Summary

| Included in our products from | July 2002 (3.59) |
|---|---|
| Detected by | All Sophos products |
Action

Please follow the instructions for disinfecting macro viruses.
Sophos recommend that HTML files are backed up before disinfection is initiated.
Deleting Temporary Internet Files
First, delete all Temporary Internet Files from within Internet Explorer (Tools|Internet Options in IE 5). This removes cached copies of any infected pages, which would otherwise have to be scanned and disinfected individually.
Removing the virus
Then follow the instructions for removing infected executable files.
Reversing the registry changes
You will also need to delete the following registry entries for each user who ran the virus.
At the taskbar, select Start|Run. Type in Regedit and press return. The registry editor will open.
Before you edit the registry, back it up. In the Registry menu, click on Export Registry File, in Export Range select All, then save your registry as Backup.
Locate the following entries under HKEY_CURRENT_USER (the final component of each path is a value name stored under the Mail key, not a subkey, so delete the value rather than the Mail key itself):
HKCU\Identities\<DefaultId>\Software\Microsoft\Outlook Express\<OutlookVersion>\Mail\Compose Use Stationery
HKCU\Identities\<DefaultId>\Software\Microsoft\Outlook Express\<OutlookVersion>\Mail\Stationery Name
HKCU\Identities\<DefaultId>\Software\Microsoft\Outlook Express\<OutlookVersion>\Mail\Wide Stationery Name
and delete them. Check every identity present under HKCU\Identities (each identity is a subkey named by a code number, which is what <DefaultId> stands for) and every Outlook Express version subkey (<OutlookVersion>), since the virus may have written to any of them.
Each user also has a registry area named HKEY_USERS\<code number>\, where the code number is that user's security identifier (SID, of the form S-1-5-...). HKEY_CURRENT_USER is simply the HKEY_USERS branch of the user currently logged on, so other users' copies of the entries above must be cleaned here. For each user, locate the entries:
HKU\<code number>\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360
HKU\<code number>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360
HKU\<code number>\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery
HKU\<code number>\Software\Microsoft\Windows\CurrentVersion\Run\.dll
HKU\<code number>\Software\Microsoft\Windows\CurrentVersion\Run\dllfile
and delete them if they exist.
Locate the following HKEY_LOCAL_MACHINE key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32
and delete this key if it exists.
Close the Registry Editor and restart your computer.
Deleting HTT files and Kjwall.gif
Using Find, set Look in as C:\Windows\Web and make sure hidden files are included in the search (folder.htt, the file the virus targets, is a hidden file).
Search for any *.htt files and delete them.
Then search for the file Kjwall.gif and delete it.
Resetting Outlook Express
Start Outlook Express.
Click Tools|Options.
Click the Compose tab.
In the Stationery section uncheck Mail, or select your own stationery.
Installing the Microsoft patch
If you have not done so already, install the patch for the Microsoft VM ActiveX component exception vulnerability. See Microsoft Security Bulletin MS00-075: http://www.microsoft.com/technet/security/bulletin/ms00-075.asp.
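The registry and file steps above, scripted as an added example that is not Sophos' own tool and not code from the original page. It assumes a modern Windows host with PowerShell 5 or later, reg.exe available, and an elevated prompt; the backup directory name is an arbitrary choice made here. It removes values rather than their containing keys, skips anything that is not present, and previews with -WhatIf.

```powershell
# Added example, not Sophos' own tool: scripts the registry and file clean-up
# steps above for a modern Windows host.  Run elevated, after the infected
# executables and scripts have been removed; pass -WhatIf to preview.
# Assumptions: reg.exe, $env:windir and $env:TEMP are available; the backup
# directory name is arbitrary.
[CmdletBinding(SupportsShouldProcess = $true)]
param([string]$BackupDir = (Join-Path $env:TEMP 'redlof-cleanup'))

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Back up the hives first (the page's "Export Registry File" step).
foreach ($hive in 'HKCU', 'HKLM', 'HKU') {
    & reg.exe export $hive (Join-Path $BackupDir "$hive.reg") /y | Out-Null
}

# Delete one value under one key, only if both exist.  The entries on this page
# are values (the last path component), not subkeys: never Remove-Item the key.
function Remove-RegValueIfPresent {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$KeyPath, [string]$ValueName)
    $path = "Registry::$KeyPath"
    if (-not (Test-Path -LiteralPath $path)) { return }
    $key = Get-Item -LiteralPath $path
    if ($key.GetValueNames() -contains $ValueName -and
        $PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Delete registry value')) {
        Remove-ItemProperty -LiteralPath $path -Name $ValueName
    }
}

# Outlook Express stationery values, for every identity and every OE version.
$ids = Get-ChildItem -LiteralPath 'Registry::HKEY_CURRENT_USER\Identities' -ErrorAction SilentlyContinue
foreach ($id in $ids) {
    $oe = "$($id.Name)\Software\Microsoft\Outlook Express"
    if (-not (Test-Path -LiteralPath "Registry::$oe")) { continue }
    foreach ($ver in Get-ChildItem -LiteralPath "Registry::$oe") {
        foreach ($v in 'Compose Use Stationery', 'Stationery Name', 'Wide Stationery Name') {
            Remove-RegValueIfPresent -KeyPath "$($ver.Name)\Mail" -ValueName $v
        }
    }
}

# Per-user (HKEY_USERS\<SID>) entries, then the machine-wide Run entry.
$profileKeys = @(
    'Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046',
    'Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046'
)
foreach ($user in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $u = $user.Name
    foreach ($k in $profileKeys) { Remove-RegValueIfPresent -KeyPath "$u\$k" -ValueName '001e0360' }
    Remove-RegValueIfPresent -KeyPath "$u\Software\Microsoft\Office\10.0\Common\MailSettings" -ValueName 'NewStationery'
    foreach ($v in '.dll', 'dllfile') {
        Remove-RegValueIfPresent -KeyPath "$u\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName $v
    }
}
Remove-RegValueIfPresent -KeyPath 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' -ValueName 'Kernel32'

# *.htt files and kjwall.gif under %windir%\Web: copy each to the backup
# directory, then delete.  -Force is needed because folder.htt is hidden.
$web = Join-Path $env:windir 'Web'
$files = Get-ChildItem -LiteralPath $web -Recurse -Force -File -Include '*.htt', 'kjwall.gif' -ErrorAction SilentlyContinue
foreach ($f in $files) {
    if ($PSCmdlet.ShouldProcess($f.FullName, 'Back up and delete')) {
        Copy-Item -LiteralPath $f.FullName -Destination $BackupDir -Force
        Remove-Item -LiteralPath $f.FullName -Force
    }
}
Write-Host "Done. Backups are in $BackupDir. Restart, then check Tools|Options|Compose in Outlook Express."
```

Deleting the three stationery values is what the "Resetting Outlook Express" step does through the GUI, so after the restart the Compose tab should already show stationery switched off. The script does nothing about the infected executables themselves or the MS00-075 patch; those remain separate steps.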
More Information
VBS/Redlof-A infects HTM, HTML, ASP, PHP, JSP, HTT and VBS files by appending a VBScript that contains an encrypted copy of the virus code to them.
The virus exploits the Microsoft VM ActiveX component vulnerability, which allows it to be activated merely by viewing an infected HTML document, including one hosted at a remote site.
VBS/Redlof-A specifically targets the file folder.htt, which is stored as a hidden file in the web folder under Windows. Folder.htt is used as the template for information stored when viewing folders as webpages. If it exists it will be infected and also copied to kjwall.gif which is stored in the same directory.
VBS/Redlof-A will attempt to propagate via email sent by the infected user. This is achieved by infecting blank.htm, the default stationery file for Microsoft Outlook or Outlook Express. This file is commonly found in the folder C:\Program Files\Common Files\Microsoft Shared\Stationery\. An appropriate registry entry is edited to ensure that the infected user includes the default stationery file when they compose an email.
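A heuristic check for the infection pattern described above, a VBScript block appended to an HTML-family file, as an added example that is not Sophos' detection logic and not code from the original page. The marker it looks for, a <script language="vbscript"> block placed after the document's closing </html> tag, is an assumption chosen here and not the virus's actual signature; .vbs files, which have no </html>, are outside its scope, and the sample file it writes is a constructed placeholder, not the virus. Files are read and written through a byte-preserving encoding so that disinfection changes nothing but the stripped block, and a backup copy is taken first, as the Action section advises.

```powershell
# Added example, not Sophos' detection engine.  Flags files of the types named
# above that carry a <script language="vbscript"> block *after* the closing
# </html> tag, which is where an appended payload would sit in a web page.
# The marker is a heuristic chosen for this example, not the virus's real
# signature; .vbs files (pure script, no </html>) are out of scope.
$Latin1   = [System.Text.Encoding]::GetEncoding(28591)   # every byte round-trips unchanged
$VbsBlock = [regex]'(?is)<script[^>]*\blanguage\s*=\s*["'']?vbscript["'']?[^>]*>.*?</script>'

function Test-AppendedVbScript {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Disinfect,
        [string]$BackupDir = (Join-Path $env:TEMP 'redlof-backup')   # arbitrary name
    )
    $text = $Latin1.GetString([System.IO.File]::ReadAllBytes($Path))
    $end  = $text.LastIndexOf('</html>', [System.StringComparison]::OrdinalIgnoreCase)
    if ($end -lt 0) { return [pscustomobject]@{ Path = $Path; Status = 'no </html>, skipped' } }
    $head = $text.Substring(0, $end + 7)
    $tail = $text.Substring($end + 7)
    $m = $VbsBlock.Match($tail)
    if (-not $m.Success) { return [pscustomobject]@{ Path = $Path; Status = 'clean' } }
    $status = "suspicious: $($m.Length)-byte VBScript block after </html>"
    if ($Disinfect -and $PSCmdlet.ShouldProcess($Path, 'Strip appended VBScript')) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $bak = Join-Path $BackupDir ([System.IO.Path]::GetFileName($Path) + '.bak')
        Copy-Item -LiteralPath $Path -Destination $bak -Force           # back up before touching it
        $clean = $head + $tail.Remove($m.Index, $m.Length)
        [System.IO.File]::WriteAllBytes($Path, $Latin1.GetBytes($clean))
        $status += ", disinfected (backup: $bak)"
    }
    [pscustomobject]@{ Path = $Path; Status = $status }
}

# Walk a directory tree over the file types the page lists (minus .vbs).
function Find-AppendedVbScript {
    param([Parameter(Mandatory)][string]$Root, [switch]$Disinfect)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File `
        -Include '*.htm', '*.html', '*.htt', '*.asp', '*.php', '*.jsp' -ErrorAction SilentlyContinue |
        ForEach-Object { Test-AppendedVbScript -Path $_.FullName -Disinfect:$Disinfect }
}

# Constructed sample (placeholder payload, not the real virus) to exercise the check.
$sample = Join-Path $env:TEMP 'redlof-sample.htm'
@'
<html><body>hello</body></html>
<script language="vbscript">
' placeholder: the real infection appends an encrypted copy of itself here
MsgBox "not the real payload"
</script>
'@ | Set-Content -LiteralPath $sample -Encoding Ascii
Test-AppendedVbScript -Path $sample              # Status: suspicious: ...
Test-AppendedVbScript -Path $sample -Disinfect   # strips the block, leaves a .bak copy
Test-AppendedVbScript -Path $sample              # Status: clean
```

Run Find-AppendedVbScript against a web root or a user's profile to get one object per file; add -Disinfect only after reviewing the suspicious list, and keep the backups until the files have been checked by a current anti-virus scanner, since a page that legitimately carries VBScript after </html> would also match this heuristic.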
The registry entries targeted are:
HKCU\Identities\<DefaultId>\Software\Microsoft\Outlook Express\<OutlookVersion>\Mail\Compose Use Stationery
HKCU\Identities\<DefaultId>\Software\Microsoft\Outlook Express\<OutlookVersion>\Mail\Stationery Name
HKCU\Identities\<DefaultId>\Software\Microsoft\Outlook Express\<OutlookVersion>\Mail\Wide Stationery Name
HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360
and
HKCU\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery.
VBS/Redlof-A also writes values to the registry to set Outlook to send emails as HTML to facilitate its spread.
An infected VBScript is dropped to the Windows system folder with the name kernel.dll or kernel32.dll. This file is pointed to by the following registry entry so that it is executed when Windows is started up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32
The virus also modifies registry entries so that files with the DLL extension are executed as scripts using wscript.exe. The entries concerned are:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\.dll
and
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dllfile
Microsoft has issued a security patch which secures against the VM ActiveX component vulnerability. It is available at http://www.microsoft.com/technet/security/bulletin/MS00-075.asp.
