Name: VBS/Redlof-A
Type: Visual Basic Script virus
Date: 23 May 2002

At the time of writing Sophos has received just one report of this virus from the wild.

Description:

VBS/Redlof-A infects HTM, HTML, ASP, PHP, JSP, HTT and VBS files by appending to them a VBScript block that contains an encrypted copy of the virus code. The virus exploits the Microsoft VM ActiveX component vulnerability, which allows the virus to be activated simply by viewing an infected HTML document at a remote site.

VBS/Redlof-A attempts to propagate via email sent by the infected user. It does this by infecting blank.htm, the default stationery file for Microsoft Outlook and Outlook Express. This file is commonly found in the folder C:\Program Files\Common Files\Microsoft Shared\Stationery\. Registry entries are then edited so that the infected user's mail client includes the infected default stationery file whenever they compose an email. The registry entries targeted are:

HKCU\Identities\<DefaultId>\Software\Microsoft\Outlook Express\<OutlookVersion>\Mail\Compose Use Stationery
HKCU\Identities\<DefaultId>\Software\Microsoft\Outlook Express\<OutlookVersion>\Mail\Stationery Name
HKCU\Identities\<DefaultId>\Software\Microsoft\Outlook Express\<OutlookVersion>\Mail\Wide Stationery Name
HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360
HKCU\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery

An infected VBScript is dropped into the Windows system folder under the name kernel.dll. The registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32 points to this file so that it is executed each time Windows starts.

The virus also modifies the registry entries HKCU\Software\Microsoft\Windows\CurrentVersion\Run\.dll and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dllfile so that files with DLL extensions are executed as scripts using wscript.exe.

Microsoft has issued a security patch which secures against the VM ActiveX component vulnerability. It is available at http://www.microsoft.com/technet/security/bulletin/MS00-075.asp

Read the analysis at http://www.sophos.com/virusinfo/analyses/vbsredlofa.html
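The two infection traits described above (a VBScript block appended after a host file's closing HTML tag, and the Run / stationery registry entries) can be checked offline during triage. The following is an added example written for this page, not Sophos's own detection code: it applies a file heuristic to constructed sample HTML and parses a constructed .reg export (such as one produced by `reg export`) for the Run\Kernel32, Run\.dll, Run\dllfile and Outlook Express stationery values the description lists. The sample file contents, the all-zero identity GUID, the placeholder payload comment and the `wscript.exe %1` data are assumptions constructed for the example, not values taken from a real infection.

```python
import re
from typing import Dict, List

# --- Sample inputs constructed for this example (not real infected data) ---
CLEAN_HTML = "<html><body><p>Hello</p></body></html>\n"
INFECTED_HTML = CLEAN_HTML + (
    '<script language="vbscript">\n'
    "' placeholder standing in for the appended encrypted payload\n"
    "</script>\n"
)

# A constructed registry export in the .reg text format. The GUID and the
# dllfile data are placeholders, not values observed from the virus.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="C:\\WINDOWS\\SYSTEM\\Kernel.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"dllfile"="wscript.exe %1"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\Mail]
"Compose Use Stationery"=dword:00000001
"Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*language\s*=\s*[\"']?vbscript", re.I)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.I)


def has_appended_vbscript(text: str) -> bool:
    """Heuristic for the infection pattern: a VBScript block that sits after the
    document's last </html> tag, where a normal page carries no script."""
    closes = list(HTML_CLOSE_RE.finditer(text))
    if not closes:
        return False
    return SCRIPT_RE.search(text, closes[-1].end()) is not None


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the .reg export format: key path -> {value name: data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')
        keys[current]["" if name == "@" else name] = data.strip().strip('"')
    return keys


RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"


def redlof_registry_findings(reg_text: str) -> List[str]:
    """Return one finding per registry indicator from the description that is
    present in the export: Run\\Kernel32 -> kernel.dll, Run\\.dll or Run\\dllfile
    invoking wscript.exe, and Outlook Express stationery enabled and set to blank.htm."""
    findings: List[str] = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        if k.endswith(RUN_SUFFIX):
            for name, data in values.items():
                n, d = name.lower(), data.lower()
                if n == "kernel32" and d.endswith("kernel.dll"):
                    findings.append(f"startup entry {key}\\{name} -> {data}")
                if n in (".dll", "dllfile") and "wscript.exe" in d:
                    findings.append(f"DLL-as-script entry {key}\\{name} -> {data}")
        if "outlook express" in k and k.endswith(r"\mail"):
            enabled = values.get("Compose Use Stationery", "").lower() == "dword:00000001"
            stationery = values.get("Stationery Name", "")
            if enabled and stationery.lower().endswith("blank.htm"):
                findings.append(f"stationery enabled at {key}, file {stationery}")
    return findings


if __name__ == "__main__":
    print("clean sample flagged:", has_appended_vbscript(CLEAN_HTML))
    print("infected sample flagged:", has_appended_vbscript(INFECTED_HTML))
    for finding in redlof_registry_findings(SAMPLE_REG_EXPORT):
        print("registry:", finding)
```

The stationery finding on its own is not proof of infection, since a user may legitimately enable stationery; it matters in combination with an appended script in blank.htm or the Run\Kernel32 entry, so the file heuristic should be run over the stationery folder named above as well.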