Win32.Rede.A@mm

LOW
LOW
12288 bytes
(N/A)

Symptoms

-The presence of one of the following files:
C:\Common.exe
C:\Rede.exe
C:\Si.exe
C:\UserConf.exe
C:\disk.exe


-The registry keys:
-[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rede]
with value "C:\Rede.exe"
-[HKLM\Software\Microsoft\Windows\CurrentVersion\ErrorHandling\Error]
with value "True"

Removal instructions:

  1. If you don't have BitDefender installed click here to download an evaluation version;

  2. Make sure that you have the latest updates using BitDefender Live!;

  3. Make the following changes in the Windows registry:

    Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry please read the FAQ.

    1. Select Run... from Start, then type regedit and press Enter;

    2. Delete the following keys:
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rede
      HKLM\Software\Microsoft\Windows\CurrentVersion\ErrorHandling\Error

  4. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Rede.A@mm.

Analyzed By

Sorin Victor Dudea BitDefender Virus Researcher

Technical Description:

This is an Internet worm that spreads through e-mail.
It arrives in the following format:

Subject:
One of the following texts:

FW: Security Update by Microsoft.
FW: Microsoft security update.
FW: IT departments on state of HIGH ALERT.
FW: Important news from Microsoft.
FW: Stop terrorists computer viruses reign.
FW: Terrorists release computer virus.
FW: Emergency response from Microsoft Corp.
FW: Terrorist Emergency. Latest virus can wipe disk in minutes.
FW: Microsoft Update. Final Release Candidate.
FW: New computer virus.



Body:

Just recieved this in my email
I have contacted Microsoft and they say it's real !


-----Original Message-----
From: Microsoft Support Desk [mailto:Support@microsoft.com]
Sent: 17 October 2001 15:21
Subject: Security Update
Due to the recent spate of email spread computer viruses
Microsoft Corp has released a security patch.
Please apply the attached file to your Windows computer
to stop any futher spread or these malicious programs.
Regards
Microsoft Support


Attachment:
One of the files created by the virus, with one of the following file names:

Common.exe
Rede.exe
Si.exe
UserConf.exe
disk.exe
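
A mail-gateway check built from the subject lines, body text and attachment names listed above, as an added example that is not part of the original BitDefender description. The function names, the two-indicator threshold in `is_rede_mail` and the `sample` helper (which builds constructed test messages) are assumptions made for illustration.

```python
import email.policy
from email.message import EmailMessage

# Indicators copied from the description above; matching is case-insensitive.
SUBJECTS = {s.casefold() for s in (
    "FW: Security Update by Microsoft.",
    "FW: Microsoft security update.",
    "FW: IT departments on state of HIGH ALERT.",
    "FW: Important news from Microsoft.",
    "FW: Stop terrorists computer viruses reign.",
    "FW: Terrorists release computer virus.",
    "FW: Emergency response from Microsoft Corp.",
    "FW: Terrorist Emergency. Latest virus can wipe disk in minutes.",
    "FW: Microsoft Update. Final Release Candidate.",
    "FW: New computer virus.",
)}
ATTACHMENTS = {"common.exe", "rede.exe", "si.exe", "userconf.exe", "disk.exe"}
BODY_MARKER = "microsoft corp has released a security patch"

def rede_indicators(raw: bytes) -> list:
    """Return which of the worm's mail indicators appear in one raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    if " ".join(str(msg.get("Subject", "")).split()).casefold() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if name.strip().casefold() in ATTACHMENTS:
                hits.append("attachment:" + name.strip())
        elif part.get_content_type() == "text/plain":
            if BODY_MARKER in " ".join(part.get_content().split()).casefold():
                hits.append("body")
    return hits

def is_rede_mail(raw: bytes) -> bool:
    # Assumed policy: a listed attachment name plus at least one text indicator.
    hits = rede_indicators(raw)
    return len(hits) >= 2 and any(h.startswith("attachment:") for h in hits)

def sample(subject, body, attachment=None) -> bytes:
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```

A listed subject or file name on its own is reported by `rede_indicators` but does not trip `is_rede_mail`, which keeps ordinary forwarded mail with a similar subject out of quarantine.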









After the attachment is run, the virus copies itself to the following hidden files:
C:\Common.exe
C:\Rede.exe
C:\Si.exe
C:\UserConf.exe
C:\disk.exe


It adds the following keys to the registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rede]
with value "C:\Rede.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\ErrorHandling\Error]
with value "True"



It shows a fake message box and then sends itself to all e-mail addresses found in Outlook's Address Book, in the same format as it arrives.

On 11/11/2001 it will add the following lines to c:\autoexec.bat:

ECHO Bide ye the Wiccan laws ye must, In perfect love and perfect trust.
format C: /autotest


so that after the next reboot drive C: is formatted automatically.

The virus contains the following Unicode strings:

When misfortune is enow, wear the blue star on thy brow.
True in love ye must ever be, lest thy love be false to thee.
These words the Wiccan Rede fulfill: An ye harm none, do what ye will.
Rede(c)Si 2001 ... heh, want my phone number too ?!?
Sick of all thes 3rd world gits spreading worms. Time for a bit of Welsh stuff :)