Home / malware Virus:VBS/Redlof.A
First posted on 14 November 2019.
Source: MicrosoftAliases :
Virus:VBS/Redlof.A is also known as Virus.VBS.Redlof.a, VBS/Redlof-A, VBS/Redlof@M, VBS.Redlof.A, VBS_REDLOF.A, VBS/Redlof.A.
Explanation :
Virus:VBS/Redlof.A is a virus that infects different types of files. It also propagates by infecting the default stationery for Microsoft Outlook, thus ensuring that all HTML emails subsequently sent from an Outlook account contains a copy of itself. InstallationVirus:VBS/Redlof.A drops copies of itself in the system as the following: %windir%SYSTEMKernel32.dll %windir%SYSTEMKernel.dll %windir%webFolder.htt %windir%webkjwall.gif
kjwall.gif Note - refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:WinntSystem32; and for XP and Vista is C:WindowsSystem32. It modifies the system registry so that it automatically runs every time Windows starts: Adds value: "Kernel32"
With data: %windir%SYSTEMKernel32.dll
To subkey: HKLMSoftwareMicrosoftWindowsCurrentVersionRun It also changes the registry so that DLL files are executed as VBScript files, thus ensuring that its dropped copies are run as script files: Adds value: "(default)"
With data: "dllfile"
To subkey: HKCR.dll Adds value: "Content Type"
With data: "application/x-msdownload"
To subkey: HKCR.dll Adds value: "(default)"
With data: ""
To subkey: HKCRdllfileDefaultIcon Adds value: "(default)"
With data: "VBScript"
To subkey: HKCRdllfileScriptEngine Adds value: "(default)"
With data: "%windir%system32WScript.exe ""%1"" %*"
To subkey: HKCRdllfileShellOpenCommand Adds value: "(default)"
With data: "{60254CA5-953B-11CF-8C96-00AA00B8708C}"
To subkey: HKCRdllfileShellExPropertySheetHandlersWSHProps Adds value: "(default)"
With data: "{85131631-480C-11D2-B1F9-00C04F86C324}"
To subkey: HKCRdllfileScriptHostEncode Spreads Via... File InfectionVirus:VBS/Redlof.A infects the following file types by appending its code: HTM HTML ASP PHP JSP VBS HTT It also infects the following file: %ProgramFiles%Common FilesMicrosoft SharedStationerylank.htm This file is set as the default stationery for Microsoft Outlook. Infection of this file means that all HTML emails sent out using Outlook are infected with the virus, thus ensuring its propagation to other systems. Analysis by Francis Allan Tan SengLast update 14 November 2019