigate to the following key:
HKEY_CLASSES_ROOT\regfile\DefaultIcon
NOTE: HKEY_CLASSES_ROOT\regfile shows the same data as HKEY_LOCAL_MACHINE\Software\Classes\regfile, so this value and the next one should already contain the corrected text. Check them anyway and correct them if they do not.
In the right pane, double-click Default.
In the Value data box, delete the current text and then type: C:\WINDOWS\regedit.exe,1
NOTE: If Windows is installed in a location other than C:\Windows, substitute the correct path.
Click OK.
Navigate to the following key:
HKEY_CLASSES_ROOT\regfile\shell\open\command
In the right pane, double-click Default.
In the Value data box, delete the current text and then type: regedit.exe "%1"
Click OK.
Exit the Registry Editor.
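Once Regedit.exe has been restored, the registry steps above can be applied in one pass from a registry script instead of by hand. The following Python function is an added example, not part of the page or of either vendor's fix program: it generates a REGEDIT4-format .reg file that deletes the ScanReg value, the four ICQ Agent values and the OSName key, and restores the regfile association and icon under both HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CLASSES_ROOT. The Windows directory is a parameter so that the DefaultIcon path is correct when Windows is not installed in C:\WINDOWS. The function names and the output file name are this example's own.

```python
import ntpath
from typing import List

REG_HEADER = "REGEDIT4"  # export format read by the Windows 9x Registry Editor

RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
ICQ_AGENT_KEY = r"HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps\ICQ"
ICQ_VALUES = ("Enable", "Parameters", "Path", "StartUp")
OSNAME_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\OSName"
# HKEY_CLASSES_ROOT is a view of HKLM\Software\Classes; both are written so every step on the page is covered.
CLASS_ROOTS = (r"HKEY_LOCAL_MACHINE\Software\Classes", r"HKEY_CLASSES_ROOT")


def reg_quote(value: str) -> str:
    """Quote a string for a .reg file: backslashes and double quotes must be escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_cleanup_reg(windows_dir: str = r"C:\WINDOWS") -> str:
    """Return the text of a .reg file that undoes the worm's registry changes."""
    lines: List[str] = [REG_HEADER, ""]

    # Delete the ScanReg value under RunServices ("name"=- deletes a single value).
    lines += [f"[{RUNSERVICES_KEY}]", '"ScanReg"=-', ""]

    # Delete the four values the worm registered with the ICQ Agent. If the key is
    # absent the Registry Editor creates it empty, which is harmless.
    lines += [f"[{ICQ_AGENT_KEY}]"] + [f'"{name}"=-' for name in ICQ_VALUES] + [""]

    # Delete the OSName marker key if it exists ([-key] deletes a whole key).
    lines += [f"[-{OSNAME_KEY}]", ""]

    # Restore the .reg file association and icon to the Windows defaults.
    command = reg_quote('regedit.exe "%1"')
    icon = reg_quote(ntpath.join(windows_dir, "regedit.exe") + ",1")
    for root in CLASS_ROOTS:
        lines += [f"[{root}\\regfile\\shell\\open\\command]", "@=" + command, ""]
        lines += [f"[{root}\\regfile\\DefaultIcon]", "@=" + icon, ""]

    # .reg files are line-oriented; CRLF keeps them readable on the target system.
    return "\r\n".join(lines)


def write_cleanup_reg(path: str, windows_dir: str = r"C:\WINDOWS") -> int:
    """Write the script to disk and return its size in characters."""
    text = build_cleanup_reg(windows_dir)
    with open(path, "w", newline="") as fh:
        fh.write(text)
    return len(text)


if __name__ == "__main__":
    print(build_cleanup_reg())
```

Run the generated file from Start, Run with regedit stages_fix.reg rather than by double-clicking it: double-clicking a .reg file depends on the regfile association, which is one of the things this script is repairing, and the editor itself is only available after Recycled.vxd has been copied back to \Windows\Regedit.exe as described above.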