'Stages.worm' on the loose

[InfoSec News <isn () C4I ORG>]

http://www.zdnet.com/zdnn/stories/news/0,4586,2589845,00.html

By Bob Sullivan, MSNBC
June 19, 2000 6:06 AM PT

British and U.S. firms were infected with a computer virus this
weekend that arrives via e-mail and convincingly masquerades as an
innocent plain text file. The bug, called "Stages.worm," does not
damage computer files but can shut down corporate e-mail servers.

While there is some concern that employees arriving on Monday morning
may be fooled into opening e-mail that carries the bug, anti-virus
companies tell MSNBC that a wide-scale outbreak is not expected.

"We're going to find out on Monday," said Dan Shrader, spokesperson
for anti-virus firm Trend Micro. He said two large aerospace companies
were hit with the virus on Friday afternoon, and one of the largest
companies in the country was infected on Saturday. Still, he said, "as
of Friday (it) didn't look like it was going to be a huge situation."

The virus is particularly tricky because it utilizes a rare file
format called "windows scrap files." The extension for this file type,
which should be ".shs," never appears. That means it's easy to make a
scrap file appear to be another file type; Stages.worm arrives ending
with the letters ".txt," suggesting that it's a text file.

Internet users are advised not to open attachments they did not expect
to receive, no matter what the file extension may appear to be.

"If you didn't expect it, you should check with the sender before you
open any attachment, no matter what the extension is," said Mary
Landesman, spokesperson for anti-virus firm Command Software Systems
Inc.

The virus was apparently authored by a familiar Argentinian virus
writer named "Zulu" and was released May 26. But the first infections
were not found until Friday.

"I don't see anything indicating a widespread release," Landesman
said. Her firm had found only four infected companies by Sunday. "But
that doesn't mean it's not sitting in a lot of people's inboxes. ...
It is a holiday weekend."

"Stages.worm" spreads like the Melissa virus and the Love Bug, sending
copies of itself to e-mails listed in the victim's Microsoft Outlook
address book. But the virus sends out a maximum of 100 copies each
time.

It arrives with one of several randomly chosen subject lines. One
sample has in the subject line "Funny"; the body of the message reads,
"The male and female stages of life," and the attachment is named
"Life_Stages.txt." Other possible subject lines are: "life_stages,"
"jokes" and "text."

After infection, the worm does display humorous text:

The male stages of life:

Age. Seduction lines.
17 My parents are away for the weekend.
25 My girlfriend is away for the weekend.
35 My fiancee is away for the weekend.
48 My wife is away for the weekend.
66 My second wife is dead.

Age. Favorite sport.

17 Sex.
25 Sex.
35 Sex.
48 Sex.
66 Napping.

Age. Definiton of a successful date.

17 Tongue.
25 Breakfast.
35 She didn't set back my therapy.
48 I didn't have to meet her kids.
66 Got home alive.

The female stages of life:

Age. Favourite fantasy.
17 Tall, dark and hansome.
25 Tall, dark and hansome with money.
35 Tall, dark and hansome with money and a brain.
48 A man with hair.
66 A man.

Age. Ideal date.

17 He offers to pay.
25 He pays.
35 He cooks breakfast next morning.
48 He cooks breakfast next morning for the kids.
66 He can chew his breakfast.

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".