
VBS.Redlof.B


Name: VBS.Redlof.B

Aliases: Redlof.B, VBS/Redlof.B

Type: Script virus

Size: 14,068 bytes

First appeared on: January 2003

Damage: Redlof.B has no destructive effects. Its only purpose is to spread to as many computers as possible.

Redlof.B searches for and infects files with the following extensions: ASP, TML, HTT, HTM, VBS, PHP and JSP.

Brief Description: Redlof is a polymorphic virus that embeds itself, without any attachment, into every e-mail sent from the infected system. It executes when an infected e-mail message is viewed.

To carry out infection, Redlof.B copies its code to HTT files, which are used to view system folders as Web pages. From then on, whenever the affected user opens a folder, they run the worm without knowing it. This worm also searches for and infects files with the following extensions: ASP, TML, HTT, HTM, VBS, PHP and JSP.

This worm spreads very quickly via e-mail. To do this, it hides its code in the file that serves as stationery for all the messages the affected user sends through the Outlook mail client.

Redlof.B exploits the vulnerability in the Microsoft VM ActiveX component, which allows a virus to run simply when a web page containing the viral code is viewed. More information about this vulnerability, as well as the corresponding security patch, can be found on Microsoft's website.

Visible Symptoms: Redlof.B shows no messages or warnings that indicate its presence on affected computers.

Technical description: Redlof.B creates the following files:

  • KERNEL.DLL or KERNEL32.DLL (depending on the operating system installed), in the Windows system directory. This is not a dynamic link library but a file containing the worm's infection code: it tries to pass itself off as a DLL (a file with the DLL extension), but it is a copy of the worm.

  • SETUP.TXE, in the directory Windows\System32. This file contains the worm's encrypted code.

  • INET.VXD, in the directory Windows\System32. This file contains the worm's encrypted code.

  • BLANK.HTM, in the directory Program Files\Common Files\Microsoft Shared\Stationery\. This is a copy of the worm.

Redlof.B creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Kernel32.dll" C:\%windir%\System\

    Redlof.B copies Kernel.dll to computers with Windows ME/98/95 installed and Kernel32.dll to computers with XP/2000/NT installed. Through this entry, Redlof.B ensures it is run every time Windows starts.

  • HKEY_CLASSES_ROOT\dllfile\shell\Open\Command "(Default)" C:\%windir%\%TempPath%\WScript.exe "%1" %*

    Through this entry, the worm ensures that the KERNEL32.DLL it copied to the system is run. This file is copied to a directory other than the one in which the original KERNEL32.DLL was found; the worm does not overwrite the original system file.

To infect the system, Redlof.B carries out the following actions:

It copies its code to HTT files, which are used to view system folders as Web pages. This worm can also infect files with the HTML extension.

From then on, whenever the affected user opens a folder, they run the worm without knowing it.
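The advisory lists the file types Redlof.B infects but offers no tool to find them. The following script is an added example (not code from the original page or from AntivirusWorld) that walks a directory tree, picks out files with the listed extensions, and reports those that embed a VBScript block so they can be inspected and restored from backup. The "embedded VBScript block" marker is an assumption drawn from the worm being a VBS script virus, not a signature published in the advisory; the sample directory, its file names and contents are constructed for the demonstration.

```python
"""Triage scan for files of the types Redlof.B infects (ASP, TML, HTT, HTM,
VBS, PHP, JSP), reporting the ones that embed a VBScript block.  Added example;
the VBScript-block marker is an assumption, not an advisory signature."""
import os
import re
import shutil
import tempfile

TARGET_EXTS = {".asp", ".tml", ".htt", ".htm", ".vbs", ".php", ".jsp"}

# Assumption: an infected web-view template or page carries the worm inside a
# <script language=vbscript> element.  Stock folder.htt files also contain
# script (usually JScript), so a hit means "inspect this file", not "infected".
VBS_BLOCK = re.compile(rb"<script[^>]*language\s*=\s*[\"']?vbscript", re.I)


def scan_tree(root):
    """Walk `root`; return sorted (relative path, reason) pairs for files worth
    a look.  Loose .vbs files are always listed, since the marker cannot
    separate the worm from any other VBScript file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            ext = os.path.splitext(fn)[1].lower()
            if ext not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            if ext == ".vbs":
                hits.append((rel, "loose VBScript file; review manually"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(256 * 1024)   # templates are small; cap the read
            if VBS_BLOCK.search(head):
                hits.append((rel, "embedded VBScript block"))
    return sorted(hits)


def build_sample_tree():
    """Constructed fixture: a throw-away directory holding a clean JScript-only
    folder.htt, a desktop.htt carrying a VBScript block, a loose .vbs file and
    an unrelated .txt.  Names mimic Windows web-view templates; the contents
    are made up for this example and carry no payload."""
    root = tempfile.mkdtemp(prefix="redlof_demo_")
    os.makedirs(os.path.join(root, "Web"))
    samples = {
        os.path.join("Web", "folder.htt"):
            b"<html><script language=JavaScript>var x = 1;</script></html>",
        os.path.join("Web", "desktop.htt"):
            b"<html><SCRIPT LANGUAGE=\"VBScript\">' constructed marker only\n"
            b"</SCRIPT></html>",
        "test.vbs": b"MsgBox \"hello\"",
        "readme.txt": b"<script language=vbscript> ignored: wrong extension",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root


def demo():
    """Build the fixture, scan it, clean up, and return the hits with forward
    slashes so the result reads the same on any OS."""
    root = build_sample_tree()
    try:
        return [(rel.replace(os.sep, "/"), why) for rel, why in scan_tree(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {why}")
```

Run it against the Windows directory and the Outlook stationery folder named in the advisory rather than the fixture; the output is a review list, and each listed file still has to be compared with a known-good copy before it is deleted or restored.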

Propagation:

Redlof.B uses e-mail to spread. To do this, it hides its code in the file that serves as stationery for all the messages the affected user sends through the Outlook mail client.

Redlof.B exploits the vulnerability in the Microsoft VM ActiveX component, which allows a virus to run simply when an HTML page containing the viral code is viewed. More information about this vulnerability, as well as the corresponding security patch, can be found on Microsoft's website.

Removal tool and instructions: No removal tool is available. This virus is very hard to delete manually. AntivirusWorld recommends obtaining one of the following antivirus products:

Nevertheless, you can try the instructions below.

Note: These instructions are for experienced users only. Try them at your own risk.

Disabling Web Content

Disable Web Content to prevent this malware from executing further.

  • Open Windows Explorer: right-click Start and click Explore.

  • On the Tools menu, select Folder Options.

  • Click on General tab.

  • Under Active Desktop, select Use Windows classic desktop.

  • Under Web View, select Use Windows classic folders. Click Apply.

  • Click on View tab. Under Advanced settings, uncheck Remember each folder's view settings. Click Apply.

  • Click OK.

  • Close Windows Explorer.

Removing Autostart Entries from the Registry

Removing autostart entries from registry prevents the malware from executing during startup.

  • Open Registry Editor. Click Start>Run, type REGEDIT then press Enter.

  • In the left panel, double-click the following: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • In the right panel, locate and delete the entry:
    Kernel32 = "%System%\Kernel.dll"
    or
    Kernel32 = "%System%\Kernel32.dll"
    Where %System% refers to the System folder, which is usually C:\Windows\System (Windows 9x and ME), C:\WINNT\System32 (Windows NT and 2000), or C:\Windows\System32 (Windows XP).

  • Close the Registry Editor.

Addressing Registry Shell Spawning

Registry shell spawning executes the malware when a user tries to run a DLL file. The following procedures should restore the registry to its original state:

  • Open Registry Editor. Click Start>Run, type REGEDIT.EXE then press Enter.

  • In the left panel, double-click your way to the following key: HKEY_CLASSES_ROOT\dllfile\shell\open

  • Still in the left panel, select the "open" key by right-clicking its folder icon, then select Delete from the pop-up menu.

  • Repeat the previous two steps (navigate to the key, then delete it) for the following registry key folders:

  • HKEY_CLASSES_ROOT\dllfile\ScriptEngine

  • HKEY_CLASSES_ROOT\dllfile\shellex

  • HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode

  • Close the Registry Editor.
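Both registry procedures above (the Run autostart entry and the dllfile shell spawning) can be checked before anything is deleted by exporting the two keys with reg.exe and reading the export offline. The script below is an added example, not code from the original page or from AntivirusWorld: it parses the text of a .reg export and flags a Run value that launches a Kernel.dll / Kernel32.dll copy and any dllfile\shell\Open\Command value, which the advisory says should not exist at all. The SAMPLE_REG text, its paths and the ctfmon entry are constructed for the example.

```python
"""Offline check for the two Redlof.B persistence entries described in this
advisory, run against `reg export` output copied off the suspect machine.
Added example; not code from the original page or from AntivirusWorld."""
import re
from dataclasses import dataclass

# Constructed sample of what `reg export` of the two keys could look like on an
# infected Windows XP system (paths and the ctfmon entry are made up here).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Kernel32"="C:\\WINDOWS\\System32\\Kernel32.dll"

[HKEY_CLASSES_ROOT\dllfile]
@="Application Extension"

[HKEY_CLASSES_ROOT\dllfile\shell\Open\Command]
@="C:\\WINDOWS\\Temp\\WScript.exe \"%1\" %*"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DLLFILE_OPEN = r"HKEY_CLASSES_ROOT\dllfile\shell\Open\Command"
_VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")$')


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reason: str


def _unescape(s):
    # .reg files escape embedded quotes as \" and every backslash as \\;
    # undo the quote escape first so a trailing \\ before a quote survives
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Map key path -> {value name: data} for REG_SZ values in a .reg export.
    dword:/hex: values are skipped; '@' is reported as '(Default)'.
    (A real reg.exe export is UTF-16LE: open it with encoding='utf-16'.)"""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE.match(line)
            if m:
                name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
                keys[current][name] = _unescape(m.group(4))
    return keys


def find_redlof_persistence(keys):
    """Flag the autostart entry and the dllfile shell-spawning command that the
    advisory attributes to Redlof.B.  Key paths are compared case-insensitively,
    as the registry itself does."""
    findings = []
    lower = {k.lower(): v for k, v in keys.items()}
    for name, data in lower.get(RUN_KEY.lower(), {}).items():
        tail = data.strip('"').rsplit("\\", 1)[-1].lower()
        # kernel32.dll is a library that nothing launches from Run; a Run value
        # pointing at Kernel.dll / Kernel32.dll is the worm's startup hook
        if tail in ("kernel.dll", "kernel32.dll"):
            findings.append(Finding(RUN_KEY, name, data,
                                    "Run entry launches a Kernel DLL copy"))
    for name, data in lower.get(DLLFILE_OPEN.lower(), {}).items():
        # the advisory's fix is to delete the whole dllfile\shell\open key, so
        # any command here is reported; WScript.exe is the Redlof.B form
        reason = ("dllfile open command runs WScript.exe"
                  if "wscript.exe" in data.lower()
                  else "unexpected dllfile open command")
        findings.append(Finding(DLLFILE_OPEN, name, data, reason))
    return findings


if __name__ == "__main__":
    for f in find_redlof_persistence(parse_reg(SAMPLE_REG)):
        print(f"{f.key}\n  {f.name} = {f.data}\n  -> {f.reason}")
```

Exporting the keys first (`reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and the same for `HKCR\dllfile`) also leaves a record of the pre-cleanup state, which is useful if a deletion has to be reverted; the parser only understands string values, which is all the advisory's entries use.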

Restoring the Deleted System File

To enable your system to function properly, restore the file %System%\Kernel32.dll using your original Windows installation CD or from a reliable backup source.

Applying Patches

The malware runs on infected systems with an unpatched Microsoft VM ActiveX component vulnerability. See Microsoft Security Bulletin MS00-075 for patch links and more information on this vulnerability.

Source: http://www.antivirusworld.com/
