VIRUS NAME : VBS/Redlof@M

Virus Characteristics

This is a file-infecting VBScript virus that sets a default, infected stationery file for the Microsoft Outlook and Outlook Express email clients. It exploits the Microsoft VM ActiveX Component Vulnerability.

The script arrives in an email message, hidden from the user, or can be present on websites that host infected .HTM files. The virus uses the BODY ONLOAD event to trigger the infection. .HTM and .HTT files on the local system are infected by appending the encrypted viral code to them. In .HTT files the BODY ONLOAD trigger is prepended, while in .HTM files it is placed at the beginning of the virus body. The default mail account is read from the registry, a stationery file named BLANK.HTM is created, and it is set as the default stationery through the following registry values:

  • HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\5.0\Mail\Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
  • HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\5.0\Mail\Wide Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360=blank
  • HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery=blank
The VBScript virus body is saved to the file KERNEL.DLL in the WINDOWS SYSTEM directory, and a registry run key is created so that the script is loaded at startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32=C:\WINDOWS\SYSTEM\Kernel.dll
The run key works because several other registry keys are created that associate .DLL files with the WSCRIPT.EXE script host, so the script is executed even though it carries a .DLL extension:
  • HKEY_CLASSES_ROOT\dllfile\ScriptEngine\(Default)=VBScript
  • HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode\(Default)={85131631-480C-11D2-B1F9-00C04F86C324}
  • HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command\(Default)=C:\WINDOWS\WScript.exe "%1" %*
  • HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHandlers\WSHProps\(Default)={60254CA5-953B-11CF-8C96-00AA00B8708C}


Symptoms

- Presence of KERNEL.DLL (11,160 bytes) in the SYSTEM directory
- Increase in file size of .HTM and .HTT documents
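As a defender-side check for the indicators listed in this description (the registry values above and the KERNEL.DLL symptom), the following Python script is an added example and is not part of the original page or any vendor tool. It parses a constructed registry export in .reg text form and a constructed directory listing and reports which documented indicators are present. The key paths, value names, expected data and the 11,160-byte file size come from this description; the sample export, the {EXAMPLE-IDENTITY} placeholder for the Outlook Express identity GUID, and the rule names are assumptions made for the example.

```python
import re
from typing import Callable, Dict, Iterator, List, Tuple

# Constructed sample of a Windows registry export (.reg text). It is not from
# the original page; the key paths and values mirror the indicators listed in
# this description, and {EXAMPLE-IDENTITY} stands in for a real Outlook Express
# identity GUID.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\dllfile\ScriptEngine]
@="VBScript"

[HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command]
@="C:\\WINDOWS\\WScript.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="C:\\WINDOWS\\SYSTEM\\Kernel.dll"

[HKEY_CURRENT_USER\Identities\{EXAMPLE-IDENTITY}\Software\Microsoft\Outlook Express\5.0\Mail]
"Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings]
"NewStationery"="blank"
'''


def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key_path, value_name, data) for the REG_SZ entries of a .reg export.

    The default value of a key is reported under the name "(Default)", which is
    the notation the description uses. Non-string values (dword:, hex:) are skipped.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or "=" not in line:
            continue
        name_part, _, data_part = line.partition("=")
        name = "(Default)" if name_part == "@" else name_part.strip('"')
        if len(data_part) >= 2 and data_part[0] == '"' and data_part[-1] == '"':
            # .reg escapes backslash and double quote with a leading backslash.
            data = re.sub(r"\\(.)", r"\1", data_part[1:-1])
            yield key, name, data


# (rule id, regex on the key path, accepted value names, predicate on the data).
# Paths, value names and expected data come from the registry listing above.
Rule = Tuple[str, str, Tuple[str, ...], Callable[[str], bool]]
REDLOF_RULES: List[Rule] = [
    ("dllfile-scriptengine-vbscript", r"\\dllfile\\ScriptEngine$", ("(Default)",),
     lambda v: v.lower() == "vbscript"),
    ("dllfile-open-wscript", r"\\dllfile\\Shell\\Open\\Command$", ("(Default)",),
     lambda v: "wscript.exe" in v.lower()),
    ("run-kernel32-kernel-dll", r"\\CurrentVersion\\Run$", ("Kernel32",),
     lambda v: v.lower().endswith("kernel.dll")),
    ("oe-stationery-blank-htm", r"\\Outlook Express\\5\.0\\Mail$",
     ("Stationery Name", "Wide Stationery Name"),
     lambda v: v.lower().endswith("blank.htm")),
    ("office-newstationery-blank", r"\\Office\\10\.0\\Common\\MailSettings$",
     ("NewStationery",), lambda v: v.lower() == "blank"),
]


def find_redlof_indicators(reg_text: str) -> List[str]:
    """Return the id of every rule matched by an entry in the export, in file order."""
    hits: List[str] = []
    for key, name, data in parse_reg_export(reg_text):
        for rule_id, key_re, names, check in REDLOF_RULES:
            if name in names and re.search(key_re, key, re.IGNORECASE) and check(data):
                hits.append(rule_id)
    return hits


KERNEL_DLL_SIZE = 11160  # byte size of the dropped file, from the Symptoms section


def kernel_dll_symptom(system_dir_listing: Dict[str, int]) -> bool:
    """True if a KERNEL.DLL of the documented size is present in the listing.

    The listing is a constructed {filename: size_in_bytes} map; on a live host it
    would be built with os.scandir() over the WINDOWS\\SYSTEM directory.
    """
    return any(name.lower() == "kernel.dll" and size == KERNEL_DLL_SIZE
               for name, size in system_dir_listing.items())


if __name__ == "__main__":
    print("registry indicators:", find_redlof_indicators(SAMPLE_REG_EXPORT))
    # Constructed directory listing standing in for C:\WINDOWS\SYSTEM.
    print("KERNEL.DLL symptom:",
          kernel_dll_symptom({"KERNEL.DLL": 11160, "user32.dll": 401408}))
```

Feed the script the output of a real `reg export` of the keys in question instead of the constructed sample to check a host; the dllfile association rules are the most useful, because a .DLL extension handled by WScript.exe is abnormal regardless of which script dropped it, while the stationery rules only confirm that the mail client has been pointed at a file named blank.htm and should be followed up by inspecting that file.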



Method Of Infection

This worm exploits a Microsoft Internet Explorer vulnerability to infect .HTM documents and to configure email clients so that an infected stationery document is included with each message that is sent out.

McAfee, Inc