Vulnerability Development mailing list archives

Re: Another new worm???


From: ken () KWILLIAMS ORG (Kenneth Williams)
Date: Mon, 19 Jun 2000 19:55:02 -0700


This is a known worm, "IRC/Stages.worm". It takes advantage of the fact
that .shs extensions are not normally displayed by Windows.

Ken Williams
"NO I AM NOT THAT KEN WILLIAMS!!!"
I am the one who is with the deathstar

----- Original Message -----
From: "Pierre Vandevenne" <pierre () datarescue com>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Monday, June 19, 2000 7:18 PM
Subject: Re: Another new worm???

On Mon, 19 Jun 2000 09:49:54 EDT, Studio1057 () AOL COM wrote:

Hello all,

This morning I am getting a lot of mail with attachments. Trends are:
No from and to appears in the header
Attachments have .SHS extension (??!!)
the subject is either "Jokes", or "Funny: Jokes text", or "Life stages".
Funny text does not show the attachment. The rest are .txt.shs extensions,
the filename is the subject line but in all caps.
Any ideas? I am planning to clip a copy of all the "variations" I'm getting
to check out what is going on. Unless of course somebody else has already
done so in which case I am anxiously awaiting what you guys come up with.

You are infected by a VBS worm, known as stages or scrapworm.
Update your anti-virus or get one ;-)


c:\temp\met\life_stages.txt.shs
Infection: 'I-Worm.Scrapworm' [AVP]


http://www.sophos.com/virusinfo/analyses/vbsstagesa.html
http://www.f-secure.com/v-descs/stages.htm

---
http://www.datarescue.com/idabase/ida.htm
IDA Pro 4.1 - Yes, we have done it again !
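
Added example (not part of the original thread): a Python check that a mail gateway or triage script could run to flag attachments relying on the hidden .shs extension described above. Only .shs and the .txt.shs pattern come from the thread; the other extensions in both sets, the function names and the sample message are assumptions constructed for this example.

```python
import email
from email import policy

# Extensions Windows Explorer hides from the user. ".shs" is the one named in
# the thread; the others are an assumption added for this example.
HIDDEN_EXTS = {".shs", ".shb", ".lnk", ".pif"}
# Harmless-looking extensions used as the visible decoy (assumed list).
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf"}

def classify(filename):
    """Return 'hidden-double-ext', 'hidden-ext' or None for an attachment name."""
    # Trailing dots and spaces are dropped before the extension is examined.
    parts = filename.strip().rstrip(". ").lower().split(".")
    exts = ["." + p for p in parts[1:]]
    if not exts or exts[-1] not in HIDDEN_EXTS:
        return None
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "hidden-double-ext"   # e.g. life_stages.txt.shs shown as .txt
    return "hidden-ext"

def scan_message(raw_bytes):
    """Parse a raw RFC 822 message; return (filename, verdict) for flagged parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        verdict = classify(name) if name else None
        if verdict:
            findings.append((name, verdict))
    return findings

# Constructed sample: no From/To headers, subject and file name as in the thread.
SAMPLE = (
    b"Subject: Life stages\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="LIFE_STAGES.TXT.SHS"\r\n\r\n'
    b"placeholder\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE):
        print(f"{verdict}: {name}")
```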

