Virus Warning - Stages.Worm Last Updated 5/26/00

Stages is an email worm. "Stages.VBS" spreads when the attached file, "LIFE_STAGES.TXT.SHS" is opened. The extension "SHS" may not be visible, and the attachment may have the notepad icon. The attachment is a Visual Basic Script, that will perform several actions when executed. The worm replicates via Outlook, Internet Relay, and by copying itself on all available network drives. The copied files are randomly named.

The message subject consists of one of the following:

"Funny", "Life Stages", or "Jokes", and may include the text "Text" or :Fw:".

For example, the subject line might be:

"Jokes", "Life Stages Text" or "Fw: Funny".

You may recognize the name of the sender.

The body of the message includes the text:

"The male and female stages of life."

The attachment is titled "LIFE_STAGES.TXT.SHS"

For more information see http://vil.nai.com/vil/content/v_98668.htm, or
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS_STAGES.A.

To remove Stages from the registry,

1. Start REGEDIT, locate
2. HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunServices
   Delete the keys:
   • "C:\WINDOWS\WSCRIPT.EXE"
   • "C:\WINDOWS\SYSTEM\SCANREG.VBS".
3. HKEY_USERS/.DEFAULT/Software/Mirabilis/ICQ/Agent/Apps/ICQ
   Delete the keys:
   • "C:\RECYCLED\DBINDEX.VBS"
   • "Path=C:\WINDOWS\WSCRIPT.EXE"
   • "Startup=C:\WINDOWS"
4. HKEY_LOCAL_MACHINE/Software/CLASSES/regfile/DefaultIcon
   Locate the key withthe data value "C:\RECYCLED\RECYCLED.VXD,1"
   • Double click the registry key - this will open a dialog box.
   • Enter "C:\WINDOWS\regedit.exe,1" into the dialog box.
5. HKEY_LOCAL_MACHINE/Software/CLASSES/regfile/shell/open/command
   • Repeat the two steps above
6. Save and Exit the registry.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.