WARNING! VIRUS!
Glen
mclilith at ezwv.com
Tue Nov 14 13:54:24 CET 2000
At 11:40 PM 11/13/00 , patchell wrote:
> And the question I have, is which attachment was the virus in? There was
>a text attachment (my browser said plain text), which I opened, and a second
>attachment, which I did not open.
I have renamed the attachment on my system, but the original name of it was
something like the following:
Life_Stages.txt.shs
I can't remember if this is the exact name, but I do remember that the file
had the ".txt.shs" extension, when I saw the link to open it from my email
program, Eudora Pro. However, when I looked at this file with Windows
Explorer, it only had the ".txt" extension, and the ".shs" extension was
hidden. (Yes, I do have the options set in Windows Explorer to always show
extensions, but for some reason, Windows didn't want to show this
particular extension. It's things like this, that make me hate Windows.) I
renamed the file to "worm.txt" before I opened it in "edit".
If you open it with a text editor, (Please do not do this! I don't want
anyone to accidentally get infected.) you will find the following text
fragment amidst some sort of Windows scripting program:
MIRC/NETWORK/OUTLOOK/PIRCH.ShellScrapWorm by SimpleSimon / Zulu
I have read the file using the DOS program "edit", and it appears to be
some sort of script, but it is not entirely ASCII. There is some binary
data in the file as well. If you open the file in a Windows editor, you
will find it impossible to scroll to the bottom of the file, for some
reason. If you open it in DOS, using "edit", then you can actually read the
whole file. I'm not really a programmer, so I can't figure out what it is
supposed to do. In the script, I saw references to Visual Basic Script,
Networking, and Outlook. In my opinion, this is another reason for me to
not use Outlook Express, as it seems to be targeted by this worm.
I have one question: What on earth is a "shell scrap object" file
(extension ".SHS") anyway? Windows Explorer is configured to open them
using RUNDLL32. I did a complete scan of my hard drive and there are
currently no files on my system with the ".SHS" extension. Could I safely
delete this registered file type and its RUNDLL32 association?
Later,
Glen Berry
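
An added example, not part of the original message or of any tool it mentions: a Python check that flags attachment names like the ".txt.shs" one described above, where a harmless-looking extension sits in front of the one Windows acts on. The extension lists and the sample message are constructed for illustration.

```python
from email import message_from_string, policy

# Final extensions that run code when opened (illustrative list, an assumption).
ACTIVE_EXTS = {"shs", "shb", "vbs", "vbe", "js", "jse", "wsf", "wsh",
               "scr", "pif", "lnk", "exe", "com", "bat", "cmd", "hta"}
# Harmless-looking extensions that serve as the visible decoy (also assumed).
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "pdf", "htm", "html", "xls"}

def classify(filename):
    """Return 'decoy-double-extension', 'active-extension' or None."""
    parts = filename.strip().lower().split(".")
    if len(parts) < 2 or parts[-1] not in ACTIVE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "decoy-double-extension"
    return "active-extension"

def scan_message(raw):
    """Return [(filename, verdict)] for each flagged attachment in a raw mail."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        verdict = classify(name) if name else None
        if verdict:
            findings.append((name, verdict))
    return findings

# Constructed sample message, not the real worm mail; bodies are placeholders.
SAMPLE = """\
From: sender@example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

placeholder text
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Life_Stages.txt.shs"

placeholder bytes
--b1--
"""

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE):
        print(f"{verdict}: {name}")
```

The check reads the name from the MIME headers rather than from what Explorer displays, so it still sees the final extension when the file manager hides it.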