ACCC Home Page Academic Computing and Communications Center  
 
The A3C Connection, 2001-2002, Number 1

Repeated Infections with a Particular Virus

 
The Head Crash

Question: [This question was asked by a departmental "resident expert" who shares the responsibility of maintaining the other machines in their department.] The VBS.Stages.A virus has been detected on my PC by Norton AntiVirus (NAV) with ever-increasing frequency over the past few months. I've been running a Norton scan every week, sometimes more if I'm having problems loading databases, very slow response time, and each time Norton has found from a few to 640 (yesterday) infections. The files affected are mostly in the Windows temporary directory with .dat extensions. Norton quarantined them, and because my system is running so slow now, I'm wondering if I should permanently delete them.

Has anyone else experienced this and what solutions can you offer?

Answer: Here is the info from Symantec: "This worm appears as an attachment named Life_stages.txt.shs. When you run the attachment it opens a text file in Notepad. The text file describes the male and female stages of life. While you are reading the text file, a script is running in the background. This worm spreads itself using Outlook, ICQ, mIRC, and PIRCH." (From http://www.symantec.com/avcenter/venc/data/vbs.stages.a.html) The fix is at: http://www.symantec.com/avcenter/venc/data/fix.vbs.stages.html

It appears that something in your office (or an associate's office) is spreading this infection. If you agree that you have NAV on all your machines, and if they are scanned and up to date with their virus definitions, then either you are missing a machine somewhere (someone's laptop?) or someone that you deal with often is giving these viruses to you.

The fact that Stages is old and that it spread pretty far and fast means it's likely that the ACCC is filtering it from the outside. [We are now, but we weren't when this exchange took place.] So, unless you are using the MS Exchange VirusEngine for mail, someone on campus is probably sending this virus to you.

If I were you, I would (preferably on a weekend):

  • Run Norton Antivirus's LiveUpdate to get the newest NAV virus definitions and scan all my machines with NAV.
  • Run the Stages fix utility on all my machines. [At the Symantec link above.]
  • Set up preventative measures. Depending on your department's infrastructure, this could be default filters on client machines in your office that filter all email attachments with the extension .shs to the trash, or server email filters that delete all messages with .shs attachments. (The latter would obviously have to be done with the help of your clients.)
  • I'd also use this time to run Windows Update on all my machines to prevent other infections and security breaches. [Windows Update is a Microsoft Web site that checks your Windows operating system and Internet Explorer for both necessary and optional updates. Just visit http://windowsupdate.microsoft.com/ and, with your permission, it will check your machine and offer a list of updates that you may choose to install if you wish. Install every "required security update."]

Or... you could skip the above steps and just take a weekend to install Macs in your department. That's not good for tech job security though. ;-)

As for whether you should delete the quarantined virus files? Of course! Only virus researchers have any reason to keep viruses hanging around. You should have NAV's Realtime File Protection [figure 5] -- Microsoft Exchange Realtime Protection if you use Exchange -- running all the time. That will keep you from getting infected from a known virus like Stages in the first place.

Figure 5: Setting Up Norton Realtime File Protection

If you don't already have Norton AntiVirus, install it (http://www.accc.uic.edu/software/antivirus/; for installation instructions, see http://www.uic.edu/depts/accc/software/nskit/uionline.pdf.)

The NAV install program turns on Realtime File Protection by default. If you already have NAV installed, select Start->Programs->Norton AntiVirus->Norton AntiVirus Corporate Edition, then click Configure->File System Realtime Protection in the box on the left. Make sure it's set up as shown.

[Illustration: setup for NAC File System Realtime Protection]

Steven Bandyk, sbandyk@uic.edu
ACCC Micro Repair Supervisor

[Can you tell that Steven is one of the ACCC's resident Mac experts?]
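The server-side filter suggested in the answer (act on any message carrying an .shs attachment) can be sketched as follows. This is an added example, not part of the original column or any ACCC or Symantec tool; the function names, the example.edu addresses and the sample messages are constructed for illustration. It matches on the final extension, so a double extension such as Life_stages.txt.shs is caught while a file merely named shs.txt is not.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = (".shs",)  # the extension the answer suggests filtering


def normalized_name(filename):
    """Lower-case the name and drop trailing dots/spaces, which Windows ignores."""
    return filename.strip().rstrip(". ").lower()


def blocked_attachments(raw_message):
    """Return the file names of all MIME parts whose final extension is blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads the Content-Disposition "filename" parameter and
        # falls back to the Content-Type "name" parameter.
        name = part.get_filename()
        if name and normalized_name(name).endswith(BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits


def disposition(raw_message):
    """Decide what a server-side filter would do with the message."""
    return "quarantine" if blocked_attachments(raw_message) else "deliver"


def build_sample(filename):
    """Constructed message with one harmless attachment of the given name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.edu"      # hypothetical address
    msg["To"] = "recipient@example.edu"     # hypothetical address
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("Life_stages.txt.shs", "REPORT.SHS", "notes.txt", "shs.txt"):
        print(f"{name!r:24} -> {disposition(build_sample(name))}")
```

The check looks only at attachment names, so it complements a virus scanner's content inspection and does not replace it.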

 


2002-6-4  connect@uic.edu