VBS.Redlof.A
First posted on 21 November 2011.
Source: BitDefender
Aliases:
VBS.Redlof.A is also known as N/A.
Explanation :
The virus infects HTML and VBS files. It is polymorphic: it rewrites its own script at every infection, so no two infected copies are byte-identical.
It copies itself as Kernel.dll or Kernel32.dll into the system folder (C:\Windows\System or C:\WINNT\System32).
It then modifies registry keys so that these files (Kernel.dll or Kernel32.dll) are executed with wscript.exe: the .dll extension is re-registered as a Windows Script Host file type, so any file with a .dll extension that is "opened" through the shell is run as VBScript rather than loaded as a library. In effect the registration that Windows Script Host uses for its own .vbs file type (vbsfile) is cloned onto the dllfile ProgID.
The modified registry keys are:
HKCR\.dll
with the value dllfile
HKCR\.dll\Content Type
with the value application/x-msdownload
HKCR\dllfile\DefaultIcon
with the value of HKCR\vxdfile\DefaultIcon
HKCR\dllfile\ScriptEngine
with the value VBScript
HKCR\dllFile\Shell\Open\Command
with the value WScript.exe…
HKCR\dllFile\ShellEx\PropertySheetHandlers\WSHProps
HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode
It also copies itself as Folder.htt into the Web folder under the Windows folder and as desktop.ini into the system folder (System or System32 under the Windows folder). Folder.htt is the template Windows Explorer's web view uses to render a folder, and desktop.ini points Explorer at it, so simply browsing an affected folder can run the script.
It appends a modified copy of itself to every HTML and VBS file in the current folder, the Windows folder (C:\Winnt or C:\Windows) and the system folder (C:\Windows\System or C:\WINNT\System32).
It also appends itself to every HTML and VBS file in the folder C:\Program Files\Common Files\Microsoft Shared\Stationery.
The virus creates the file:
C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
and modifies (if they exist) the registry keys below. The Outlook Express keys live under a per-identity GUID subkey of HKCU\Identities, which is not shown in these paths.
HKCU\Identities\Software\Microsoft\Outlook Express\Mail\Compose Use Stationery
with the value 1.
HKCU\Identities\Software\Microsoft\Outlook Express\Mail\Stationery Name
with the value C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm.
HKCU\Identities\Software\Microsoft\Outlook Express\Mail\Wide Stationery
with the value C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm.
HKCU\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference
with the value blank.
HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360
with the value blank.
HKCU\Software\Microsoft\Windows\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360
with the value blank.
HKCU\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference
with the value blank.
HKCU\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery
with the value blank.
By modifying these keys, it makes the infected blank.htm the default stationery (mail template) for Outlook Express and Outlook, so every HTML email the user sends carries the virus.
Last update 21 November 2011
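As an added example (not BitDefender's code or the description's own), the following Python script audits a registry export for the two changes described above: the .dll extension being handed to the script host, and mail stationery being forced to a template file. It parses a constructed REGEDIT5-style fragment embedded inline; the identity GUID and the "5.0" Outlook Express subkey in that sample are placeholders, not values from the page. Note that "dllfile" is the normal ProgID for .dll on a stock Windows install, so the script keys off the ScriptEngine subkey and a Shell\Open\Command that points at WScript.exe or CScript.exe rather than the ProgID name.

```python
import re
from typing import Dict, List

# Constructed sample of a `reg export` fragment showing the associations the
# description lists. Not taken from a real infection; the identity GUID and
# the "5.0" Outlook Express subkey are placeholders/assumptions.
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.dll]
@="dllfile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\dllfile]
@="Application Extension"

[HKEY_CLASSES_ROOT\dllfile\ScriptEngine]
@="VBScript"

[HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command]
@="C:\\WINNT\\System32\\WScript.exe \"%1\" %*"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\Mail]
"Compose Use Stationery"=dword:00000001
"Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"
"""

# Constructed clean counterpart: "dllfile" is the normal ProgID for .dll on a
# stock Windows install, so the ProgID name alone is not an indicator.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.dll]
@="dllfile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\dllfile]
@="Application Extension"
"""

# A value line is either "Name"=... or @=... (the key's default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT5-style export into {key path (lower-case): {value name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "(default)" if m.group(2) else _unescape(m.group(1)).lower()
        val = m.group(3).strip()
        if val.startswith('"') and val.endswith('"'):
            val = _unescape(val[1:-1])          # REG_SZ
        elif val.lower().startswith("dword:"):
            val = str(int(val[6:], 16))         # REG_DWORD, normalised to decimal text
        keys[current][name] = val
    return keys


def audit_reg_export(text: str) -> List[str]:
    """Return findings for the .dll-to-script-host and stationery changes described above."""
    findings: List[str] = []
    for path, values in parse_reg_export(text).items():
        default = values.get("(default)", "")
        # .dll "open" verb routed to the Windows Script Host
        if path.endswith(r"\dllfile\shell\open\command") and re.search(r"[wc]script\.exe", default, re.I):
            findings.append(f"{path}: opening a .dll runs the script host: {default}")
        # a script engine registered for the DLL ProgID (never present on a clean system)
        if path.endswith(r"\dllfile\scriptengine") and default:
            findings.append(f"{path}: script engine '{default}' registered for .dll files")
        # stationery forced on with a template file; the file itself must be inspected
        if ("outlook express" in path and path.endswith(r"\mail")
                and values.get("compose use stationery") == "1"
                and values.get("stationery name")):
            findings.append(f"{path}: stationery forced on, template = {values['stationery name']} (inspect this file)")
    return findings


if __name__ == "__main__":
    for finding in audit_reg_export(INFECTED_REG):
        print("FINDING:", finding)
```

On a live machine the input would come from `reg export HKCR\dllfile dllfile.reg` and `reg export HKCU\Identities identities.reg`; `reg export` writes UTF-16LE with a BOM, so open those files with `encoding="utf-16"` before passing the text to `audit_reg_export`.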