VBS.Stages(aka Life Stages) - LIFE

tasklist.org		A comprehensive list of processes running in your computer
		tasklist \| attachlist

bookmark this website!		total tasks: 16297

AttachList is a list of email attachment files that viruses usually send in email. It contains the attached file names, typical subjects and messages, the name of the viruses that send them, and instruction on how to remove these viruses.

most requested

Browse attachlist by file name:

| a | b | c | d | e | f | g | h | i | j | k | l | m | n | o | p | q | r | s | t | u | v | w | x | y | z |

Name: VBS.Stages

Sender:

Varies. Usually someone who knows you.

Subject:

The subject of the email is randomly generated and can be one of
twelve strings.In some, but not all cases, the subject begins with
"Fw:" It will, in any case, containone of the following: Life stages,
Funny or Jokes.  In some cases, this is followed by theword "text."
The following are examples of possible subject headings:
Fw: Life stages
Jokes text
Fw: Funny text

Message:

Varies.

Attachment:

LIFE_STAGES.TXT.SHS

Comments: A worm that spreads itself through Outlook. Execution of the attachment willopen a text file in Notepad displaying the male and female stages of life.

Symptoms:


 When you run the attachment it opens a text file in Notepad. The
text file describes the male and female stages of life. 
 The following files are created in the WindowsSystem folder:
Scanreg.vbs, Vbaset.olb and Msinfo16.tlb 
 The Scanreg.vbs value is added to the following registry key:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices 
 The Life_Stages.txt.shs file is created in the Windows folder. 
 The Regedit.exe file is moved into the Recycle Bin as a hidden
system file named Recycled.vxd. 
 The following files are added to the Recycle Bin as hidden system
files: Msrcycld.dat, Rcycldbn.dat and Dbindex.vbs.  Msrycld.dat is a
copy of the original .shs file. Rcycldbn.dat is a copy of the
Scanreg.vbs file. Dbindex.vbs is set to be run when ICQ is run. The
script for mIRC is modified to call the Sound32b.dll file, which
causes the worm to spread through mIRC and PIRCH.

Recommended Cleanup Software: We found that Easy SpyRemover is the most effective tool for removing this file.

Manual Removal Instructions: Please follow these steps to locate and remove some of the files that were added by the worm:
Click Start, point to Find, and click Files or Folders.
Make sure that Look In is pointing to C:, or All Drives if you have more than one.
In the Named box, type *.shs and then click Find Now.
In the Results pane, select any .txt.shs files and then press Delete. Click Yes to confirm.
Click New Search.
In the Named box, type scanreg.vbs vbaset.olb msinfo16.tlb and click Find Now.
In the Results pane, select the displayed files--they should be in the \Windows\System folder--and press Delete. Click Yes to confirm.
The worm moves the Registry Editor to the Recycle Bin and renames it. Please follow thesesteps to restore it:
NOTES:When typing the fourth entry, if Windows is installed in a location other than C:\Windows, make the appropriate substitution when typing the path. If you are running Windows NT, the default path is C:\Winnt.
If you see the message "File not found," re-enter the command to make sure that it was entered correctly. If you still receive the message, go on to the next command.If you are prompted to overwrite files, first make sure that you have typed the command correctly and then press Y.
Click Start, point to Programs, and click MS-DOS Prompt.
Type each of the following commands, and press Enter after each one:
cd\
cd recycled
attrib -h -s -r *.*
copy recycled.vxd c:\windows\regedit.exe
del recycled.vxd
del msrcycld.dat
del rcycldbn.dat
del dbindex.vbs
exit
Follow these steps to undo the changes made to the Windows registry by the worm:
CAUTION: We strongly recommend that you back up the Windows registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to Back Up the Windows Registry before proceeding.
Click Start, and click Run. The Run dialog box appears.
Type regedit and click OK. The Registry Editor opens.
Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
In the right pane, locate and select the Scanreg value. Press Delete, and then click Yes to confirm.
Navigate to and select the following key:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\OSName
NOTE: This key may not exist on all computers.
If it exists, press Delete, and then click Yes to confirm.
Navigate to the following key:HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps\ICQ
In the right pane, locate and delete the following values:
Enable
Parameters
Path
StartUp
Navigate to the following key:HKEY_CLASSES_ROOT\regfile\DefaultIcon
In the right pane, double-click Default.
In the Value data box, delete the current text and then type regedit.exe
NOTE: If Windows is installed in a location other than C:\Windows, make the appropriate substitution when typing the path.
Click OK.
Navigate to the following key:HKEY_CLASSES_ROOT\regfile\shell\open\command
In the right pane, double-click Default.
In the Value data box, delete the current text, and then type regedit.exe
NOTE: If Windows is installed in a location other than C:\Windows, make the appropriate substitution when typing the path.
Click OK.
Exit the Registry Editor.