Stages

An E-mail worm believed to be the first to use the scrap file format to spread. Before going further, let's first look at what a scrap file is...

Scrap Files.

A scrap file is a type of file used to transfer objects between programs on Windows computers. A scrap file can contain just about anything from simple data, to a document or spreadsheet, to an executable program.

The scrap file can be named with most any extension to make it look like a benign file (e.g., .GIF, .JPG, .TXT, etc.) and then Windows adds the .SHS extension to that. In most cases, even if you have Windows set to show all file extensions, the .SHS extension will not show up after you've saved the file to disk (it should be visible as an attachment to an E-mail message). This can make scrap files more dangerous as they can easily appear to be something they are not just by giving the file a benign name.

Windows assigns "RUNDLL32.EXE SHSCRAP.DLL, OPENSCRAP_RUNDLL %1" to the .SHS extension by default and, when opened, Windows will unpack the scrap file and open or execute whatever is in the file. You will have no control over this once you attempt to open the scrap file.

There is really never any reason for anyone to send you a scrap file. If you ever receive one via E-mail you should delete it without attempting to open it. Tell the sender to send you the actual object instead if you think there was something useful involved. The main reason is that scrap files can easily hide code without any indication of what that code really represents so there is no guarantee the scrap file will be what you think it is.

Advanced note: The display of the .SHS extension is controlled by the following registry entry...

HKEY_CLASSES_ROOT\ShellScrap
"NeverShowExt"=""

If you want to experiment [Computer Knowledge takes no responsibility if you do!] you can either change "NeverShowExt" to "AlwaysShowExt" or simply delete the entry. Then, reboot and .SHS files should show their extension even when saved to disk.

VBS/Stages Worm

This is an E-mail worm that spreads via Outlook and mIRC or Pirch IRC chat.

E-mail copies are sent (once only) via the Outlook address book and subjects are constructed from the following list of terms: "Fw:", "Life Stages", "Funny", "Jokes", and " text".

The message itself may contain "The male and female stages of life." The attachment (the worm itself) is in a file named LIFE_STAGES.TXT.SHS (again, like many before it, note the double extension; you should be able to see it in your E-mail program but not after saving the file to disk--see discussion above).

This is the first worm known to use the scrap file (SHS) file type to send its code. When run, the worm creates and displays the file LIFE_STAGES.TXT containing humourous text about stages of life (the text is below).

• The male states of life:
  • Seduction Lines:
    age 17: "My parents are away for the weekend."
    age 25: "My girlfriend is away for the weekend."
    age 35: "My fiancée is away for the weekend."
    age 48: "My wife is away for the weekend."
    age 66: "My second wife is dead."
  • Favorite sport:
    age 17: Sex
    age 25: Sex
    age 35: Sex
    age 48: Sex
    age 66: Napping
  • Definition of a successful date:
    age 17: Tongue
    age 25: Breakfast
    age 35: She didn't set back my therapy
    age 48: I didn't have to meet her kids
    age 66: Got home alive
• The female stages of life:
  • Favorite fantasy:
    age 17: Tall, dark and handsome
    age 25: Tall, dark and handsome with money
    age 35: Tall, dark and handsome with money and a brain
    age 48: A man with hair
    age 66: A man
  • Ideal date:
    age 17: He offers to pay
    age 25: He pays
    age 35: He cooks breakfast next morning
    age 48: He cooks breakfast next morning for the kids
    age 66: He can chew his breakfast

The worm then creates the file SCANREG.VBS with its code and sets the registry so SCANREG.VBS runs at each startup.

It also moves the program REGEDIT.EXE to the recycled directory and changes its name to RECYCLED.VXD (this is an attempt to keep you from editing the registry to remove the worm).

The default icon for .SHS files will also be reset to the default icon for text files and .SHS not shown.

Expect many variants of this type of attack; probably with payloads.

Now, let's divert a bit and see where all this came from...