Sophos

W32/Redesi-B

Aliases
  • Win32.Rede.A

Summary

Included in our products from December 2001 (3.52)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

You should remove the command to format the C: drive from Autoexec.bat (edit it with Notepad or another text editor).

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rede

and delete it if it exists.

Close the registry editor.
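The manual steps above, expressed as a host check that reports the indicators this page describes and, on request, performs the two removals the page asks for (the Run\Rede registry value and the format command in Autoexec.bat). This is an added example, not a Sophos tool; it assumes PowerShell on the affected Windows system, leaves the dropped copies of the worm to the scanner, and previews its changes when run with -WhatIf.

```powershell
# Added example (not from Sophos): audit a host for W32/Redesi-B indicators.
# Run with -WhatIf to see what would change; run without it to remove the
# registry value and the autoexec.bat line. Dropped files are only reported.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valName  = 'Rede'
$autoexec = 'C:\autoexec.bat'
# File names the worm copies itself to in the root of C: (from the description).
$dropped  = 'common.exe','rede.exe','si.exe','userconf.exe','disk.exe' |
            ForEach-Object { Join-Path 'C:\' $_ }

$findings = @()

# 1. Startup entry the worm adds so it runs at every Windows start.
$prop = Get-ItemProperty -Path $runKey -Name $valName -ErrorAction SilentlyContinue
if ($prop) {
    $findings += "Run value '$valName' = '$($prop.$valName)'"
    if ($PSCmdlet.ShouldProcess("$runKey\$valName", 'Remove registry value')) {
        Remove-ItemProperty -Path $runKey -Name $valName
    }
}

# 2. Format command appended to autoexec.bat (triggered on 11 November 2001).
#    -match is case-insensitive, so FORMAT C: and format c: both match.
if (Test-Path $autoexec) {
    $lines = Get-Content $autoexec
    $bad   = $lines | Where-Object { $_ -match 'format\s+c:' }
    if ($bad) {
        $findings += "autoexec.bat line(s): $($bad -join '; ')"
        if ($PSCmdlet.ShouldProcess($autoexec, 'Strip format command')) {
            $lines | Where-Object { $_ -notmatch 'format\s+c:' } | Set-Content $autoexec
        }
    }
}

# 3. Copies of the worm in the root of C: (report only; let the scanner remove them).
foreach ($f in $dropped) {
    if (Test-Path $f) { $findings += "Dropped file present: $f" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "FOUND: $_" } }
else           { Write-Output 'No W32/Redesi-B indicators found.' }
```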

More Information

W32/Redesi-B is a worm which uses Microsoft Outlook to spread. The worm arrives in an email message with a subject randomly chosen from:

  • "FW: Security Update by Microsoft."
  • "FW: Microsoft security update."
  • "FW: IT departments on state of HIGH ALERT."
  • "FW: Important news from Microsoft."
  • "FW: Stop terrorists computer viruses reign."
  • "FW: Terrorists release computer virus."
  • "FW: Emergency response from Microsoft Corp."
  • "FW: Terrorist Emergency. Latest virus can wipe disk in minutes."
  • "FW: Microsoft Update. Final Release Candidate."
  • "FW: New computer virus."

The body of the message contains the text:

"Just recieved this in my email
I have contacted Microsoft and they say it's real !
-----Original Message-----
From: Microsoft Support Desk [mailto:Support@microsoft.com]
Subject: Security Update
Due to the recent spate of email spread computer viruses
Microsoft Corp has released a security patch.
Please apply the attached file to your Windows computer
to stop any futher spread or these malicious programs.
Regards
Microsoft Support".

The attachment name is randomly chosen from common.exe, rede.exe, si.exe, userconf.exe and disk.exe.

When the attachment is run, it displays the message box "Your Windows Update has been successful."

[Screenshot: W32/Redesi-B message box]

The worm copies itself into C:\common.exe, C:\rede.exe, C:\si.exe, C:\userconf.exe and C:\disk.exe.

On 11 November 2001, the worm adds a command to C:\autoexec.bat, which will attempt to format drive C: on next reboot and display the text "Bide ye the Wiccan laws ye must, In perfect love and perfect trust.".

The virus contains the following text:

When misfortune is enow, wear the blue star on thy brow. True in love ye must ever be, lest thy love be false to thee. These words the Wiccan Rede fulfill: An ye harm none, do what ye will. Rede(c)Si 2001 ... heh, want my phone number too ?!? Sick of all thes 3rd world gits spreading worms. Time for a bit of Welsh stuff :)

The worm also changes the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rede so that it runs on Windows startup.
