Heard the one about the Stages worm?

Large corporations didn't learn anything from the ILOVEYOU worm. Several shut down email systems to cope with the nearly identical Stages worm
Written by Robert Lemos, Contributor

Six weeks after the ILOVEYOU worm hit companies and computer users worldwide, a new worm using the same old tactics invaded several large corporations on Monday.

Both Visa International and Microsoft had shut down email to deal with several infections involving the VBS_STAGES.A worm, sources said Monday.

"The problem is that we are relying on end users," said Dan Schrader, chief security analyst with anti-virus software maker Trend Micro. "There are 30 different files that can be executables. Users cannot keep track of them all. It's time that companies started focusing on a more complete content filtering approach."

Many companies seem to have let security become lax. Despite the Melissa virus attack 15 months ago -- and another rude reminder just six weeks ago by the ILOVEYOU worm -- corporate computers and their users are falling victim to what is quickly becoming an unoriginal ploy.

'Stages' copies the ILOVEYOU worm's tactics almost verbatim.

Posing as a joke file -- rather than an amorous Internet missive -- an infected email attachment, once opened, infects a user's registry and system files with copies of itself. Next, the worm generates an email with one of several randomly chosen subject lines to every address in the user's Microsoft Outlook address book.

Users of other email clients, or users who have patched their Outlook client with Microsoft's new security patch, do not need to worry about spreading the digital disease, although their own PCs can still be infected.

The worm utilises a relatively unknown file format called Windows scrap files. The extension for such a file is normally .SHS, but users will most likely never see the suffix because of a trick virus writers are increasingly using to fool their victims.

According to a CERT advisory released Monday, the security weakness in Windows occurs because the operating system assumes users do not know the extensions for certain file types. Thus, an executible script file (in this case, LIFE_STAGES.TXT.SHS) will appear to be a innocuous text file (such as LIFE_STAGES.TXT).

"A file that appears to be innocent based on its viewable file name may contain malicious executable code," stated the CERT advisory.

Whereas ILOVEYOU deleted files, Stages does not and, in fact, is relatively benign. Future versions created by copycats could easily change that, however.

The worm has mainly infected US computers, according to Trend Micro, whose Virus Tracker showed 430 verified infections among users who checked their PCs with the company's free HouseCall virus checker.

Email service provider MailZone.net caught almost 5,400 copies of the virus from email passing through its system in the past 24 hours. The next most frequent attachment was the G-variant of the ILOVEYOU worm with 4,900 copies.

Microsoft, Visa, and Internet analyst firm Zona Research joined the list of companies hit by the Outlook-client worm on Monday.

A Visa spokesperson who asked not to be identified confirmed that its mail system had been inundated with email containing the virus. The company declined any immediate on-the-record comment. ZDNet News received several emails from Zona Research, indicating that at least two employees at the Internet market research firm had opened the attachment and were infected. Zona also declined comment on the incidents.

Microsoft confirmed its employees had seen the worm but would not confirm reports that its users had been infected.

Trend's Schrader said that, despite the media coverage of such digital infections, users cannot be blamed for the outbreaks.

"Can I blame you if you infect me with a cold? Until we get to the point where we can give users guidelines for simple effective behavior, we cannot blame them," he said.

Take me to the Virus Workshop

What do you think? Tell the Mailroom. And read what others have said.

Editorial standards