VBS.Redlof.B
Name: VBS.Redlof.B
Aliases: Redlof.B, VBS/Redlof.B
Type: Script virus
Size: 14,068 bytes
First appeared on: January 2003
Damage: Redlof.B has no destructive effects. Its only purpose is to spread
to as many computers as possible.
Redlof.B searches for and infects files with the following extensions: ASP, TML,
HTT, HTM, VBS, PHP and JSP.
Brief Description: Redlof is a polymorphic virus that embeds itself, without
using any attachment, in every e-mail sent from the infected system. It executes when
an infected e-mail message is viewed.
To carry out infection, Redlof.B copies its code to HTT files, which are used to
view system folders as Web pages. From that moment on, when the affected user
opens a folder, they will be running the worm without knowing. This worm also
searches for and infects files with the following extensions: ASP, TML, HTT, HTM,
VBS, PHP and JSP.
This worm spreads via e-mail very quickly. To do this, it hides its code in the
file that serves as stationery for all the messages the affected user sends
through the Outlook mail client.
Redlof.B exploits the vulnerability affecting the VM ActiveX component, which
allows a virus to be run simply when a web page that contains the viral code is
viewed. More information about this vulnerability as well as the corresponding
security patch can be found on Microsoft's website.
Visible Symptoms: Redlof.B shows no messages or warnings that indicate
its presence on affected computers.
Technical description: Redlof.B creates the following files:
- KERNEL.DLL or KERNEL32.DLL (depending on the operating system installed on the
  system), in the Windows system directory. This is not a dynamic link library: it
  tries to pass itself off as one (a file with the DLL extension), but it is a copy
  of the worm containing its infection code.
- SETUP.TXE, in the directory Windows\System32. This file contains the worm's
  encrypted code.
- INET.VXD, in the directory Windows\System32. This file contains the worm's
  encrypted code.
- BLANK.HTM, in the directory Program Files\Common Files\Microsoft Shared\Stationery\.
  This is a copy of the worm.
Redlof.B creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "Kernel32.dll" = C:\%windir%\System\
  Redlof.B then copies Kernel.dll to computers with Windows ME/98/95 installed and
  Kernel32.dll to computers with XP/2000/NT installed. In this way, Redlof.B
  ensures it is run every time Windows is started up.
- HKEY_CLASSES_ROOT\dllfile\shell\Open\Command
  "(Default)" = C:\%windir%\%TempPath%\WScript.exe "%1" %*
  Through this entry, the worm ensures that the file KERNEL32.DLL it copied to the
  system is run. This file is copied to a directory other than the one in which the
  original KERNEL32.DLL was found; the worm does not overwrite the original
  system file.
To infect the system, Redlof.B carries out the following actions:
It copies its code to HTT files, which are used to view system folders as Web
pages. This worm can also infect files with the HTML extension.
From that moment on, when the affected user opens a folder, they will be running
the worm without knowing.
Propagation:
Redlof.B uses e-mail to spread. To do this, it hides its code in the file that
serves as stationery for all the messages the affected user sends through the
Outlook mail client.
Redlof.B exploits the vulnerability affecting the VM ActiveX component, which
allows a virus to be run simply when an HTML page that contains the viral code
is viewed. More information about this vulnerability, as well as the corresponding
security patch, can be found on Microsoft's website.
Removal tool and instructions: No removal tool is available. This virus is
very hard to delete manually, and AntivirusWorld recommends that you obtain one
of the antivirus products it lists. Nevertheless, you can try the instructions
below.
Note: These instructions are for experienced users only. Try them at your own
risk.
Disabling Web Content
Disable Web Content to prevent this malware from executing further.
- Open Windows Explorer: right-click Start and click Explore.
- On the Tools menu, select Folder Options.
- Click the General tab.
- Under Active Desktop, select Use Windows classic desktop.
- Under Web View, select Use Windows classic folders. Click Apply.
- Click the View tab. Under Advanced settings, uncheck Remember each folder's
  view settings. Click Apply.
- Click OK.
- Close Windows Explorer.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing
during startup.
- Open Registry Editor. Click Start > Run, type REGEDIT, then press Enter.
- In the left panel, double-click the following:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right panel, locate and delete the entry:
  Kernel32 = "%System%\Kernel.dll"
  or
  Kernel32 = "%System%\Kernel32.dll"
  *Where %System% refers to the System folder, which is usually
  C:\Windows\System (Windows 9x and ME), C:\WINNT\System32 (Windows NT and
  2000), or C:\Windows\System32 (Windows XP).
- Close the Registry Editor.
Addressing Registry Shell Spawning
Registry shell spawning executes the malware when a user tries to run a DLL
file. The following procedure should restore the registry to its original
state:
- Open Registry Editor. Click Start > Run, type REGEDIT.EXE, then press Enter.
- In the left panel, double-click the following:
  HKEY_CLASSES_ROOT\dllfile\shell\open
- Still in the left panel, select the "open" key folder by right-clicking its
  folder icon. Select the Delete command from the pop-up menu.
- Repeat steps 2 and 3 for the following registry key folders:
  HKEY_CLASSES_ROOT\dllfile\ScriptEngine
  HKEY_CLASSES_ROOT\dllfile\shellex
  HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode
- Close the Registry Editor.
Restoring the Deleted System File
To enable your system to function properly, restore the file
%System%\Kernel32.dll
using your original Windows installation CD or from a reliable backup source.
Applying Patches
The malware runs on infected systems with an unpatched VM ActiveX component
vulnerability. Visit the
Microsoft Security Bulletin (MS00-075)
for patch links and more information on this vulnerability.
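As an added example (not code from the AntivirusWorld write-up), the following PowerShell audit checks a machine for the persistence indicators the description lists: the Run value, the dllfile shell-spawning command and subkeys, and the dropped files. It only reports; the function name and output format are this example's own assumptions, and the registry paths and file names are taken from the description above.

```powershell
# Added audit script, not part of the AntivirusWorld write-up: reports the
# Redlof.B persistence indicators described above without changing anything.
# Registry paths, value names and file names come from the description;
# the function name and output format are this example's own choices.
function Find-RedlofIndicators {
    [CmdletBinding()] param()
    $findings = @()

    # 1. Autostart: a Run value named Kernel32 or pointing at Kernel.dll/Kernel32.dll
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -match '^Kernel32(\.dll)?$' -or "$($p.Value)" -match 'Kernel(32)?\.dll') {
                $findings += "Run value '$($p.Name)' = '$($p.Value)'"
            }
        }
    }

    # 2. Shell spawning: the dllfile "open" command routed through WScript.exe
    $openCmd = 'Registry::HKEY_CLASSES_ROOT\dllfile\shell\open\command'
    $cmd = (Get-ItemProperty -Path $openCmd -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -match 'WScript\.exe') {
        $findings += "dllfile open command hijacked: $cmd"
    }
    # Subkeys the removal steps delete. shellex can exist legitimately on some
    # Windows versions, so it is only mentioned for review, not counted as a hit.
    foreach ($sub in 'ScriptEngine', 'ScriptHostEncode') {
        if (Test-Path "Registry::HKEY_CLASSES_ROOT\dllfile\$sub") {
            $findings += "Unexpected dllfile subkey present: $sub"
        }
    }
    if (Test-Path 'Registry::HKEY_CLASSES_ROOT\dllfile\shellex') {
        Write-Verbose 'dllfile\shellex exists; review its contents manually.'
    }

    # 3. Dropped files. Kernel32.dll is a genuine system file, so only the
    #    non-system names and the stationery copy are checked by name.
    $sys = [Environment]::SystemDirectory
    $stationery = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\Stationery\blank.htm'
    foreach ($f in @("$sys\Kernel.dll", "$sys\SETUP.TXE", "$sys\INET.VXD", $stationery)) {
        if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
    }
    return $findings
}

$result = @(Find-RedlofIndicators -Verbose)
if ($result.Count -eq 0) { 'No Redlof.B indicators found.' } else { $result }
```

Run it from an elevated PowerShell session; any hit should then be handled with the manual removal steps above rather than by the script.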
Source: http://www.antivirusworld.com/