VBS/Redlof-A

Discussion in 'malware problems & news' started by FanJ, May 23, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: VBS/Redlof-A
    Type: Visual Basic Script virus
    Date: 23 May 2002


    At the time of writing Sophos has received just one report of
    this virus from the wild.

    Description:

    VBS/Redlof-A infects HTM, HTML, ASP, PHP, JSP, HTT and VBS files
    by appending a VBScript that contains an encrypted copy of the
    virus code to them.

    The virus exploits the Microsoft VM ActiveX component
    vulnerability enabling the virus to be activated by viewing an
    infected HTML document at a remote site.

    VBS/Redlof-A will attempt to propagate via email sent by the
    infected user. This is achieved by infecting blank.htm, the
    default stationery file for Microsoft Outlook or Outlook
    Express. This file is commonly found in the folder
    C:\Program Files\Common Files\Microsoft Shared\Stationery\ .
    An appropriate registry entry is edited to ensure that the
    infected user includes the default stationery file when they
    compose an email.

    The registry entries targeted are:

    HKCU\Identities\<DefaultId>\Software\Microsoft\
    Outlook Express\<OutlookVersion>\Mail\Compose Use Stationery,

    HKCU\Identities\<DefaultId>\Software\Microsoft\
    Outlook Express\<OutlookVersion>\Mail\Stationery Name,

    HKCU\Identities\<DefaultId>\Software\Microsoft\
    Outlook Express\<OutlookVersion>\Mail\Wide Stationery Name,

    HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\
    Microsoft Outlook Internet Settings\
    0a0d020000000000c000000000000046\001e0360,

    HKCU\Software\Microsoft\Windows NT\CurrentVersion\
    Windows Messaging Subsystem\Profiles\
    Microsoft Outlook Internet Settings\
    0a0d020000000000c000000000000046\001e0360,

    and

    HKCU\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery.

    An infected VBScript is dropped to the Windows system folder
    with the name kernel.dll. This file is pointed to by the
    registry entry

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32

    so that it is executed when Windows is started up. The virus
    also modifies the registry entries

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\.dll

    and

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dllfile

    so that files with DLL extensions are executed as scripts using
    wscript.exe.

    Microsoft has issued a security patch which secures against the
    VM ActiveX component vulnerability. It is available at
    http://www.microsoft.com/technet/security/bulletin/MS00-075.asp



    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/vbsredlofa.html
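A defender's triage script for the registry changes listed in the write-up above, added here as an example; it is not FanJ's or Sophos's code. It parses a `reg export` dump and flags the entries the write-up names. The sample export below is constructed (placeholder identity GUID, made-up paths and data strings); `reg export` writes full hive names, so HKCU appears as HKEY_CURRENT_USER. Since the write-up does not say whether `Run\.dll` and `Run\dllfile` are values or subkeys, both forms are checked. The key paths, value names, kernel.dll and blank.htm come from the write-up; everything else is an assumption.

```python
"""Triage a Windows .reg export for the VBS/Redlof-A registry changes.
Added example; sample data below is constructed, not a real capture."""
import re

# Constructed sample of a `reg export` dump (identity GUID and data are placeholders).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="C:\\WINDOWS\\SYSTEM32\\Kernel.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
".dll"="dllfile"
"dllfile"="C:\\WINDOWS\\WScript.exe \"%1\" %*"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\Mail]
"Compose Use Stationery"=dword:00000001
"Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"
"Wide Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings]
"NewStationery"="blank.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046]
"001e0360"=hex:43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
  62,6c,61,6e,6b,2e,68,74,6d,00
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX_RE = re.compile(r"^hex(?:\([0-9a-f]+\))?:(.*)$", re.I)

# Key paths from the write-up, with HKCU/HKLM expanded as `reg export` writes them.
RUN_HKLM = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
OFFICE_MAIL = r"HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings"
OE_MAIL_RE = re.compile(  # <DefaultId> and <OutlookVersion> are wildcards
    r"^HKEY_CURRENT_USER\\Identities\\[^\\]+\\Software\\Microsoft\\"
    r"Outlook Express\\[^\\]+\\Mail$", re.I)
MAPI_PROFILE_RE = re.compile(  # both profile locations named in the write-up
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\(?:Windows NT\\CurrentVersion\\)?"
    r"Windows Messaging Subsystem\\Profiles\\Microsoft Outlook Internet Settings\\"
    r"0a0d020000000000c000000000000046$", re.I)


def _unescape(s):
    # In .reg strings a backslash escapes the next character.
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(raw):
    """Return value data as lowercase text so every value type can be matched."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1]).lower()
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    m = HEX_RE.match(raw)
    if m:
        blob = bytes.fromhex(m.group(1).replace(",", " "))
        # REG_BINARY may carry ANSI or UTF-16LE text; expose both readings.
        return (blob.decode("latin-1") + "\n" + blob.decode("utf-16-le", "ignore")).lower()
    return raw.lower()


def parse_reg_export(text):
    """Parse a .reg export into {key path: {lowercased value name: decoded data}}."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):  # hex data continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name.lower()] = _decode_data(m.group(2))
    return keys


def redlof_indicators(keys):
    """Return one finding per registry change the write-up attributes to Redlof."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low == RUN_HKLM.lower() and "kernel.dll" in values.get("kernel32", ""):
            findings.append("HKLM Run\\Kernel32 launches kernel.dll: " + values["kernel32"])
        if low == RUN_HKCU.lower() or low.startswith(RUN_HKCU.lower() + "\\"):
            sub = path[len(RUN_HKCU):].lstrip("\\").split("\\")[0]  # subkey form
            if sub.lower() in (".dll", "dllfile"):
                findings.append(f"HKCU Run\\{sub} subkey present: {values}")
            else:  # value form
                for name, data in values.items():
                    if name in (".dll", "dllfile"):
                        findings.append(f"HKCU Run\\{name} maps .dll files to a script host: {data}")
        if OE_MAIL_RE.match(path):
            enabled = values.get("compose use stationery", "0") == "1"
            names = (values.get("stationery name", ""), values.get("wide stationery name", ""))
            if enabled and any("blank.htm" in n for n in names):
                findings.append("Outlook Express composes with blank.htm stationery: " + path)
        if low == OFFICE_MAIL.lower() and "blank.htm" in values.get("newstationery", ""):
            findings.append("Office 10.0 NewStationery set to blank.htm")
        if MAPI_PROFILE_RE.match(path) and "blank.htm" in values.get("001e0360", ""):
            findings.append("Outlook profile value 001e0360 references blank.htm: " + path)
    return findings


if __name__ == "__main__":
    for finding in redlof_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

Run it against a real export with `reg export HKCU hkcu.reg` and `reg export HKLM hklm.reg` (then convert the UTF-16 output to UTF-8 before reading, since `reg export` writes UTF-16). Each finding maps back to one sentence of the write-up, so a hit on the stationery keys alone means the mail-propagation path is set up even if kernel.dll has already been removed.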