Subject: Re: New SHS worm
From: Fulop Miklos (mick at NETACADEMIA.NET)
Date: Tue Jun 20 2000 - 19:42:19 CDT
- Next message: Joseph Pingenot: "Re: How secure is PPTP?"
- Previous message: H Carvey: "WinNT System Scanner Info"
- In reply to: j a s o n: "New SHS worm"
- Next in thread: Ken Mitchner: "Re: New SHS worm"
- Reply: Fulop Miklos: "Re: New SHS worm"
Hiding of .shs extensions (and others) is specified in
the registry, with the registry key NeverShowExt under
the file type in HKEY_CLASSES_ROOT.
For example, .shs extensions are visible if you delete
the HKEY_CLASSES_ROOT\ShellScrap\NeverShowExt
value from the registry.
From http://www.netacademia.net/security/nevershowext/showext.vbs
you can download a simple script that deletes these
keys. More info is in the source of the script.
[mICK]
----- Original Message -----
From: "j a s o n" <jason at GETCH.NET>
To: <FOCUS-MS at SECURITYFOCUS.COM>
Sent: Tuesday, June 20, 2000 7:32 AM
Subject: New SHS worm
> this came through a list i'm subscribed to on monday...
> thought I give a heads up.
> j
>
> Quote:
>
> Stages.A (also known as VBS.Stages.A and VBS/ShellScrap)
> VBS.Stages.A is the first known worm to utilize the SHS filetype (scrap
> file) to transfer its code. Most parts of suspicious strings have been
> encrypted using techniques already seen in the VBS.Zulu family.
>
> The worm's code is contained in the file "LIFE_STAGES.TXT.SHS". If this
> file does not exist in the windows startup directory, the worm will
> create the file "LIFE_STAGES.TXT" containing the following text:
>
> - The male stages of life:
> Age. Seduction lines.
> 17 My parents are away for the weekend.
> 25 My girlfriend is away for the weekend.
> 35 My fiancee is away for the weekend.
> 48 My wife is away for the weekend.
> 66 My second wife is dead.
> Age. Favorite sport.
> 17 Sex.
> 25 Sex.
> 35 Sex.
> 48 Sex.
> 66 Napping.
> Age. Definiton of a successful date.
> 17 Tongue.
> 25 Breakfast.
> 35 She didn't set back my therapy.
> 48 I didn't have to meet her kids.
> 66 Got home alive.
> - The female stages of life:
> Age. Favourite fantasy.
> 17 Tall, dark and hansome.
> 25 Tall, dark and hansome with money.
> 35 Tall, dark and hansome with money and a brain.
> 48 A man with hair.
> 66 A man.
> Age. Ideal date.
> 17 He offers to pay.
> 25 He pays.
> 35 He cooks breakfast next morning.
> 48 He cooks breakfast next morning for the kids.
> 66 He can chew his breakfast.
>
> If the file containing the worm does not exist in the startup directory,
> the worm tries to find the file on the local harddrive and copy it to
> various locations to ensure its survival. The worm also creates the file
> "scanreg.vbs", which contains reactivation code. The worm updates the
> registry so that the "scanreg.vbs" file is started on every system reboot.
>
> Next, the worm tries to modify parameters from a local ICQ client and
> then modifies the registry information to confuse the user when looking
> at ".SHS" type files. When the worm is activated, the default icon for
> ".SHS" files will be the same as for ".txt" files and the extension
> ".SHS" will not be shown.
>
> To stop recovery attempts, the worm also tries to rename or move the
> file "regedit.exe" (the registry editor), so that the "runservice"
> registry key modification cannot be deactivated. The new filename for
> the registry editor is "recycled.vxd".
>
> The worm then tries to copy itself on all mapped network drives in the
> startup folder of windows. This feature will only be activated when the
> file (mentioned earlier) was not found in the local startup directory.
>
> Depending on the value of the registry key:
>
> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\OSName"
>
> the worm will also try to utilize Microsoft Outlook to send itself to
> addresses in the Address Book. The worm uses variable subjects to make
> its detection harder.
>
> Possible subjects are:
>
> "Fw: Life Stages"
> "Fw: Funny"
> "Fw: Jokes"
> "Fw: Life Stages text"
> "Fw: Funny text"
> "Fw: Jokes text"
> "Life Stages"
> "Funny"
> "Jokes"
> "Life Stages text"
> "Funny text"
> "Jokes text"
>
> Also, the body text contains random elements. After the e-mail messages
> have been sent, the worm makes sure that the messages do not appear in
> the "Sent Items" folder. It also modifies the registry key mentioned
> earlier so that the messages will be sent only once.
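The two points in this thread, Fulop's NeverShowExt remark and the indicators in the quoted worm description, can be checked with one audit script. The PowerShell below is an added example written for this page; it is not the showext.vbs script from netacademia.net and not any vendor's tool. It assumes a current Windows host with PowerShell's registry provider, and the Run/RunServices key paths, the Startup folder lookup and the `-Fix` switch are this example's own choices, since the thread names only "runservice" and the file names, not their locations. By default it only reports; with `-Fix` it removes the NeverShowExt value from ShellScrap, which is exactly the change Fulop describes, so .shs extensions become visible again.

```powershell
# Added audit script (not from the thread): report the indicators described
# above and optionally undo the extension hiding on scrap files.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix   # when set, delete HKCR\ShellScrap\NeverShowExt (assumed remediation)
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Every file type under HKEY_CLASSES_ROOT that carries NeverShowExt.
#    ShellScrap (.shs), DocShortcut (.shb), lnkfile, piffile and InternetShortcut
#    are the stock entries; anything else is worth a look.
$stock = @('ShellScrap', 'DocShortcut', 'lnkfile', 'piffile', 'InternetShortcut')
Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
    Where-Object { $_.Property -contains 'NeverShowExt' } |
    ForEach-Object {
        $tag = if ($stock -contains $_.PSChildName) { 'stock' } else { 'UNEXPECTED' }
        Add-Finding 'NeverShowExt' "$($_.PSChildName) ($tag)"
    }

# 2. Scrap-file icon redirected to the text-file icon, as the description says.
$iconKey = 'Registry::HKEY_CLASSES_ROOT\ShellScrap\DefaultIcon'
if (Test-Path $iconKey) {
    $icon = (Get-ItemProperty -Path $iconKey).'(default)'
    if ("$icon" -match 'txt|notepad') { Add-Finding 'ShellScrap icon' "$icon" }
}

# 3. Autostart values that launch scanreg.vbs. The thread only says "runservice";
#    these key paths are an assumption covering the usual Run-style keys.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not values
        if ("$($p.Value)" -match 'scanreg\.vbs') { Add-Finding 'Autostart' "$key\$($p.Name) = $($p.Value)" }
    }
}

# 4. File-system indicators named in the description. Locations are assumed:
#    the Windows directory for the renamed editor, the Startup folders for the
#    dropped scrap/text file.
$winDirs = @($env:windir, (Join-Path $env:windir 'system32'))
foreach ($d in $winDirs) {
    if (Test-Path (Join-Path $d 'recycled.vxd')) { Add-Finding 'Renamed regedit' (Join-Path $d 'recycled.vxd') }
    if (Test-Path (Join-Path $d 'scanreg.vbs'))  { Add-Finding 'Dropped file'    (Join-Path $d 'scanreg.vbs') }
}
$startups = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($d in $startups) {
    foreach ($name in 'LIFE_STAGES.TXT.SHS', 'LIFE_STAGES.TXT') {
        $f = Join-Path $d $name
        if (Test-Path $f) { Add-Finding 'Startup file' $f }
    }
}

# 5. Optional remediation: make .shs extensions visible again (Fulop's fix).
if ($Fix) {
    $scrap = 'Registry::HKEY_CLASSES_ROOT\ShellScrap'
    if ((Test-Path $scrap) -and (Get-Item $scrap).Property -contains 'NeverShowExt') {
        if ($PSCmdlet.ShouldProcess($scrap, 'Remove NeverShowExt value')) {
            Remove-ItemProperty -Path $scrap -Name 'NeverShowExt'
            Add-Finding 'Remediated' "$scrap\NeverShowExt removed"
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No indicators found.' } else { $findings | Format-Table -AutoSize }
```

Run it as an administrator: `.\Audit-ShsIndicators.ps1` to report only, `.\Audit-ShsIndicators.ps1 -Fix -WhatIf` to see what the remediation would touch, and `-Fix` alone to apply it. Stock NeverShowExt entries are tagged so that a scan does not alarm on the file types that hide their extension by design; the value to worry about is one that appears on a type the user opens as a document.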