Lumension® Endpoint Intelligence Center



Threat Risk: LOW
Destructivity: NONE
Detection files published: 14 May 2002 03:00:00
Description created: 02 Sep 2002 04:54:00
Description updated: 02 Sep 2002 04:54:00
Malware type: VIRUS
Spreading mechanism: EMAIL
Summary: None



VBS/Redlof.A is a combined VB script worm and virus. It attaches itself to HTM, HTT, ASP, JSP, PHP and VBS files on the local system, and sets an infected HTM file, blank.htm, as the default stationery for Outlook and Outlook Express.

As a result, every mail sent with these clients is infected. A user can become infected by opening or previewing an infected mail in Outlook/Outlook Express, or by viewing an infected web page in a vulnerable Internet Explorer.

The virus uses an Internet Explorer exploit, the Microsoft Java VM vulnerability, in order to execute automatically.

In addition to the stationery file BLANK.HTM, it also drops the file KERNEL.DLL into the system directory.

The virus also changes a number of registry keys. It sets the following:

HKEY_CURRENT_USER\Identities\\Software\Microsoft\Outlook Express\\Mail\Compose Use Stationery = 1
HKEY_CURRENT_USER\Identities\\Software\Microsoft\Outlook Express\\Mail\Stationery Name = blank.htm
HKEY_CURRENT_USER\Identities\\Software\Microsoft\Outlook Express\\Mail\Wide Stationery Name = blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference = 131072
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360 = blank
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360 = blank
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference = 131072
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery = blank

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32 = kernel.dll
HKEY_CLASSES_ROOT\.dll\ = dllfile
HKEY_CLASSES_ROOT\.dll\Content Type = application/x-msdownload
HKEY_CLASSES_ROOT\dllfile\DefaultIcon\ = HKEY_CLASSES_ROOT\vxdfile\DefaultIcon\
HKEY_CLASSES_ROOT\dllfile\ScriptEngine\ = VBScript
HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command\ = WScript.exe ""%1"" %*
HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps\ = {60254CA5-953B-11CF-8C96-00AA00B8708C}
HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode\ = {85131631-480C-11D2-B1F9-00C04F86C324}
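As an added defensive example (not part of the original description), the following Python parses a `reg export` style dump and flags the Redlof.A registry indicators listed above: the .dll extension rebound to the VBScript engine and WScript.exe, the Run entry launching kernel.dll, and the Outlook Express stationery set to blank.htm. The sample dump and the identity GUID in it are constructed.

```python
# Constructed sample of a .reg export (not from the page); the identity GUID is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\dllfile\ScriptEngine]
@="VBScript"

[HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command]
@="WScript.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="kernel.dll"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\Mail]
"Compose Use Stationery"=dword:00000001
"Stationery Name"="blank.htm"
'''

def parse_reg(text):
    """Flatten a .reg export into {(key_path, value_name): value}; '' names the default value."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # registry paths are case-insensitive
        elif key and "=" in line:
            name, _, raw = line.partition("=")
            name = "" if name == "@" else name.strip('"').lower()
            if raw.startswith('"'):           # REG_SZ with \" and \\ escapes
                entries[(key, name)] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif raw.startswith("dword:"):    # REG_DWORD as hex
                entries[(key, name)] = int(raw[6:], 16)
    return entries

def redlof_indicators(entries):
    """Return the Redlof.A registry indicators present in a parsed export."""
    hits, dll = [], "hkey_classes_root\\dllfile"
    if str(entries.get((dll + "\\scriptengine", ""), "")).lower() == "vbscript":
        hits.append(".dll extension bound to the VBScript engine")
    if "wscript.exe" in str(entries.get((dll + "\\shell\\open\\command", ""), "")).lower():
        hits.append(".dll files are executed through WScript.exe")
    for (key, name), value in entries.items():
        if key.endswith("\\currentversion\\run") and str(value).lower().endswith("kernel.dll"):
            hits.append(f"Run entry '{name}' launches {value} at logon")
        if "\\outlook express\\" in key and name == "stationery name" and str(value).lower() == "blank.htm":
            hits.append("Outlook Express default stationery set to blank.htm")
    return hits
```

On a real machine, feed the output of `reg export` for the hives above into `redlof_indicators(parse_reg(dump_text))`; an empty list means none of the listed indicators are present.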

Payload Details

Last Updated: 12 Nov 2015 11:06:14