FOLDER.HTT & DESKTOP.INI
Simple Hyper Text Template or VBS.Redlof Virus
These two files are found in every folder on a Windows-based machine's hard disk (set "Show All Files" in Folder Options > View).
Desktop.ini is a simple configuration file that stores a folder's visual settings. But the "FOLDER.HTT" file (in addition to taking up hard disk space) is described as a malicious script by many anti-virus programs.
==========================================================================================
DOCUMENT SUMMARY
==========================================================================================
IMPACT ON SYSTEM:
  Hard Disk Space           | Not very critical
  Performance Deterioration | Moderately critical
  Damage                    | 1. Payload insertion into all new e-mail messages
                            | 2. Modifies files, like htm*, asp, jsp, php, vbs, etc.
                            | 3. Modifies registry keys (details below)
                            | 4. Changes OE stationery settings in registry
  Removal                   | Moderate (but may render some *.exe(s) useless)
------------------------------------------------------------------------------------------------------------------------------------------------------------
AFFECTED SOFTWARE / SYSTEM:
Windows 3.x, Windows 9x / ME, Windows NT, Windows 2000, Windows XP.
------------------------------------------------------------------------------------------------------------------------------------------------------------
CODE NAME:
VBS/Redlof@M [McAfee], VBS.Redlof [AVP], VBS_REDLOF.A [Trend], VBS/Redlof-A [Sophos]
TYPE:
VIRUS
DESCRIPTION:
When the above virus executes, it infects a file "web\Folder.htt" in the Windows installation directory. This means the virus will activate when any directory is opened using the Active Desktop's web folder feature.
REASON:
Security Vulnerability in 'Microsoft VM ActiveX Component'
WORKAROUND:
1. Removal of the virus using an Anti-Virus software
2. Apply patch from http://windowsupdate.microsoft.com/
==========================================================================================
END OF DOCUMENT SUMMARY
==========================================================================================
TECHNICAL DETAILS
When HTML.Redlof.A runs, it does the following:
It decrypts its viral body and executes it. Depending on the location of the Windows System folder, the virus copies itself as one of the following:
%windir%\System\Kernel.dll
%windir%\System\Kernel32.dll
NOTE: %windir% is a variable. The worm locates the primary Windows installation folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.
The virus makes the following changes to the registry:

Value Comparison / Modification
  Registry Key | Virus verifies | Virus modifies to
  HKEY_CLASSES_ROOT\.dll | Dllfile | -
  HKEY_CLASSES_ROOT\.dll\Content Type | application/x-msdownload | -
  HKEY_CLASSES_ROOT\dllFile\DefaultIcon | - | C:\WINDOWS\SYSTEM\shell32.dll,-154
  Adds the following subkeys:
  ScriptEngine | - | VBScript
  ScriptHostEncode | - | {85131631-480C-11D2-B1F9-00C04F86C324}
  HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command\ | - | "%windir%\WScript.exe ""%1"" %*" OR "%windir%\System32\WScript.exe ""%1"" %*"
  HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps | - | {60254CA5-953B-11CF-8C96-00AA00B8708C}
The virus searches for files with the extensions .htm*, asp, php, jsp, and vbs in all folders and on all drives, and infects them.
HTML.Redlof.A spreads by adding itself as the default stationery that is used to create email messages:
It either copies itself to C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm or, if that file already exists, it appends itself to the file.
It then sets Outlook Express to use stationery by default. To do this, in the registry key
HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\[Outlook Version].0\Mail the virus sets the value of "Compose Use Stationery" to "1".
Then, if the following values do not exist, they are created with the following data:
  Registry Key | Value | Virus sets to
  HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\[Outlook Version].0\Mail | Stationery Name | C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
  HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\[Outlook Version].0\Mail | Wide Stationery Name | C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
  HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail | EditorPreference | 131072
The following values are created if they do not exist, and set to blank unless data is shown:
  Registry Key | Value | Data
  HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046 | 001e0360 | (blank)
  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046 | 001e0360 | (blank)
  HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings | NewStationery | (blank)
  HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference | EditorPreference | 131072
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Kernel32 | SYSTEM\Kernel32.dll or SYSTEM\Kernel.dll
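As an added example (not part of this write-up), the following Python parses a Windows .reg export offline and flags three of the registry changes described above: the dllFile open command handed to WScript.exe, the Run\Kernel32 autostart entry, and the Outlook Express "Compose Use Stationery" switch. The sample export is constructed, and the {ID} identity key is a placeholder.

```python
import re
# Constructed .reg export (not a real capture) reproducing the registry changes
# this write-up attributes to Redlof, across the HKCR, HKLM and HKCU keys above.
SAMPLE_REG = r"""
[HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command]
@="C:\\WINDOWS\\WScript.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="SYSTEM\\Kernel32.dll"
[HKEY_CURRENT_USER\Identities\{ID}\Software\Microsoft\Outlook Express\5.0\Mail]
"Compose Use Stationery"=dword:00000001
"Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"
"""

_KEY = re.compile(r"^\[(.+)\]$")
_VAL = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    # Returns {key_path.lower(): {value_name.lower(): data}}; "" is the default value.
    reg, key = {}, None
    for line in text.splitlines():
        m = _KEY.match(line)
        if m:
            key = reg.setdefault(m.group(1).lower(), {})
            continue
        m = _VAL.match(line)
        if not m or key is None:
            continue
        name = "" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.startswith('"'):                 # REG_SZ: undo the \" and \\ escapes
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        elif data.lower().startswith("dword:"):  # REG_DWORD, hex digits
            data = int(data[6:], 16)
        key[name.lower()] = data
    return reg

def check_redlof(reg):
    # Returns one finding per Redlof-style change present in the parsed export.
    hits = []
    cmd = reg.get(r"hkey_classes_root\dllfile\shell\open\command", {}).get("", "")
    if "wscript.exe" in cmd.lower():             # .dll files handed to the script host
        hits.append("dllFile open command runs WScript.exe: " + cmd)
    run = reg.get(r"hkey_local_machine\software\microsoft\windows\currentversion\run", {})
    if str(run.get("kernel32", "")).lower().endswith(("\\kernel32.dll", "\\kernel.dll")):
        hits.append("Run\\Kernel32 autostart points at " + run["kernel32"])
    for path, vals in reg.items():               # any OE identity and version
        if "\\outlook express\\" in path and path.endswith("\\mail") \
                and vals.get("compose use stationery") == 1:
            hits.append("OE stationery forced on: " + str(vals.get("stationery name")))
    return hits
```

Run it against an export taken with regedit (File > Export) from a suspect machine; a clean machine yields an empty list.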
Reportedly (ref. Microsoft Security Bulletin), this happens due to a security vulnerability in the Microsoft VM ActiveX Component.
The MS VM is a virtual machine for the Win32 operating environment. It runs atop MS Windows 9x / ME, NT 4.0 and Windows 2000. It is shipped as a part of each of these OSs and is also a part of MS IE.
The versions of MS VM shipped with MS IE 4.x and IE 5.x contain a vulnerability that could allow a Java applet on a malicious web site to take any desired action on a visiting user's machine.
The Microsoft virtual machine (Microsoft VM) contains functionality that allows ActiveX controls to be created and manipulated by Java applications or applets. This functionality is intended to be available only to stand-alone Java applications or digitally signed applets. However, this vulnerability allows ActiveX controls to be created and used from a web page, or from within an HTML-based e-mail message, without requiring a signed applet. If a user visited a malicious web site that exploited this vulnerability, a Java applet on one of the web pages could run any desired ActiveX control, even ones that are marked as unsafe for scripting. This would enable the malicious web site operator to take any desired action on the user's machine.
Web sites placed within the Restricted Sites zone in Internet Explorer will not be able to exploit this vulnerability.
==========================================================================================
USING MICROSOFT WINDOWS UPDATES
==========================================================================================
You won't be able to use Microsoft Windows 98 Updates (from the Windows Update site) if, for any reason, you are not using a registered copy of Windows 98.
If you want to use Microsoft's Windows Update feature, simply modify this registry parameter and you can use the Update feature without any registration.
Here is how to do it...
___________________________________________________________________________________________
References:
Microsoft TechNet
Symantec Security Response
___________________________________________________________________________________________
This text is written by Sheikh M. Taimur (and is dedicated to my parents)