Virus

W32/Redlof.A@m

Analysis

  • Viral code is VBScript, is encrypted and is 11,160 bytes
  • Virus creates an infected HTML file on the local drive as "Blank.htm" and uses this file as stationery for composing email messages in Outlook Express 5.0 or MS Outlook
  • Virus infects files of type .HTM and .HTT
  • Virus modifies the registry to run .DLL files as VBScript -

    HKEY_CLASSES_ROOT\dllfile\ScriptEngine\
    (Default)=VBScript

    HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command\ (Default)=C:\Windows\WScript.exe "undefined1" undefined*

  • Virus writes itself as Kernel.dll (not to be confused with Kernel32.dll) into Windows\System folder, and modifies the registry to run this file at Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run\
    Kernel32 = C:\Windows\System\Kernel.dll