VBS/Redlof

Type: Internet Worm
This is a Visual Basic Script (VBScript) virus that spreads by email and by infecting machines whose users visit web sites hosting infected HTML pages. To spread by email it installs itself as "Blank.htm", the default stationery file used to compose new messages, and sets the following registry values so that every new message is built on the infected stationery:

HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\5.0\Mail\Stationery Name = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\5.0\Mail\Wide Stationery Name = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360 = blank
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery = blank

The virus also copies itself to the Windows system directory under the file name "Kernel.dll" and creates the following registry value so that it is started after every boot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32 = C:\WINDOWS\SYSTEM\Kernel.dll

A .dll file cannot be started as a program on its own, so the virus changes the file association for .dll files. Because WSCRIPT.EXE is the default host for all VBS files, it sets the following registry values so that "Kernel.dll" is opened by the Windows Script Host and interpreted by the VBScript engine:

HKEY_CLASSES_ROOT\dllfile\ScriptEngine\(Default) = VBScript
HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode\(Default) = {85131631-480C-11D2-B1F9-00C04F86C324}
HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command\(Default) = C:\WINDOWS\WScript.exe "%1" %*
HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHandlers\WSHProps\(Default) = {60254CA5-953B-11CF-8C96-00AA00B8708C}

When cleaning an infected machine, the Run value, the Kernel.dll file, the infected Blank.htm and the dllfile association changes must all be removed: as long as the association maps .dll files to WScript.exe, any remaining copy of the script can be started again by the Run value.
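The persistence mechanism described above can be checked offline against a registry export. The following is an added example (not ICVL's code and not part of the original page): a small parser for the string values in a Windows .reg export, plus detection logic for the three Redlof indicators the text lists (the dllfile association pointing at the VBScript engine and WScript.exe, a Run value naming a .dll, and Outlook Express stationery redirected to Blank.htm). The two embedded exports are constructed samples that reproduce the values above; the identity GUID in them is made up.

```python
"""Scan a Windows .reg export for the VBS/Redlof persistence indicators
described above: the .dll-to-VBScript file-association hijack, the
Kernel.dll autorun value, and the Outlook Express stationery redirection.

Added example, not ICVL's code. Works offline on an exported snapshot
(exports produced by reg.exe are UTF-16; decode them before parsing).
"""
import re
from typing import Dict, List

# [Key] header lines and "name"="string" / @="string" value lines of .reg syntax.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<data>(?:[^"\\]|\\.)*)"$')


def unescape(s: str) -> str:
    """Undo .reg string escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here (string values only).

    Returns {key: {value_name: data}}; keys and value names are lower-cased,
    and the default value is stored under "@". Binary/dword values are ignored.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key").lower()
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = "@" if vm.group("name") is None else vm.group("name").lower()
            keys[current][name] = unescape(vm.group("data"))
    return keys


def find_redlof_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one human-readable finding per Redlof indicator present."""
    findings: List[str] = []
    for key, values in keys.items():
        default = values.get("@", "")
        # A clean dllfile class has no ScriptEngine subkey at all.
        if key.endswith(r"\dllfile\scriptengine") and default.lower() == "vbscript":
            findings.append(f"{key}: .dll files mapped to the VBScript engine")
        # dllfile normally has no Shell\Open\Command; Redlof points it at WScript.
        if key.endswith(r"\dllfile\shell\open\command") and re.search(r"[wc]script\.exe", default, re.I):
            findings.append(f"{key}: .dll files opened with Windows Script Host: {default}")
        # A Run entry naming a .dll only works together with the association hijack.
        if key.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if data.strip('"').lower().endswith(".dll"):
                    findings.append(f"{key}\\{name}: autorun entry points at a DLL: {data}")
        # Outlook Express stationery redirected to the infected Blank.htm.
        if key.endswith(r"\outlook express\5.0\mail"):
            for name in ("stationery name", "wide stationery name"):
                if values.get(name, "").lower().endswith("blank.htm"):
                    findings.append(f"{key}\\{name}: default stationery set to {values[name]}")
    return findings


# Constructed sample export reproducing the values listed above (not a real capture;
# the identity GUID is invented).
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\dllfile]
@="Application Extension"

[HKEY_CLASSES_ROOT\dllfile\ScriptEngine]
@="VBScript"

[HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command]
@="C:\\WINDOWS\\WScript.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="C:\\WINDOWS\\SYSTEM\\Kernel.dll"

[HKEY_CURRENT_USER\Identities\{A1B2C3D4-0000-0000-0000-000000000001}\Software\Microsoft\Outlook Express\5.0\Mail]
"Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blank.htm"
"Wide Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"
"""

# Constructed clean baseline: dllfile has no script engine or open command.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\dllfile]
@="Application Extension"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

if __name__ == "__main__":
    for finding in find_redlof_indicators(parse_reg(INFECTED_REG)):
        print(finding)
```

On a live machine, export HKCR\dllfile, the HKLM and HKCU Run keys and HKCU\Identities with reg.exe, read the file with encoding "utf-16", and pass the text to parse_reg. The Run-key check deliberately flags any .dll, not just Kernel.dll, because a DLL named in Run is only runnable through a hijacked association regardless of the file name chosen.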
Copyright © 1994-2004 Imen Computer Virology Laboratory I.C.V.L
All Rights Reserved
Mehran Rayaneh Engineering Co