VBS/Redlof-A infects HTM, HTML, ASP, PHP, JSP, HTT and VBS files.
The virus is activated when an infected HTML document is viewed in an
application that allows its embedded script to run, and it may also be
distributed in outgoing email messages sent by Microsoft Outlook or
Outlook Express. To be carried by outgoing email it infects the stationery
file blank.htm, commonly found in the folder
C:\Program Files\Common Files\Microsoft Shared\Stationery\, and then
updates the appropriate registry values so that blank.htm is used as the
stationery for new messages. Because stationery is used as the body template
of every new message, each message composed with it carries the infected
HTML. The registry values targeted are:
HKCU\Identities\<DefaultId>\Software\Microsoft\Outlook Express\<OutlookVersion>\Mail\Compose Use Stationery
HKCU\Identities\<DefaultId>\Software\Microsoft\Outlook Express\<OutlookVersion>\Mail\Stationery Name
HKCU\Identities\<DefaultId>\Software\Microsoft\Outlook Express\<OutlookVersion>\Mail\Wide Stationery Name
HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360
HKCU\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery
The DefaultId and OutlookVersion values are retrieved from the registry entries
HKCU\Identities\Default User ID and
HKLM\Software\Microsoft\Outlook Express\MediaVer respectively.
An infected VBScript is dropped into the Windows system folder under the
name kernel.dll. Despite the extension, this file is script text, not a
PE library. The registry value
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32 is set to point
at it so that it is executed each time Windows starts. To make that work,
the virus also registers the DLL extension as a script type: the default
value of HKCR\.dll is set to dllfile, and the open command under HKCR\dllfile
is set to run the file through wscript.exe, so that any file with a DLL
extension is executed as a script. A Run value named Kernel32 that points at
a kernel.dll in the system folder, together with a .dll association that
invokes wscript.exe, is a reliable indicator of this infection.
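The following Python script is an added example, not part of the original
write-up: it parses a Windows .reg export offline and reports the registry
indicators described above (the Run\Kernel32 startup entry pointing at
kernel.dll, the .dll-to-wscript.exe association, and mail stationery values
pointing at blank.htm). The two embedded .reg texts are constructed samples,
not captures from a real machine; the identity GUID, Outlook Express version
and file paths in them are assumptions chosen to match the patterns the
write-up names.

```python
import re
from typing import Dict, List

# Constructed sample .reg export reproducing the registry changes the
# write-up describes. Illustrative input only; not captured from a host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="C:\\WINDOWS\\SYSTEM\\Kernel.dll"

[HKEY_CLASSES_ROOT\.dll]
@="dllfile"

[HKEY_CLASSES_ROOT\dllfile\shell\open\command]
@="C:\\WINDOWS\\WScript.exe \"%1\" %*"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000001}\Software\Microsoft\Outlook Express\5.0\Mail]
"Compose Use Stationery"=dword:00000001
"Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"
"Wide Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings]
"NewStationery"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"
"""

# Constructed export from an uninfected profile (assumed benign values).
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SomeUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000001}\Software\Microsoft\Outlook Express\5.0\Mail]
"Compose Use Stationery"=dword:00000000
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key: {value_name: data}}.

    Handles REG_SZ ("...") and REG_DWORD (dword:...) values, which is all the
    indicators below need; other types are kept as raw text. A key's default
    value is stored under the name "@".
    """
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2).strip()
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])
            elif data.lower().startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:
                keys[current][name] = data
    return keys


def find_redlof_indicators(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one finding string per Redlof-A registry indicator present."""
    findings: List[str] = []
    for key, values in keys.items():
        k = key.lower()
        # Startup: Run\Kernel32 pointing at the dropped kernel.dll script.
        if k.endswith(r"\software\microsoft\windows\currentversion\run"):
            data = str(values.get("Kernel32", ""))
            if data.lower().endswith("kernel.dll"):
                findings.append(f"startup: {key}\\Kernel32 -> {data}")
        # Association: .dll files handed to a script host.
        if k == r"hkey_classes_root\.dll" and str(values.get("@", "")).lower() == "dllfile":
            findings.append("association: HKCR\\.dll -> dllfile")
        if k == r"hkey_classes_root\dllfile\shell\open\command":
            cmd = str(values.get("@", ""))
            if "wscript" in cmd.lower():
                findings.append(f"association: HKCR\\dllfile open command -> {cmd}")
        # Stationery: any stationery-style value (Outlook Express names,
        # Outlook MAPI profile value 001e0360, Office NewStationery) -> blank.htm.
        for name, data in values.items():
            if isinstance(data, str) and data.lower().endswith("blank.htm") and (
                "stationery" in name.lower() or name.lower() == "001e0360"
            ):
                findings.append(f"stationery: {key}\\{name} -> {data}")
        if "outlook express" in k and k.endswith(r"\mail") and values.get("Compose Use Stationery") == 1:
            findings.append(f"stationery: {key}\\Compose Use Stationery = 1")
    return findings


if __name__ == "__main__":
    for finding in find_redlof_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

To use it against a real host, export the relevant hives with reg.exe
(for example `reg export HKCR\dllfile dllfile.reg`) and feed the file
contents to parse_reg. The stationery check matches on the value name rather
than the exact key path, so it also covers the Outlook MAPI profile and
Office 10.0 values without hard-coding the profile GUID.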