Paper on the HTML.Redlof.A virus
@ Articles -> Security     Nov 11 2002, 04:27 (UTC+0)
Lalas writes: This is perhaps the second post about a full disassembly of a virus that is still running strong in the wild.
I shall be talking about the HTML.Redlof.A "virus", which affects computers running Windows with Windows Scripting Host activated.

Introduction:
-------------
Redlof is actually an HTML virus which can infect the user in the following ways:

1. User opens a web page infected with the virus
2. User opens a folder (with the "View as Web Page" option enabled) infected with the virus

After the first instance, the virus opens files of type .htt, .html, .htm, .jsp, .asp and .php in the current folder, traverses up the tree, and does the same in the "My Documents" folder and its sub folders.
It appends itself to Folder.htt in the current folder and/or to C:\WinPath\Web\Folder.htt, but before infecting them it backs up the clean copies to
Web\KJWALL.GIF (Folder.HTT) and System32\KJWALL.GIF (DeskTop.INI).
It writes another copy of itself into the file "Kernel.dll" or "kernel32.dll" (provided it is NOT Microsoft's own core file) and registers DLL files to run WScript (the WSH core) when they are loaded.
Depending on the Windows version, either Kernel.dll or Kernel32.dll is loaded at startup. Thus every file of the types given above is infected when opened.
It writes to the registry and to the Outlook keys so that a copy of itself is sent every time a mail is sent. The virus is incorporated into the HTML formatting of the mail itself and thus appears
transparent to the user.
It also keeps the heart of the virus encrypted in a variable named "ExeString", which is decrypted during activation.
I have posted the decrypted source with this post at the end.

How do I know if I am infected ?
--------------------------------

Your AV should be the first one to indicate it. However, it will probably NOT be able to clean it and will end up quarantining it.
You can also manually check for the following files on your HDD:
C:\WINDOWS\WEB\KJWALL.GIF
C:\WINDOWS\SYSTEM32\KJWALL.GIF
C:\WINDOWS\SYSTEM\KERNEL.DLL

Don't delete ANY of the above files now !
You can also tell whether it is active as follows:
1. Create an empty .txt file and rename it to .html. It should be 0 bytes.
2. Click on it, then close it. If its size has automatically increased to approx 12 Kbytes, then you ARE infected.

Oh my god !
-----------

You can easily get your system clean by yourself. Follow the steps:

1. Using the Windows FIND tool (Start>Find), search for ANY file containing the text "KJ_Start()". You should get quite a lot!
Rename ALL of them to .VIR
[E.g. rename Filename.HTML to Filename.HTML.VIR]
NOTE: Replace C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm with a clean one !

2. Rename (or delete) Folder.htt and Desktop.ini.

3. Using MSCONFIG, uncheck the entry "Kernel32" linked to the file kernel.dll (or kernel32.dll, but make sure it isn't Microsoft's) to stop it from loading at startup.
If you are a Windows 2K user, open REGEDIT, go to [HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN] and remove the entry for
"Kernel32".

4. Boot to real-mode MS-DOS.
CD to the Web directory and delete Folder.htt and Desktop.ini.
Copy C:\WinPath\Web\kjwall.gif to Folder.htt and C:\WinPath\System32\kjwall.gif to Desktop.ini.
Delete kernel.dll from C:\WinPath\System\kernel.dll.
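The FIND-and-rename step (step 1 above) and the infection check from the previous section can be automated. The following Python script is an added example, not part of the original post: it walks a directory tree, flags files containing the "KJ_Start()" marker named in the post, and renames hits to .VIR. It assumes that marker alone is sufficient to flag a file and restricts itself to the file types the post lists (plus the .ini files the virus appends to); the sample tree it scans is constructed for the demo.

```python
import os
import tempfile

# Marker string the post says infected files contain (assumption: sufficient on its own)
SIGNATURE = b"KJ_Start()"
# File types the post lists as targets, plus the Folder.htt / Desktop.ini files it appends to
SCAN_SUFFIXES = (".htt", ".html", ".htm", ".jsp", ".asp", ".php", ".ini")

def is_infected(path):
    """True if the file body contains the KJ_Start() marker; unreadable files count as clean."""
    try:
        with open(path, "rb") as fh:
            return SIGNATURE in fh.read()
    except OSError:
        return False

def find_infected(root):
    """Walk root like the Windows FIND step and return sorted paths carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_SUFFIXES):
                full = os.path.join(dirpath, name)
                if is_infected(full):
                    hits.append(full)
    return sorted(hits)

def quarantine(paths, dry_run=True):
    """Rename each hit to <name>.VIR as in step 1 of the post; returns the new names."""
    renamed = []
    for path in paths:
        target = path + ".VIR"
        if not dry_run:
            os.replace(path, target)
        renamed.append(target)
    return renamed

def demo():
    # Constructed sample tree: one clean page and one stand-in "infected" Folder.htt
    root = tempfile.mkdtemp(prefix="redlof_demo_")
    os.makedirs(os.path.join(root, "My Documents"))
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<html><body>clean page</body></html>")
    infected = os.path.join(root, "My Documents", "Folder.htt")
    with open(infected, "wb") as fh:
        fh.write(b"<html><script>KJ_Start()</script></html>")  # marker only, not the virus body
    hits = find_infected(root)
    renamed = quarantine(hits, dry_run=False)
    return hits, renamed, os.path.exists(infected), os.path.exists(renamed[0])
```

Run with dry_run=True first to review the list of hits before anything is renamed.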

Now you can do the following from either DOS or Windows, whichever you are comfortable with:

Open the files you had renamed to .VIR in any text editor such as Notepad and search for the line(s)

document.write "

Here's a batch file which you can use to clean Folder.htt and Desktop.ini.
RUN ONLY IF YOU ARE INFECTED !!

--------------Start CLEAN.BAT-------------------
REM It's assumed that you have your Windows on C:\WINDOWS
REM If not, change the paths accordingly
REM Run this from real-mode MS-DOS so that KERNEL.DLL is not in use
@ECHO OFF
REM Remove the virus copy that is registered to load at startup
IF EXIST C:\WINDOWS\SYSTEM\KERNEL.DLL DEL C:\WINDOWS\SYSTEM\KERNEL.DLL
REM Replace the infected Folder.htt with the clean backup the virus made
IF EXIST C:\WINDOWS\WEB\FOLDER.HTT DEL C:\WINDOWS\WEB\FOLDER.HTT
IF EXIST C:\WINDOWS\WEB\KJWALL.GIF MOVE C:\WINDOWS\WEB\KJWALL.GIF C:\WINDOWS\WEB\FOLDER.HTT
REM Restore the clean Desktop.ini backup (ECHO Y answers the overwrite prompt)
ECHO Y|MOVE C:\WINDOWS\SYSTEM32\KJWALL.GIF C:\WINDOWS\WEB\DESKTOP.INI
IF EXIST C:\WINDOWS\system32\desktop.ini DEL C:\WINDOWS\system32\desktop.ini
COPY C:\WINDOWS\WEB\DESKTOP.INI C:\WINDOWS\system32\desktop.ini
ECHO System is clean !
ECHO Make sure you have cleaned C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm !
PAUSE
--------------End CLEAN.BAT--------------------


(c) New Order / http://neworder.box.sk/