VBS.Stages.A - Worm/Virus

The worm is coded in Visual Basic Script (VBS) language. It spreads by e-mail messages triggered by its own code. The addresees of messages are selected from the address book (first one hundred addresses). The Subject field of the messages can vary. The following subjects are possible: "Life stages", "Funny" or "Jokes". Occasionally the word "text" is added to the aforementioned subject. The body of the message usually reads: "> The male and female stages of life." sometimes followed by a greeting: "Bye.". The worm itself is hidden in the message attachment named: LIFE_STAGES.TXT.SHS. After clicking at this attachment the notepad is open containing the following, somewhat funny content:

The male stages of life:

Age. Seduction lines.
17 My parents are away for the weekend.
25 My girlfriend is away for the weekend.
35 My fiancee is away for the weekend.
48 My wife is away for the weekend.
66 My second wife is dead.

Age. Favorite sport.
17 Sex.
25 Sex.
35 Sex.
48 Sex.
66 Napping.

Age. Definition of a successful date.
17 Tongue.
25 Breakfast.
35 She didn't set back my therapy.
48 I didn't have to meet her kids.
66 Got home alive.

The female stages of life:

Age. Favorite fantasy.
17 Tall, dark and handsome.
25 Tall, dark and handsome with money.
35 Tall, dark and handsome with money and a brain.
48 A man with hair.
66 A man.

Age. Ideal date.
17 He offers to pay.
25 He pays.
35 He cooks breakfast next morning.
48 He cooks breakfast next morning for the kids.
66 He can chew his breakfast.

The worm modifies the system registers - it records itself as a service process executed at the system start-up. Its body is copied into the following directories: MyDocuments, Programs, System, Windows and Recycled disguised as: LIFE_STAGES.TXT, MSINFO16.TLB, MSRCYCLD.DAT, SCANREG.VBS, RCYCLDBN.DAT, DBINDEX.VBS and VBASET.OLB. It also copies itself into available network disks.
Further worm action includes copying of the REGEDIT.EXE file into the RECYCLED directory and renaming it as RECYCLED.VXD.

The worm is also capable of spreading by means of MIRC32 and PIRCH98 programs. To enable this, it creates the SOUND32B.DLL file in WINDOWS directory, or eventually, it creates the EVENTS.INI file in the directory of PIRCH98 program.