W32/Redlof.A@m
Analysis
- Viral code is encrypted VBScript, 11,160 bytes in length
- Virus creates an infected HTML file on the local
drive as "Blank.htm" and uses this file
as stationery for composing email messages in Outlook
Express 5.0 or MS Outlook
- Virus infects files of type .HTM and .HTT
- Virus modifies the registry so that .DLL files are executed
as VBScript (two values are set; the command-line form below
is the standard shell-open pattern, with "%1" expanding to the
opened file) -
HKEY_CLASSES_ROOT\dllfile\ScriptEngine\
(Default) = VBScript
HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command\
(Default) = C:\Windows\WScript.exe "%1" %*
- Virus writes itself as Kernel.dll (not to be confused
with Kernel32.dll) into Windows\System folder, and
modifies the registry to run this file at Windows
startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\
Kernel32 = C:\Windows\System\Kernel.dll