E-mail virus spreads in Stages

An e-mail virus disguised as a text file attachment has begun spreading itself widely across the Internet weeks after it was first discovered.

The worm – which arrives as a joke about the various stages of male and female life and comes with many subject headers, including “Funny” and “Life-Stages” – could cause e-mail servers to become clogged because of its ability to quickly copy itself to others via Microsoft Corp.’s Outlook e-mail client once it is launched, antivirus experts warned.

But initial research shows that the worm, which is called Life-Stages.txt.shs, doesn’t damage any files or corrupt data, antivirus experts said.

“It is similar to the Love Letter (virus) in the way it sends itself out to everyone in your e-mail address book,” said Patrick Martin, a product manager for Symantec Corp., referring to the recent ILOVEYOU bug.

“The real risk this one poses is e-mail flooding,” he said. In its assessment of the worm posted on its Web site, Symantec deemed damage from the worm as low, its distribution in the wild as high and the ability of systems administrators to contain the bug as relatively good.

Carnegie Mellon University’s Computer Emergency Response Team (CERT), which posted an alert on the worm, claimed that it had reports of individual users receiving as many as 30 copies of the bug. And some large sites reported as many as 120,000 copies passing through a single server, CERT said.

The Life-Stages.txt.shs virus, which is also known as IRC-Stages. A and SHS-Stages. A, is a so-called Shell Scrap Object file that contains malicious Visual Basic script code, according to a CERT description of the worn.

The file uses a .shs filename extension, which belongs to a group of file extensions that are usually hidden from users by Windows. That allows the worm to appear as an innocent text file on users’ e-mail, even though it contains executable code, McMahon said.

Life-Stages is only the latest in a growing list of malicious programs to take advantage of some Windows default behaviour to hide certain file extensions, according to a separate CERT alert.

Though a user may disable the option to hide some file extensions, the .shs file extension – exploited by the latest worm – is one that continues to remain hidden from the user even after the default option is turned off, CERT warned. The result is that users have no way of knowing if the file contains executable code or not, the CERT report said. CERT recommended steps for users to get around this problem in its alert.