
VBS.Redlof.A

MEDIUM
LOW
+11516 bytes (in HTML files), +11160 bytes (in VBS-files)
(N/A)

Symptoms

  • Infected HTML files grow by 11516 bytes and infected VBS files by 11160 bytes.

  • The file Kernel.dll or Kernel32.dll in the system folder (C:\Windows\System or C:\WINNT\System32) is 11160 bytes in size.
Removal instructions:

BitDefender can automatically disinfect or delete the files infected by this virus. The modified registry entries must be corrected manually.

1. If you don't have BitDefender installed, download an evaluation version;

2. Make sure that you have the latest updates using BitDefender Live!;

3. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with VBS.Redlof.A.

Analyzed By

Mihaela Stoian, BitDefender Virus Researcher

Technical Description:

The virus infects HTML and VBS files. It is polymorphic: it modifies its script at every infection.

It copies itself as Kernel.dll or Kernel32.dll into the system folder (C:\Windows\System or C:\WINNT\System32).

It modifies registry keys so that these files (Kernel.dll or Kernel32.dll) are executed by wscript.exe: every file with a .dll extension is then run as a script rather than loaded as a DLL.

The modified registry keys are:

HKCR\.dll\
with the value dllfile

HKCR\.dll\Content Type
with the value application/x-msdownload

HKCR\dllfile\DefaultIcon\
with the same value as the DefaultIcon of vxdfile

HKCR\dllfile\ScriptEngine\
with the value VBScript

HKCR\dllFile\Shell\Open\Command\
with the value WScript.exe…

HKCR\dllFile\ShellEx\PropertySheetHandlers\WSHProps\

HKCR\dllFile\ScriptHostEncode\
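The registry changes listed above are what a defender can audit directly. The PowerShell script below is an added example, not Bitdefender's tool and not material from the original description; it reads the .dll file-association keys and checks the size of Kernel.dll / Kernel32.dll in the system folder, without modifying anything. It assumes it is run on the host being examined. Note that HKCR\.dll = dllfile and the Content Type application/x-msdownload are normal Windows defaults, so only the script-engine keys, a WScript.exe open command and the 11160-byte file size are treated as indicators.

```powershell
# Added example, not Bitdefender's own tool: read-only audit of the .dll
# file-association keys and the dropped script copies described above.
# Assumption: run on the host being checked; nothing is modified.

function Get-RegValue {
    param([string]$KeyPath, [string]$Name = '')
    # Returns a named value of a registry key ('' = default value), or $null if absent.
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name)
}

function Test-RedlofDllHijack {
    # Returns a list of findings; an empty list means none of the described
    # indicators were found. HKCR\.dll = 'dllfile' and the Content Type
    # 'application/x-msdownload' are Windows defaults, so they are not reported.
    $findings = @()
    $dllfile = 'Registry::HKEY_CLASSES_ROOT\dllfile'

    $engine = Get-RegValue "$dllfile\ScriptEngine"
    if ($engine -eq 'VBScript') {
        $findings += "dllfile\ScriptEngine is VBScript: .dll files are treated as scripts"
    }

    $openCmd = Get-RegValue "$dllfile\Shell\Open\Command"
    if ($openCmd -and $openCmd -match 'wscript\.exe') {
        $findings += "dllfile\Shell\Open\Command launches WScript.exe: $openCmd"
    }

    foreach ($sub in 'ScriptHostEncode', 'ShellEx\PropertySheetHandlers\WSHProps') {
        if (Test-Path -Path "$dllfile\$sub") {
            $findings += "dllfile\$sub exists (Windows Script Host handler on the DLL type)"
        }
    }

    # Dropped script copies: the description gives a size of 11160 bytes. The
    # genuine Kernel32.dll is far larger, so an exact size match is the indicator.
    $sysDir = [Environment]::GetFolderPath('System')
    foreach ($name in 'Kernel.dll', 'Kernel32.dll') {
        $path = Join-Path $sysDir $name
        $f = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($f -and $f.Length -eq 11160) {
            $findings += "$path is 11160 bytes (size of the dropped script copy)"
        }
    }
    return $findings
}

$result = @(Test-RedlofDllHijack)
if ($result.Count -eq 0) { 'No VBS.Redlof.A .dll-association indicators found.' }
else { $result | ForEach-Object { "INDICATOR: $_" } }
```

Run it in a normal PowerShell session; reading HKCR and file sizes needs no elevation. A positive result on the ScriptEngine or Shell\Open\Command check means any double-clicked .dll file would be handed to the Windows Script Host, which is the behaviour the description attributes to the virus.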

It also copies itself as Folder.htt into the Web folder under the Windows folder, and as desktop.ini into the system32 folder under the Windows folder.

It appends a modified copy of itself to all HTML and VBS files in the current folder, the Windows folder (C:\Winnt or C:\Windows) and the system folder (C:\Windows\System or C:\WINNT\System32).

It also appends itself to all HTML and VBS files in the folder C:\Program Files\Common Files\Microsoft Shared\Stationery.

The virus creates the file:

C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm

and modifies (if they exist) the registry keys:

HKCU\Identities\Software\Microsoft\Outlook Express\Mail\Compose Use Stationery
with the value 1.

HKCU\Identities\Software\Microsoft\Outlook Express\Mail\Stationery Name
with the value C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm.

HKCU\Identities\Software\Microsoft\Outlook Express\Mail\Wide Stationery
with the value C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm.

HKCU\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference
with the value blank.

HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360
with the value blank.

HKCU\Software\Microsoft\Windows\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360
with the value blank.

HKCU\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference
with the value blank.

HKCU\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery
with the value blank.

By modifying these keys, it makes the infected blank.htm the default email stationery (template), so every email the user sends carries the virus in HTML form.
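The stationery changes above are a second, independent set of indicators. The PowerShell script below is an added example, not Bitdefender's tool and not material from the original description; it checks for the dropped blank.htm and for the Outlook / Outlook Express settings named above, reading only. Its assumptions: it runs as the user whose profile is being checked; the Outlook Express values live somewhere under HKCU\Identities (the description does not show the identity GUID level, so every identity is searched for a Mail key); the Stationery folder is located via %CommonProgramFiles%; and the MAPI property 001e0360 is stored as a REG_BINARY 8-bit string.

```powershell
# Added example, not Bitdefender's own tool: read-only audit of the Outlook /
# Outlook Express stationery settings described above and of the dropped blank.htm.
# Assumptions: runs as the affected user; Outlook Express values are searched under
# every identity in HKCU\Identities; 001e0360 is a REG_BINARY 8-bit string.

function Get-RegValue {
    param([string]$KeyPath, [string]$Name = '')
    # Returns a named value of a registry key ('' = default value), or $null if absent.
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name)
}

function Test-RedlofStationery {
    $findings = @()

    # 1. The dropped stationery file (C:\Program Files\Common Files\... on a default install).
    $blank = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Stationery\blank.htm'
    if (Test-Path -Path $blank) { $findings += "stationery file present: $blank" }

    # 2. Outlook Express: any Mail key under HKCU\Identities whose stationery values
    #    point at blank.htm. 'Compose Use Stationery' = 1 alone is a legitimate user
    #    choice, so it is only reported together with a blank.htm reference.
    $idRoot = 'Registry::HKEY_CURRENT_USER\Identities'
    if (Test-Path -Path $idRoot) {
        $mailKeys = Get-ChildItem -Path $idRoot -Recurse -ErrorAction SilentlyContinue |
                    Where-Object { $_.PSChildName -eq 'Mail' }
        foreach ($mk in $mailKeys) {
            $refs = foreach ($n in 'Stationery Name', 'Wide Stationery') {
                $v = $mk.GetValue($n)
                if ("$v" -match 'blank\.htm') { "$n = $v" }
            }
            if ($refs) {
                $use = $mk.GetValue('Compose Use Stationery')
                $findings += "$($mk.Name): $($refs -join '; '); Compose Use Stationery = $use"
            }
        }
    }

    # 3. Office 9.0 / 10.0 values named in the description.
    $officeChecks = @(
        @{ Key = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail';  Name = 'EditorPreference' },
        @{ Key = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail'; Name = 'EditorPreference' },
        @{ Key = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings';  Name = 'NewStationery' }
    )
    foreach ($c in $officeChecks) {
        $v = Get-RegValue $c.Key $c.Name
        if ("$v" -match 'blank') { $findings += "$($c.Key)\$($c.Name) = $v" }
    }

    # 4. MAPI profile property 001e0360 under both profile roots named in the description.
    $profileRoots = @(
        'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles',
        'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Windows Messaging Subsystem\Profiles'
    )
    foreach ($root in $profileRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($profile in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $raw = Get-RegValue "$($profile.PSPath)\0a0d020000000000c000000000000046" '001e0360'
            if ($null -eq $raw) { continue }
            # Assumption: a 001e-typed MAPI property is an 8-bit string stored as REG_BINARY.
            $text = if ($raw -is [byte[]]) { [Text.Encoding]::ASCII.GetString($raw).TrimEnd([char]0) } else { "$raw" }
            if ($text -match 'blank') { $findings += "$($profile.Name) 001e0360 = $text" }
        }
    }
    return $findings
}

$result = @(Test-RedlofStationery)
if ($result.Count -eq 0) { 'No VBS.Redlof.A stationery indicators found.' }
else { $result | ForEach-Object { "INDICATOR: $_" } }
```

Because the description only says the registry values are changed "if they exist", a clean result here does not exclude infection; use it alongside the .dll-association and file-size checks, and let the scanner handle the infected HTML and VBS files themselves.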