FRISK Software International

Summary of VBS/Redlof
Alias: VBS/Redlof-A, VBS.Redlof, VBS/Redlof
Length: 11.093 bytes
Infectable objects: Files with the following extensions: .htt, .vbs, .html, .htm, .asp, .php, .jsp.
Discovered: 16 Apr 2002
Definition files: 16 Apr 2002
Risk Level: Low
Infection Method: Infected e-mail attachments; can also spread through infected websites (the virus is called through tag). Automatic execution through a known security vulnerability in Internet Explorer (
Payload: Modifies the default stationery for Outlook / Outlook Express so every e-mail sent out with those e-mail clients from an infected system contains the virus.

Brief Description

The Redlof virus is a polymorphic virus written in Visual Basic Script. The virus relies on the Microsoft VM ActiveX Component vulnerability to execute itself automatically. When executed, the virus locates Folder.htt and infects that file; Folder.htt is part of the Microsoft Windows Active Desktop feature. It searches the user's hard drive, locates infectable files and appends itself to them. The virus also drops instances of itself and modifies relevant registry keys to ensure it is run every time Windows starts. Redlof modifies the default stationery (blank.html) for Outlook / Outlook Express so every e-mail sent out from an infected system contains the virus.

Technical Description

The Redlof virus is encrypted in its original form. It is run automatically on a vulnerable system through the VM ActiveX component vulnerability. When executed, the virus locates Folder.htt and infects that file; Folder.htt is part of the Microsoft Windows Active Desktop feature. Next, the virus appends itself to the default stationery files for Microsoft Outlook / Outlook Express (usually located under %System root%\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm); if they don't exist, the virus creates them. This causes every e-mail sent from the infected host using those e-mail clients to contain the virus embedded inside. To accomplish this, the virus modifies or creates the following registry keys:

HKCU\Identities\{DefaultUserID}\Software\Microsoft\Outlook Express\[Outlook Version]\Mail\Compose Use Stationery
HKCU\Identities\{DefaultUserID}\Software\Microsoft\Outlook Express\[Outlook Version]\Mail\Stationery Name
HKCU\Identities\{DefaultUserID}\Software\Microsoft\Outlook Express\[Outlook Version]\Mail\Wide Stationery Name
HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\

The virus drops itself into the Windows System folder as either kernel.dll or kernel32.dll. It creates the relevant registry entries to ensure that the file is run each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kernel | Kernel32

The virus modifies the registry settings for running .dll files so they get executed as scripts, by using wscript.exe (part of Windows Script Host).

HKCR\dllFile\Shell\Open\Command\[Call to Wscript.exe]

The virus searches for infectable objects on the user's hard drive and appends itself to them.

Sindri Bjarnason FRISK Software international
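The registry traces described above can be checked offline against a text export of a suspect machine's registry. The following is an added example, not code from FRISK or from the original description; the function names, the finding labels and the sample export are constructed for illustration, and the stationery values are reported for review only, since stationery can be enabled legitimately.

```python
import re

# Constructed sample in `reg export` text form (illustrative, not from a real host).
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="C:\\WINDOWS\\SYSTEM\\Kernel32.dll"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command]
@="C:\\WINDOWS\\WScript.exe \"%1\" %*"

[HKEY_CURRENT_USER\Identities\{CONSTRUCTED-ID}\Software\Microsoft\Outlook Express\5.0\Mail]
"Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"
'''

# A value line is either @=data (default value) or "name"=data.
VALUE_LINE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                name = m.group(1)
                current["" if name == "@" else name[1:-1]] = m.group(2)
    return keys

def redlof_indicators(text):
    """Return (kind, key, value_name, raw_data) for each trace listed in the description."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        for name, data in values.items():
            n = name.lower()
            if k.endswith(r"\currentversion\run") and n in ("kernel", "kernel32"):
                findings.append(("run-key", key, name, data))
            elif k.endswith(r"\dllfile\shell\open\command") and "wscript" in data.lower():
                findings.append(("dll-handler", key, name, data))
            elif "\\outlook express\\" in k and n in ("stationery name", "wide stationery name"):
                findings.append(("stationery-review", key, name, data))
    return findings

if __name__ == "__main__":
    for finding in redlof_indicators(SAMPLE_REG):
        print(finding)
```

Files written by `reg export` are normally UTF-16 encoded, so decode them before passing the text in. The data field keeps the .reg escaping (doubled backslashes) exactly as exported.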
