
VBS.Redlof.A


First posted on 21 November 2011.
Source: BitDefender

Aliases:

VBS.Redlof.A is also known as N/A.

Explanation:

The virus infects HTML and VBS files. It is polymorphic: it modifies its own script at every infection.

It copies itself as Kernel.dll or Kernel32.dll into the system folder (C:\Windows\System or C:\WINNT\System32).

It modifies several registry keys so that these files (Kernel.dll or Kernel32.dll) are executed with wscript.exe: every .dll file will then be run as a script, not loaded as a DLL.

The modified registry keys are:

HKCR\.dll
with the value dllfile

HKCR\.dll\Content Type
with the value application/x-msdownload

HKCR\dllfile\DefaultIcon
with the DefaultIcon value of vxdfile as value

HKCR\dllfile\ScriptEngine
with the value VBScript

HKCR\dllFile\Shell\Open\Command
with the value WScript.exe…

HKCR\dllFile\ShellEx\PropertySheetHandlers\WSHProps

HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode

It also copies itself as Folder.htt into the web folder under the Windows folder, and as desktop.ini into the system32 folder under the Windows folder.

It appends a modified copy of itself to all HTML and VBS files in the current folder, the Windows folder (C:\Winnt or C:\Windows) and the system folder (C:\Windows\System or C:\WINNT\System32).

It also appends itself to all HTML and VBS files in the folder C:\Program Files\Common Files\Microsoft Shared\Stationery.

The virus creates the file:

C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm

and modifies (if they exist) the registry keys:

HKCU\Identities\Software\Microsoft\Outlook Express\Mail\Compose Use Stationery
with the value 1.

HKCU\Identities\Software\Microsoft\Outlook Express\Mail\Stationery Name
with the value C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm.

HKCU\Identities\Software\Microsoft\Outlook Express\Mail\Wide Stationery
with the value C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm.

HKCU\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference
with the value blank.

HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360
with the value blank.

HKCU\Software\Microsoft\Windows\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360
with the value blank.

HKCU\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference
with the value blank.

HKCU\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery
with the value blank.

By modifying these keys, it infects the e-mail stationery template, so every e-mail sent by the user will carry the virus in HTML form.
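A read-only check for the indicators described above (the .dll class hijack, the dropped Kernel.dll/Kernel32.dll copies and the Outlook Express stationery redirect), added here as an example and not taken from the BitDefender write-up. It assumes Windows PowerShell 5.1 or later and only reads the registry and file headers; it changes nothing.

```powershell
# Added example (not part of the original write-up): report Redlof-style indicators.
# Assumes Windows PowerShell 5.1+ and the standard Registry:: provider paths.
function Get-RedlofIndicators {
    $hits = @()
    $cls  = 'Registry::HKEY_CLASSES_ROOT\dllfile'

    # A ScriptEngine entry under the .dll class makes WSH treat .dll files as
    # VBScript. A clean dllfile class has no such entry.
    $engine = Get-ItemProperty -Path "$cls\ScriptEngine" -ErrorAction SilentlyContinue
    if ($engine -and $engine.'(default)' -eq 'VBScript') {
        $hits += 'HKCR\dllfile\ScriptEngine = VBScript'
    }

    # Open verb pointing at WScript.exe; a clean dllfile class has no open verb.
    $open = Get-ItemProperty -Path "$cls\Shell\Open\Command" -ErrorAction SilentlyContinue
    if ($open -and $open.'(default)' -match 'wscript\.exe') {
        $hits += "HKCR\dllfile\Shell\Open\Command = $($open.'(default)')"
    }

    foreach ($sub in 'ScriptHostEncode', 'ShellEx\PropertySheetHandlers\WSHProps') {
        if (Test-Path "$cls\$sub") { $hits += "HKCR\dllfile\$sub present" }
    }

    # Dropped copies in the system folder. The genuine kernel32.dll is a PE image
    # (first bytes "MZ"); the virus's copy is script text with no PE header.
    $sysDir = [Environment]::GetFolderPath('System')
    foreach ($name in 'Kernel.dll', 'Kernel32.dll') {
        $path = Join-Path $sysDir $name
        if (-not (Test-Path $path)) { continue }
        $fs  = [System.IO.File]::OpenRead($path)
        $buf = New-Object byte[] 2
        $null = $fs.Read($buf, 0, 2)
        $fs.Close()
        if (-not ($buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)) {
            $hits += "$path is not a PE file (script dropped under a .dll name)"
        }
    }

    # Outlook Express stationery redirected to the shared Stationery\blank.htm.
    $mailKeys = Get-ChildItem -Path 'Registry::HKEY_CURRENT_USER\Identities' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'Mail' }
    foreach ($k in $mailKeys) {
        $mail = Get-ItemProperty -Path $k.PSPath
        if ($mail.'Stationery Name' -match 'Stationery\\blank\.htm$') {
            $hits += "$($k.Name): Stationery Name = $($mail.'Stationery Name')"
        }
    }
    return $hits
}

Get-RedlofIndicators | ForEach-Object { Write-Output "[Redlof] $_" }
```

An empty result means none of the listed indicators are present; any line printed names the exact key or file to inspect and clean.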

Last update 21 November 2011
