Virus Profile: VBS/Redlof@M

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/30/2002
Date Added: 4/30/2002
Origin: Unknown
Length: 11,518 bytes
Type: Virus
Subtype: VBScript worm
DAT Required: 4200

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

- Presence of KERNEL.DLL (11,160 bytes) in the SYSTEM directory
- Increase in file size of .HTM and .HTT documents

Methods of Infection

This worm exploits a Microsoft Internet Explorer vulnerability to infect .HTM documents and to configure email clients so that an infected document is included with each message that is sent out.

Aliases

HTML.Redlof.A (Symantec), VBS.Redolf (AVP), VBS/Redlof.dam, VBS_REDLOF.A (Trend)

Virus Characteristics

This is a file-infecting VBScript that sets a default, infected stationery file for the Microsoft Outlook and Outlook Express email clients. It exploits the Microsoft VM ActiveX Component vulnerability.

The script arrives in an email message, hidden from the user, or can be present on websites that contain infected .HTM files. The virus uses the BODY ONLOAD event to trigger the infection. .HTM and .HTT files on the local system are infected by appending the encrypted viral code to them. .HTT files are prepended with the BODY ONLOAD trigger, while in .HTM files the trigger is placed at the beginning of the virus body. The default mail account is retrieved from the registry, a stationery file named BLANK.HTM is created, and it is set as the default stationery through the following registry values:

  • HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\5.0\Mail\Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
  • HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\5.0\Mail\Wide Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360=blank
  • HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery=blank

The VBScript virus body is saved to the file KERNEL.DLL in the WINDOWS SYSTEM directory, and a registry run key is created to load the script at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32=C:\WINDOWS\SYSTEM\Kernel.dll

Loading a .DLL this way works because several other registry keys are created to re-associate .DLL files with the WSCRIPT.EXE handler:

  • HKEY_CLASSES_ROOT\dllfile\ScriptEngine\(Default)=VBScript
  • HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode\(Default)={85131631-480C-11D2-B1F9-00C04F86C324}
  • HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command\(Default)=C:\WINDOWS\WScript.exe "%1" %*
  • HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHandlers\WSHProps\(Default)={60254CA5-953B-11CF-8C96-00AA00B8708C}
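As an added, defender-side illustration (not McAfee's tool and not part of this profile), the Python below parses a registry export in .reg format and flags the values listed above: the Run entry that loads a .DLL, the dllfile class rewired to WScript/VBScript, and the stationery settings forced to blank.htm. The two .reg texts are constructed for the example; the {%id-value%} identity GUID is kept as the profile's placeholder.

```python
import re

# Constructed sample of a `reg export` from a system showing the changes this
# profile lists (the {%id-value%} identity GUID is the profile's placeholder).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="C:\\WINDOWS\\SYSTEM\\Kernel.dll"

[HKEY_CLASSES_ROOT\dllfile\ScriptEngine]
@="VBScript"

[HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command]
@="C:\\WINDOWS\\WScript.exe \"%1\" %*"

[HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\5.0\Mail]
"Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"
"Wide Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings]
"NewStationery"="blank"
'''

# Constructed clean export: the .dll class left alone and an ordinary Run value.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\dllfile]
@="Application Extension"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SomeTool"="C:\\Program Files\\Tool\\tool.exe"
'''

_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg text into {(key_path, value_name): data}.

    '@' is recorded as '(Default)'. Quoted REG_SZ data is unescaped; other
    data types (dword:, hex:) are kept as their raw text."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line) if key else None
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        values[(key, name)] = data
    return values


def find_redlof_indicators(reg_text):
    """Return one finding string per registry value matching the profile."""
    findings = []
    for (key, name), data in parse_reg(reg_text).items():
        k, d = key.lower(), data.lower()
        # Startup persistence: a Run value pointing at a .DLL only works for the
        # virus because the .DLL class is rewired to the script host (below).
        if k.endswith(r"\microsoft\windows\currentversion\run") and d.endswith(".dll"):
            findings.append(f"Run value {name!r} loads a .DLL: {data}")
        # .DLL files re-associated with WSCRIPT.EXE / the VBScript engine.
        elif k == r"hkey_classes_root\dllfile\scriptengine" and d == "vbscript":
            findings.append("dllfile ScriptEngine set to VBScript")
        elif k == r"hkey_classes_root\dllfile\shell\open\command" and "wscript.exe" in d:
            findings.append(f"dllfile open command runs WScript: {data}")
        # Mail clients forced to send the infected BLANK.HTM as stationery.
        elif (k.endswith(r"\outlook express\5.0\mail")
              and name in ("Stationery Name", "Wide Stationery Name")
              and d.endswith(r"\blank.htm")):
            findings.append(f"Outlook Express {name} = {data}")
        elif k.endswith(r"\common\mailsettings") and name == "NewStationery" and d == "blank":
            findings.append("Outlook NewStationery = blank")
        elif (r"windows messaging subsystem\profiles" in k
              and name.lower() == "001e0360" and d == "blank"):
            findings.append("Outlook profile value 001e0360 = blank")
    return findings


if __name__ == "__main__":
    for finding in find_redlof_indicators(SAMPLE_REG):
        print("[!]", finding)
```

Run against a real export (`reg export HKCR\dllfile out.reg` and the HKCU/HKLM hives listed above), the same function reports which of the profile's changes are present; the checks compare case-insensitively because registry paths are not case-sensitive.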

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations