-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2000.08  --  AUSCERT ALERT
                               Stages VBS Worm
                                20 June 2000

===========================================================================

PROBLEM:  

	AusCERT has received information of a new virus known as Stages VBS
	worm.  This worm propagates itself using a variety of installed
	software such as Microsoft Outlook, mIRC, Pirch and mapped network
	drives.

	When the virus propagates itself via e-mail, it uses variable
	subject lines which currently include such words as "Funny",
	"Jokes" and "Life Stages".

	Currently, the virus is included in an attachment with the name
	"LIFE_STAGES.TXT.SHS".  The virus makes itself harder to detect
	by having the file extension .SHS, which by default is not shown.
	Thus this attachment will appear as a .TXT file, possibly deceiving
	users into believing the virus is a harmless text file.

	More detailed information regarding this virus, its impact,
	propagation and recovery can be found in the links in the
	Recommendations section.

	As is typical with this type of incident, there are generally
	numerous mutations of this worm for several weeks afterwards.
	AusCERT recommends a heightened state of awareness and caution
	with any e-mail attachments that are received in the next few
	weeks.

	AusCERT has received reports of infection among member sites within
	Australia or New Zealand, as well as reports of the worm from
	collaborating security organisations in other countries.  We are
	issuing this warning to draw members' attention to the potential
	for increased activity in Australia and New Zealand.

IMPACT:   

	Mail servers may suffer increased load as the worm propagates
	making those servers unstable or unusable.  An infected
	organisation's profile may also be damaged due to the organisation
	being seen as one of the propagators of the worm.  In addition,
	to make recovery from the virus more difficult it may rename or
	remove the REGEDIT.EXE file.

RECOMMENDATIONS: 

	A. User Education

	System Administrators are urged to inform their users about proper
	precautions with regards to handling email attachments.

	AusCERT recommends that sites should update and check their virus
	defenses and either delete or do not open any email messages or
	attachments that resemble the e-mail listed above.

        B. Update Anti-Virus Packages

	System administrators and users are urged to ensure that the latest
	Anti-Virus software is installed and that it is using the most
	current up-to-date virus databases.

	More information can be found at:

	  http://www.symantec.com/avcenter/venc/data/vbs.stages.a.html
	  http://www.cai.com/virusinfo/virusalert.htm#stages.a
          http://www.sophos.com/virusinfo/analyses/vbsstagesa.html
          http://www.f-secure.com/v-descs/stages.htm
          http://vil.mcafee.com/dispVirus.asp?virus_k=98668
          http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=VBS_STAGES.A

	C.  Microsoft Outlook E-Mail Security Update

	The following Microsoft update may be beneficial to Outlook users
	and administrators - "Protect Against Viruses with the Outlook
	E-mail Security Update":

	  http://officeupdate.microsoft.com/2000/downloadDetails/Out2ksec.htm
	  http://officeupdate.microsoft.com/2000/articles/Out2ksecFAQ.htm

	Administrator information for using this security update is
	available from:

	  http://support.microsoft.com/support/kb/articles/Q263/2/97.asp

	AusCERT is continuing to monitor this problem. 

- ---------------------------------------------------------------------------
For more information contact please contact your anti-virus vendor.
- ---------------------------------------------------------------------------

[AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated and for which a work-around or fix
may not yet have been developed requires notification.]

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
						       
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOXXWKSh9+71yA2DNAQHSHAP8DCl9CS+m+wKSeFOXFnSjOK8MYUSOY93k
STRaFrt0c9j7B6p3IgEnCqvHeHO/FmxwlZjjoDVZc4/3ceU4pB3yxEpW/S9RkvF/
H5RIeedJnyMRhHPVmhXdgQw+9eLDX8clFe0Rkp4wsm9lefBW/3xbhoGNpr+Euzl5
dky7n6IeWQI=
=KExm
-----END PGP SIGNATURE-----