The Redlof virus is encrypted in its original form. It runs automatically on a vulnerable system through the
VM ActiveX component vulnerability. When executed, the virus locates Folder.htt and infects that file;
Folder.htt is part of the Microsoft Windows Active Desktop feature. The virus then appends itself to the
default stationery files for Microsoft Outlook / Outlook Express (usually located under
%System root%\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm); if they don't exist, the virus
creates them. This causes every e-mail sent from an infected host using those e-mail clients to carry the
virus embedded inside.
To accomplish this, the virus modifies/creates the following registry keys:
  HKCU\Identities\{DefaultUserID}\Software\Microsoft\Outlook Express\{Outlook Version}\Mail\Compose Use Stationery
  HKCU\Identities\{DefaultUserID}\Software\Microsoft\Outlook Express\{Outlook Version}\Mail\Stationery Name
  HKCU\Identities\{DefaultUserID}\Software\Microsoft\Outlook Express\{Outlook Version}\Mail\Wide Stationery Name
  HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\
  HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\
  HKCU\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery\
The virus drops itself into the Windows System folder as either kernel.dll or kernel32.dll, and creates a registry
entry so that the file is run each time Windows is started:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kernel | Kernel32
The virus modifies the registry settings for .dll files so that they are executed as scripts by wscript.exe
(part of Windows Script Host):
  HKCR\dllfile\ScriptEngine\VBScript
  HKCR\dllFile\Shell\Open\Command\[Call to Wscript.exe]
  HKCR\dllFile\ShellEx\PropertySheetHandlers\WSHProps\
  HKCR\dllFile\ScriptHostEncode\
The virus searches the user's hard drive for infectable objects and appends itself to those.
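The persistence and handler changes listed above (the Run entry, the dllfile script-engine hijack, and the Outlook Express stationery settings) can be checked offline against a registry export. The following Python script is an added example, not part of the original description: it parses a .reg-style export and reports the indicators named on this page. The sample export embedded in it is constructed for illustration; the identity GUID, drive letters and the second, benign Run entry are placeholders, and the parser handles only string and dword values.

```python
import re
from typing import Dict, List

# Constructed sample .reg export (not a real capture). The key paths follow
# the ones listed in the description; the values are made-up placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="C:\\WINDOWS\\System32\\Kernel32.dll"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\dllfile\ScriptEngine]
@="VBScript"

[HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command]
@="C:\\WINDOWS\\System32\\WScript.exe \"%1\" %*"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\Mail]
"Compose Use Stationery"=dword:00000001
"Stationery Name"="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\blank.htm"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# Either a quoted value name or "@" (the key's default value), then "=" and the data.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.

    Value names are lower-cased for case-insensitive lookups ("@" is the default
    value); dword data is converted to a decimal string, quoted strings are
    unescaped. Other value types are ignored in this example.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '@' if m.group(2) else m.group(1).lower()
            data = m.group(3)
            if data.startswith('dword:'):
                data = str(int(data[len('dword:'):], 16))
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo \\ and \" escaping
            keys[current][name] = data
    return keys


def find_redlof_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings for each indicator present in the export."""
    findings: List[str] = []
    lower = {path.lower(): values for path, values in keys.items()}

    # 1. Run entry named Kernel/Kernel32 or launching kernel(32).dll. The real
    #    kernel32.dll is a library and is never started from the Run key.
    run = lower.get(r'hkey_local_machine\software\microsoft\windows\currentversion\run', {})
    for name, data in run.items():
        if name in ('kernel', 'kernel32') or re.search(r'\\kernel(32)?\.dll$', data, re.I):
            findings.append(f'Run entry {name!r} launches {data}')

    # 2. .dll files wired to the VBScript engine and opened through wscript.exe.
    engine = lower.get(r'hkey_classes_root\dllfile\scriptengine', {}).get('@', '')
    if engine.lower() == 'vbscript':
        findings.append('dllfile ScriptEngine is VBScript (.dll files run as scripts)')
    command = lower.get(r'hkey_classes_root\dllfile\shell\open\command', {}).get('@', '')
    if 'wscript.exe' in command.lower():
        findings.append(f'dllfile open command uses Windows Script Host: {command}')

    # 3. Outlook Express identity forced to compose with the stationery file.
    for path, values in lower.items():
        if 'outlook express' in path and path.endswith(r'\mail'):
            if values.get('compose use stationery') == '1' and \
               values.get('stationery name', '').lower().endswith('blank.htm'):
                findings.append(f'Stationery forced on for {path}: {values["stationery name"]}')
    return findings


def scan_reg_text(text: str) -> List[str]:
    """Convenience wrapper: parse an export and return its findings."""
    return find_redlof_indicators(parse_reg(text))


if __name__ == '__main__':
    for finding in scan_reg_text(SAMPLE_REG):
        print('[!]', finding)
```

On a real machine the export would come from `reg export` of the hives in question; the script deliberately inspects a text export rather than the live registry so that it runs on any platform during analysis. A match on the dllfile handler alone is a strong signal, since no legitimate software registers the VBScript engine for .dll files.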