'Stages' Virus Travels by Outlook
- 20 June, 2000 17:36
The e-mail appears to contain a joke outlining "the male and female stages of life," but once the attached file is opened, the virus inserts itself into Outlook and spreads itself via Outlook e-mail messages as well as mIRC and Pirch IRC (Internet relay chat) programs.
"This one became first newsworthy--went to what we call 'yellow alert'--on Friday," says David Perry, public education director at antivirus software vendor Trend Micro. "It was in a handful of Fortune 100 companies, and it's a fast-replicating virus. Anybody can get it, but because all it really does is replicate," it is not considered destructive.
Stages is an .shs virus and uses SHS files, which are also known as shell or scrap files, to spread. SHS files are created when a clipping is taken from the middle of a Microsoft Word document and dropped onto the desktop, Perry says, noting that these are not text files even though they may appear to have a text file extension.
They are "able to contain all of the scripts that are necessary in it to stitch the piece of file back into another file, and Windows always suppresses the initials of its extension SHS," Perry explains. "So if you make something called 'Stages.shs.text,' the SHS part is eliminated [in Windows] and it looks like it says 'Stages.txt.' That's just a feature of these scrap files because it's a process that Microsoft doesn't want to advertise is going on, for whatever reason. It's supposed to be more transparent that way."
Like Melissa and the Love Letter virus, the Stages virus is a very fast replicator and can overload e-mail servers if a large number of copies hit a company all at once. The virus is also polymorphic, exposing itself multiple times in different formats to avoid detection.
The subject of the e-mail is randomly generated and can be one of twelve strings, according to antivirus researchers at Symantec. The subject line could be "Life Stages," "Funny," "Jokes," and others. The subject may begin with "FW" and may be followed by "text." The worm sends an e-mail to addresses listed in your MS Outlook Address book containing the LIFE_STAGES.TXT.SHS attachment. Also, it immediately deletes copies of the e-mails after they have been sent, to ensure there is no record of its presence, according to Symantec.
"It has a long way to go to top Love Letter; we don't think it's going to do that," Perry said. "Love Letter had a strong appeal for people to click on it; this one doesn't quite have that. It's not a barn-burner. I really don't want to alarm anybody or shock anybody, but it's serious enough that we think we need to talk about it [because it's spreading so quickly]."
Antivirus solutions vendors have updated their antivirus pattern files for download; Microsoft also has SHS blocking available in its Outlook e-mail security update.