Life_Stages Bug Hits AAx Client

This variation on the Melissa worm is a little more clever than others we have seen so far.





We became aware one of our clients had been hit with this worm when we found an e-mail in our inbox with an attachment named LIFE_STAGES.TXT.SHS. It had already emailed itself to every recipient in the victim's Outlook address book.

This was a new worm, out only two days, so our client's anti-virus program had not yet been updated to detect it. The worm also applied several clever tricks to ensure its rapid propagation.

Microsoft and many other "experts" blame this sort of thing on the user, repeating that users should never open executable attachments without first making a phone call to the sender to see if it is OK. This is just dumb.

We saw LIFE_STAGES.TXT.SHS, because we read our mail on a computer running OS/2. What the victim saw, due to a "user friendly" feature of Windows, was only LIFE_STAGES.TXT. Files of type .TXT (plain text) are perfectly safe to open. Further, the file came from a known source. And anyway, who would know a file type .SHS (scrap file) was executable even if they could see it?
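A mail gateway can make the same comparison between the real attachment name and the name the recipient is shown. The following is an added example, not code from this article: the function names, both extension lists (illustrative, not exhaustive) and the sample message are assumptions constructed for the demonstration.

```python
from email import message_from_string

# Illustrative, not exhaustive: extensions Windows can execute or script.
RISKY = {".shs", ".shb", ".vbs", ".js", ".exe", ".scr", ".pif", ".bat", ".com", ".lnk"}
# Extensions a reader takes for harmless data.
DECOY = {".txt", ".doc", ".jpg", ".gif", ".pdf"}

def classify(filename):
    """Return (displayed_name, verdict); verdict is None, 'risky' or 'masquerade'."""
    # Drop any path component and trailing dots/spaces, tolerate stray whitespace.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    parts = [p.strip() for p in name.split(".")]
    exts = ["." + p.lower() for p in parts[1:]]
    if not exts or exts[-1] not in RISKY:
        return name, None
    # What the recipient sees once the shell hides the final extension.
    displayed = ".".join(parts[:-1])
    if len(exts) >= 2 and exts[-2] in DECOY:
        return displayed, "masquerade"
    return displayed, "risky"

def scan_message(raw):
    """List (real_name, displayed_name, verdict) for each flagged attachment."""
    hits = []
    for part in message_from_string(raw).walk():
        fname = part.get_filename()
        if fname:
            displayed, verdict = classify(fname)
            if verdict:
                hits.append((fname, displayed, verdict))
    return hits

# Constructed sample message (not taken from a real infection).
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="LIFE_STAGES.TXT.SHS"

placeholder
--b1
Content-Disposition: attachment; filename="notes.txt"

hello
--b1--
"""

if __name__ == "__main__":
    for real, shown, verdict in scan_message(SAMPLE):
        print(f"{verdict}: user sees {shown!r}, real name is {real!r}")
```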

The Life Stages joke actually works normally. Our victim thought it was amusing, so she forwarded it to some friends. She got a call from a software vendor asking if she had sent that e-mail and attachment. She told the caller she must have accidentally selected her while forwarding it to a bunch of other people. If the caller opened it too, who could blame her? Known source, telephone confirmation, safe .TXT type. Bingo.

Another clever thing LIFE_STAGES does is put its executables in the recycle bin and run them from there. This is because Microsoft has neglected to put any security measures at all on the recycle bin. Cool.

LIFE_STAGES makes changes to the registry, and also erases the REGEDIT.EXE program so you don't have the tool needed to examine or repair the registry. You have to reinstall Windows or get REGEDIT from another machine. Even a reinstall of Windows doesn't fix everything; you still have to hand-edit the registry.

This is just the prelude, folks. From here on out, these bugs will be getting cleverer and more destructive. As long as you use Windows, MS Office and (especially) Outlook, you are highly vulnerable. They can get you before you even know they exist.

Microsoft has provided a security fix for Outlook, but it has its own problems. Check our news item "Microsoft Security Fix has Problems" for more.

© Andrew Grygus - Automation Access