X
Tech

Heard the one about the Stages worm?

Large corporations didn't learn anything from the ILOVEYOU worm. Several shut down e-mail systems to cope with the nearly identical Stages worm.
Written by Robert Lemos, Contributor
Six weeks after the ILOVEYOU worm hit companies and computer users worldwide, a new worm using the same old tactics invaded several large corporations on Monday.

Both Visa International and Microsoft Corp. (msft) had shut down e-mail to deal with several infections involving the VBS_STAGES.A worm, sources said on Monday.

"The problem is that we are relying on end users," said Dan Schrader, chief security analyst with anti-virus software maker Trend Micro Inc. (tmic) "There are 30 different files that can be executables. Users cannot keep track of them all. It's time that companies started focusing on a more complete content filtering approach."

Many companies seem to have let security become lax. Despite the Melissa virus attack 15 months ago -- and another rude reminder just six weeks ago by the ILOVEYOU worm -- corporate computers and their users are falling victim to what is quickly becoming an unoriginal ploy.

"Stages" copies the ILOVEYOU worm's tactics almost verbatim.

Posing as a joke file -- rather than an amorous Internet missive -- an infected e-mail attachment, once opened, infects a user's registry and system files with copies of itself. Next, the worm generates an e-mail with one of several randomly chosen subject lines to every address in the user's Microsoft Outlook address book.

Users of other e-mail clients, or users who have patched their Outlook client with Microsoft's new security patch, do not need to worry about spreading the digital disease, although their own PCs can still be infected.

The worm utilizes a relatively unknown file format called Windows scrap files. The extension for such a file is normally .SHS, but users will most likely never see the suffix because of a trick virus writers are increasingly using to fool their victims.

According to a CERT advisory released Monday, the security weakness in Windows occurs because the operating system assumes users do not need to know the extensions for certain file types. Thus, an executible script file (in this case, LIFE_STAGES.TXT.SHS) will appear to be a innocuous text file (such as LIFE_STAGES.TXT).

'A file that appears to be innocent based on its viewable file name may contain malicious executable code.'|CERT advisory "A file that appears to be innocent based on its viewable file name may contain malicious executable code," stated the CERT advisory.

Whereas ILOVEYOU deleted files, Stages does not and, in fact, is relatively benign. Future versions created by copycats could easily change that, however.

The worm has mainly infected U.S. computers, according to Trend Micro, whose Virus Tracker showed 430 verified infections among users who checked their PCs with the company's free HouseCall virus checker.

E-mail service provider MailZone.net caught almost 5,400 copies of the virus from e-mail passing through its system in the past 24 hours. The next most frequent attachment was the G-variant of the ILOVEYOU worm with 4,900 copies found.

Microsoft, Visa, and Internet analyst firm Zona Research Inc. joined the list of companies hit by the Outlook-client worm on Monday.

A Visa spokesperson who asked not to be identified confirmed that its mail system had been inundated with e-mail containing the virus. The company declined any immediate on-the-record comment.

ZDNet News received several e-mails from Zona Research, indicating that at least two employees at the Internet market research firm had opened the attachment and were infected. Zona also declined comment on the incidents.

Microsoft confirmed its employees had seen the worm but would not confirm reports that its users had been infected.

Trend's Schrader said that, despite the media coverage of such digital infections, users cannot be blamed for the outbreaks.

"Can I blame you if you infect me with a cold? Until we get to the point where we can give users guidelines for simple effective behavior, we cannot blame them," he said.

Editorial standards