VIRUS NAME : VBS/Redlof@M
This is a file-infecting VBScript that sets an infected file as the default stationery for the Microsoft Outlook and Outlook Express email clients. It exploits the Microsoft VM ActiveX Component Vulnerability.
The script arrives hidden in an email message, or can be present on websites that host infected .HTM files. The virus uses the BODY ONLOAD event to trigger the infection. .HTM and .HTT files on the local system are infected by appending the encrypted viral code to them. In .HTT files the BODY ONLOAD trigger is prepended, while in .HTM files it is placed at the beginning of the virus body. The default mail account is retrieved from the registry, a stationery file named BLANK.HTM is created, and it is set as the default stationery via the following registry locations:
5.0\Mail\Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
5.0\Mail\Wide Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\
The VBScript virus body is saved to the file KERNEL.DLL in the WINDOWS SYSTEM directory and a registry Run key is created to load the script at startup.
This works because several other registry keys are created to re-associate .DLL files with the WSCRIPT.EXE handler:
(Default)=C:\WINDOWS\WScript.exe "%1" %*
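As an added defender-side example (not part of this write-up), the following Python script parses a .reg-style registry export and reports which of the Redlof registry indicators described above are present: the .DLL extension re-associated with WScript.exe, Stationery Name / Wide Stationery Name pointing at blank.htm, and a Run entry referencing KERNEL.DLL. The sample export is constructed; the Identities\{GUID} path and the Run value name are assumptions, as the write-up gives neither.

```python
def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}}."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            entries[key][name] = data.strip().strip('"')
    return entries

def check_registry(entries):
    """Return the Redlof registry indicators present in the parsed export."""
    low = {k.lower(): {n.lower(): d.lower() for n, d in v.items()} for k, v in entries.items()}
    hits = []
    # .DLL re-associated with WScript: follow .dll -> ProgID -> shell\open\command
    progid = low.get("hkey_classes_root\\.dll", {}).get("(default)")
    cmd = low.get(f"hkey_classes_root\\{progid}\\shell\\open\\command", {}).get("(default)", "")
    if progid and "wscript.exe" in cmd:
        hits.append("dll-handler-hijack")
    for key, values in low.items():
        for name, data in values.items():
            # Outlook / Outlook Express default stationery pointed at the dropped blank.htm
            if name in ("stationery name", "wide stationery name") and data.endswith("blank.htm"):
                hits.append("stationery-" + name.replace(" ", "-"))
            # Run key whose command references the dropped KERNEL.DLL
            if "\\currentversion\\run" in key and "kernel.dll" in data:
                hits.append("run-key-kernel.dll")
    return sorted(set(hits))

# Constructed sample input (illustrative, not captured from a real machine).
# The Identities\{GUID} path and the Run value name are assumptions; the write-up gives neither.
SAMPLE_REG = r"""
[HKEY_CLASSES_ROOT\.dll]
@="dllfile"
[HKEY_CLASSES_ROOT\dllfile\shell\open\command]
@="C:\WINDOWS\WScript.exe \"%1\" %*"
[HKEY_CURRENT_USER\Identities\{GUID}\Software\Microsoft\Outlook Express\5.0\Mail]
"Stationery Name"="C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm"
"Wide Stationery Name"="C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RunValuePlaceholder"="C:\WINDOWS\SYSTEM\KERNEL.DLL"
"""

if __name__ == "__main__":
    print(check_registry(parse_reg_export(SAMPLE_REG)))
```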
- Presence of KERNEL.DLL (11,160 bytes) in the SYSTEM directory
- Increase in file size of .HTM and .HTT documents
Method Of Infection
This worm exploits a Microsoft Internet Explorer vulnerability to infect .HTM documents and configure email clients to include an infected document along with each message that is sent out.