Menu
Virus alert: 'Stages' intruder makes the rounds

Virus alert: 'Stages' intruder makes the rounds

Another e-mail worm, known as vbs_stages.a ,as well as irc_stages.a and shs_stages.a, is quickly making its way through businesses in Asia, North America and Australia, once again affecting Microsoft Outlook systems.

The e-mail appears to contain a joke outlining "The male and female stages of life," but once the attached file is opened, the virus inserts itself into Outlook and spreads itself via Outlook e-mail messages as well as mIRC and Pirch IRC (Internet relay chat) programs.

"This one first became newsworthy -- went to what we call 'yellow alert' -- last Friday," said David Perry, public education director at US-based Trend Micro. "It was in a handful of Fortune 100 companies and it's a fast-replicating virus. Anybody can get it, but because all it really does is replicate, it will only have a big effect on people who are in corporations where there is an Outlook e-mail setup."Stages is an .shs virus and uses SHS files, which are also known as a shell or scrap files, to spread. SHS files are created when a clipping is taken from the middle of a Microsoft Word document and dropped onto the desktop. Perry noted that these are not text files.

"There are two things you have to know about SHS files: [they are] able to contain all of the scripts necessary to stitch the piece of file back into another file, and Windows always suppresses the initials of its extension SHS," Perry explained. "So if you make something called 'Stages.shs.text,' the SHS part is eliminated [in Windows] and it looks like it says 'Stages.txt'. That's just a feature of these scrap files because it's a process that Microsoft doesn't want to advertise is going on for whatever reason. It's supposed to be more transparent that way."Like Melissa and the Love Letter virus, the Stages virus is a very fast replicator and can overload e-mail servers if it hits a company all at once.

The virus is also polymorphic, exposing itself multiple times in different formats to avoid detection, and "is very smart: The letter that comes to you can use several different subject matters, several different body texts, so it's not easy to detect that way," said Perry, adding that other than the replication issues, the virus is not destructive.

TrendMicro has been tracking the virus' spread, which currently holds the number two position on TrendMicro's Top 10 virus list for North America and the number three place on the worldwide Top Ten virus list.

"It has a long way to go to top Love Letter; we don't think it's going to do that," Perry said. "Love Letter had a strong appeal for people to click on it, this one doesn't quite have that. It's not a barn-burner. I really don't want to alarm anybody or shock anybody, but it's serious enough that we need to talk about it [because it's spreading so quickly]."Perry did note that several "really large" Fortune 100 companies have been hit and at least one forced to shut down its network by the Stages virus, which seems to be spreading mostly through corporate e-mail lists where companies have interlocking directories and e-mail lists.

TrendMicro and other anti-virus solutions vendors have updated their anti-virus pattern files for download; Microsoft also has SHS blocking available in its Outlook e-mail security update.


Follow Us

Join the newsletter!

Error: Please check your email address.
Show Comments