TDG brudder:
http://www.cai.com/virusinfo/encyclopedia/descriptions/vbsstagesa.htm
http://www.symantec.com/avcenter/venc/data/fix.vbs.stages.html
Stages.A (also known as VBS.Stages.A and VBS/ShellScrap)
VBS.Stages.A is the first known worm to use the SHS file type (scrap file) to transfer its code. Most of the suspicious strings have been encrypted using techniques already seen in the VBS.Zulu family.
The worm's code is contained in the file "LIFE_STAGES.TXT.SHS". If this file does not exist in the Windows startup directory, the worm will create the file "LIFE_STAGES.TXT" containing the following text:
- The male stages of life:
Age. Seduction lines.
17 My parents are away for the weekend.
25 My girlfriend is away for the weekend.
35 My fiancee is away for the weekend.
48 My wife is away for the weekend.
66 My second wife is dead.
Age. Favorite sport.
17 Sex.
25 Sex.
35 Sex.
48 Sex.
66 Napping.
Age. Definiton of a successful date.
17 Tongue.
25 Breakfast.
35 She didn't set back my therapy.
48 I didn't have to meet her kids.
66 Got home alive.
- The female stages of life:
Age. Favourite fantasy.
17 Tall, dark and hansome.
25 Tall, dark and hansome with money.
35 Tall, dark and hansome with money and a brain.
48 A man with hair.
66 A man.
Age. Ideal date.
17 He offers to pay.
25 He pays.
35 He cooks breakfast next morning.
48 He cooks breakfast next morning for the kids.
66 He can chew his breakfast.
If the file containing the worm does not exist in the startup directory, the worm tries to find the file on the local hard drive and copy it to various locations to ensure its survival. The worm also creates the file "scanreg.vbs", which contains reactivation code. The worm updates the registry so that the "scanreg.vbs" file is started on every system reboot.
Next, the worm tries to modify parameters of a local ICQ client and then modifies the registry information to confuse the user when looking at ".SHS" type files. When the worm is activated, the default icon for ".SHS" files will be the same as for ".txt" files and the extension ".SHS" will not be shown.
To stop recovery attempts, the worm also tries to rename or move the file "regedit.exe" (the registry editor), so that the "runservice" registry key modification cannot be deactivated. The new filename for the registry editor is "recycled.vxd".
The worm then tries to copy itself into the Windows startup folder on all mapped network drives. This feature is only activated when the file (mentioned earlier) was not found in the local startup directory.
Depending on the value of the registry key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\OSName"
the worm will also try to utilize Microsoft Outlook to send itself to addresses in the Address Book. The worm uses variable subjects to make its detection harder.
Possible subjects are:
"Fw: Life Stages"
"Fw: Funny"
"Fw: Jokes"
"Fw: Life Stages text"
"Fw: Funny text"
"Fw: Jokes text"
"Life Stages"
"Funny"
"Jokes"
"Life Stages text"
"Funny text"
"Jokes text"
Also, the body text contains random elements. After the e-mail messages have been sent, the worm makes sure that the messages do not appear in the "Sent Items" folder. It also modifies the registry key mentioned earlier so that the messages will be sent only once.
[This message has been edited by OldMan (edited 20 July 2000).]
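A few checks that follow from the description above, written as an added example for this page (it is not Symantec/CA code and not the worm's own code). It shows why "LIFE_STAGES.TXT.SHS" is displayed as a plain text file, rebuilds the twelve mail subjects from the post's list, and scans a startup folder listing, a Windows directory listing and a .reg export for the persistence artifacts the post names (scanreg.vbs under a Run/RunServices key, regedit.exe renamed to recycled.vxd). The set of NeverShowExt file types, the "ScanReg" value name and all sample listings are assumptions or constructed data; the post gives none of them.

```python
"""Checks for the VBS.Stages.A behaviour described in the post above:
.SHS extension hiding, the subject list, and the persistence artifacts.

Added example for this page, not vendor or worm code. Every listing and
registry line below is constructed sample data.
"""
import re
from itertools import product

# Registered types whose ProgID carries NeverShowExt, so Explorer drops the
# extension even with "Hide file extensions" turned off. ShellScrap (.shs)
# is the one this worm abuses (assumed set, from stock Windows defaults).
NEVER_SHOW_EXT = {".shs", ".lnk", ".pif", ".url"}
# Extensions that run when double-clicked.
EXECUTABLE_EXT = {".shs", ".vbs", ".vbe", ".js", ".jse", ".wsh", ".wsf",
                  ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".lnk"}
# Extensions a user would take for harmless data.
INNOCUOUS_EXT = {".txt", ".doc", ".jpg", ".gif", ".htm", ".html", ".zip"}


def split_ext(name):
    """('LIFE_STAGES.TXT', '.shs') for 'LIFE_STAGES.TXT.SHS'; ext is lower-cased."""
    stem, dot, ext = name.rpartition(".")
    return (stem, "." + ext.lower()) if dot else (name, "")


def displayed_name(filename):
    """The name Explorer shows once NeverShowExt types lose their extension."""
    stem, ext = split_ext(filename)
    return stem if ext in NEVER_SHOW_EXT else filename


def is_extension_masquerade(filename):
    """True when the real extension executes but the displayed name ends in
    an innocuous one: LIFE_STAGES.TXT.SHS is shown as LIFE_STAGES.TXT."""
    _, real_ext = split_ext(filename)
    shown = displayed_name(filename)
    _, shown_ext = split_ext(shown)
    return shown != filename and real_ext in EXECUTABLE_EXT and shown_ext in INNOCUOUS_EXT


SUBJECT_WORDS = ("Life Stages", "Funny", "Jokes")


def worm_subjects():
    """The twelve subjects from the post: optional 'Fw: ', one of three
    words, optional ' text'."""
    return [p + w + s for p, w, s in product(("Fw: ", ""), SUBJECT_WORDS, (" text", ""))]


SUBJECT_RE = re.compile(r"^(?:Fw: )?(?:Life Stages|Funny|Jokes)(?: text)?$", re.IGNORECASE)


def is_worm_subject(subject):
    """Mail-filter check: exact match against the generated subject set."""
    return SUBJECT_RE.match(subject.strip()) is not None


def autorun_entries(reg_export):
    """Yield (key, value_line) for values under ...\\CurrentVersion\\Run,
    RunOnce or RunServices keys in a .reg export."""
    key = None
    run_key = re.compile(r"\\CurrentVersion\\Run(Once|Services)?$", re.IGNORECASE)
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and run_key.search(key) and "=" in line:
            yield key, line


def scan_indicators(startup_files, windows_files, reg_export):
    """Return findings that match the behaviour described in the post."""
    findings = []
    for name in startup_files:
        if is_extension_masquerade(name):
            findings.append("masquerading file in Startup: %s (shown as %s)"
                            % (name, displayed_name(name)))
    present = {n.lower() for n in windows_files}
    if "recycled.vxd" in present and "regedit.exe" not in present:
        findings.append("regedit.exe missing while recycled.vxd exists (renamed registry editor)")
    for key, line in autorun_entries(reg_export):
        if "scanreg.vbs" in line.lower():
            findings.append("autorun entry for scanreg.vbs under %s: %s" % (key, line))
    return findings


# Constructed sample data (not a real capture). The "ScanReg" value name
# is an assumption; the post does not give it.
SAMPLE_STARTUP = ["LIFE_STAGES.TXT.SHS", "desktop.ini"]
SAMPLE_WINDOWS = ["win.com", "recycled.vxd", "win.ini"]
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanReg"="C:\\WINDOWS\\SYSTEM\\scanreg.vbs"
"""

if __name__ == "__main__":
    for finding in scan_indicators(SAMPLE_STARTUP, SAMPLE_WINDOWS, SAMPLE_REG):
        print(finding)
```

The masquerade check is the part worth keeping after this particular worm: any file whose last extension is a NeverShowExt type and whose visible name ends in something harmless is suspicious on its own, whatever the file is called.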