VBS.Redlof.A (N/A)
SYMPTOMS:
TECHNICAL DESCRIPTION:
The virus infects HTML and VBS files. It is polymorphic: it modifies its script at every infection.

It copies itself as Kernel.dll or Kernel32.dll into the system folder (C:\Windows\System or C:\WINNT\System32) and modifies registry keys so that these files are executed with wscript.exe; as a result every .dll file is run as a script rather than loaded as a DLL. The modified registry keys are:
  HKCR\.dll\ with the value dllfile
  HKCR\.dll\Content Type with the value application/x-msdownload
  HKCR\dllfile\DefaultIcon\ with the DefaultIcon value of vxdfile
  HKCR\dllfile\ScriptEngine\ with the value VBScript
  HKCR\dllFile\Shell\Open\Command\ with the value WScript.exe…
  HKCR\dllFile\ShellEx\PropertySheetHandlers\WSHProps\
  HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode\

It also copies itself as Folder.htt into the Web folder under the Windows folder, and as desktop.ini into the system32 folder under the Windows folder.

It appends a modified copy of itself to all HTML and VBS files in the current folder, the Windows folder (C:\Winnt or C:\Windows) and the system folder (C:\Windows\System or C:\WINNT\System32). It also appends itself to all HTML and VBS files in the folder C:\Program Files\Common Files\Microsoft Shared\Stationery.

The virus creates the file C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm and modifies the following registry keys (if they exist):
  HKCU\Identities\Software\Microsoft\Outlook Express\Mail\Compose Use Stationery with the value 1
  HKCU\Identities\Software\Microsoft\Outlook Express\Mail\Stationery Name with the value C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
  HKCU\Identities\Software\Microsoft\Outlook Express\Mail\Wide Stationery with the value C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
  HKCU\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference with the value blank
  HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360 with the value blank
  HKCU\Software\Microsoft\Windows\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360 with the value blank
  HKCU\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference with the value blank
  HKCU\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery with the value blank

By modifying these keys it infects the e-mail template, so every e-mail sent by the user carries the virus in HTML form.

REMOVAL INSTRUCTIONS: BitDefender can automatically disinfect or delete the files infected by this virus. The modified registry entries must be corrected manually.
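Because the registry entries have to be corrected by hand, an offline check of what the description lists is useful before and after cleanup. The script below is an added example, not BitDefender's tooling: it parses the text of a Windows `.reg` export (REGEDIT 5.00 format, as produced by `reg export`) and reports which of the entries above are present. It checks only the entries a clean installation does not have (the dllfile ScriptEngine and WScript.exe open command, and the Outlook Express stationery settings); HKCR\.dll mapping to dllfile with Content Type application/x-msdownload is normal on Windows and is deliberately not flagged, and the Office/Outlook entries whose exact value the description gives only as "blank" are left out. The identity GUID between Identities and Software in the Outlook Express path, and the sample exports, are constructed assumptions.

```python
"""Offline check of a .reg export for the registry changes attributed to
VBS.Redlof.A.  Added example; the parser and indicator list are not
BitDefender's own tooling."""
import re
from typing import Callable, Dict, List, Tuple

# (normalized key path, lower-cased value name) -> decoded value; "" = default value
RegValues = Dict[Tuple[str, str], object]

_HIVES = {"HKCR": "HKEY_CLASSES_ROOT", "HKCU": "HKEY_CURRENT_USER",
          "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def normalize_key(key: str) -> str:
    """Expand hive abbreviations, lower-case, drop a trailing backslash."""
    hive, _, rest = key.partition("\\")
    hive = _HIVES.get(hive.upper(), hive.upper())
    return (hive + "\\" + rest).lower().rstrip("\\")


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw: str) -> object:
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])            # REG_SZ
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)                # REG_DWORD
    return raw                                 # hex(...) binary left undecoded


def parse_reg_export(text: str) -> RegValues:
    """Parse REGEDIT 5.00 export text into a {(key, value name): value} map."""
    values: RegValues = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        values[(current, name.lower())] = _decode_value(m.group(2))
    return values


def _is_oe_mail_key(key: str) -> bool:
    # The description writes HKCU\Identities\Software\...; an installed Outlook
    # Express keeps an identity GUID between Identities and Software
    # (assumption), so match by prefix and suffix instead of the exact path.
    return (key.startswith("hkey_current_user\\identities\\")
            and key.endswith("\\software\\microsoft\\outlook express\\mail"))


def _is_key(path: str) -> Callable[[str], bool]:
    return lambda k: k == path


def _is_blank_htm(v: object) -> bool:
    return isinstance(v, str) and v.lower().endswith("\\microsoft shared\\stationery\\blank.htm")


# (label, key matcher, value name, value predicate).  The .dll -> dllfile mapping
# and its Content Type exist on a clean Windows install, so they are not listed.
# The stationery settings can also be chosen by a user; treat them as corroborating.
INDICATORS = [
    ("HKCR\\dllfile\\ScriptEngine set to VBScript",
     _is_key("hkey_classes_root\\dllfile\\scriptengine"), "",
     lambda v: isinstance(v, str) and v.lower() == "vbscript"),
    ("HKCR\\dllFile\\Shell\\Open\\Command invokes WScript.exe",
     _is_key("hkey_classes_root\\dllfile\\shell\\open\\command"), "",
     lambda v: isinstance(v, str) and "wscript.exe" in v.lower()),
    ("Outlook Express 'Compose Use Stationery' enabled",
     _is_oe_mail_key, "compose use stationery", lambda v: v == 1),
    ("Outlook Express 'Stationery Name' points at blank.htm",
     _is_oe_mail_key, "stationery name", _is_blank_htm),
    ("Outlook Express 'Wide Stationery' points at blank.htm",
     _is_oe_mail_key, "wide stationery", _is_blank_htm),
]


def find_redlof_indicators(values: RegValues) -> List[str]:
    """Return the labels of every indicator present, in INDICATORS order."""
    return [label for label, key_ok, name, value_ok in INDICATORS
            if any(vname == name and key_ok(key) and value_ok(v)
                   for (key, vname), v in values.items())]


# Constructed sample exports (not from a real machine); GUID is a placeholder.
SAMPLE_INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.dll]
@="dllfile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\dllfile\ScriptEngine]
@="VBScript"

[HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command]
@="WScript.exe \"%1\" %*"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\Mail]
"Compose Use Stationery"=dword:00000001
"Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"
"Wide Stationery"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"
'''

SAMPLE_CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.dll]
@="dllfile"
"Content Type"="application/x-msdownload"
'''

if __name__ == "__main__":
    for name, text in (("infected", SAMPLE_INFECTED_REG), ("clean", SAMPLE_CLEAN_REG)):
        print(name, find_redlof_indicators(parse_reg_export(text)) or "no indicators")
```

Export the relevant hives on the suspect machine (for example HKCR\dllfile and the Outlook Express identity keys under HKCU), move the `.reg` file to an analysis host and feed its text to `parse_reg_export`; an empty result after manual cleanup confirms that the listed entries were removed.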
ANALYZED BY: Mihaela Stoian, BitDefender Virus Researcher