Redlof
Type File virus
Creator
Date Discovered 16-APR-2002
Place of Origin
Source Language Visual Basic Script
Platform Microsoft Windows
File Type(s) .htm, .html, .asp, .php, .jsp, .htt, .vbs (copies of the virus are also dropped with a .dll extension)
Infection Length Varied
Reported Costs

Redlof, also known as Redolf, is a polymorphic virus written in Visual Basic Script and stored in encoded (VBScript.Encode) form. It infects Outlook stationery, so it spreads by email without an attachment or any of the other things usually associated with mail-borne malware. It exploits a vulnerability in Internet Explorer known as the Microsoft VM ActiveX Control vulnerability (Microsoft Security Bulletin MS00-075), which lets the script run without any user intervention as soon as an infected page or message is rendered.

Behavior

Redlof can arrive on a system either through an email or through an infected web page. When it arrives by email it is embedded in the message's stationery, so the message has no particular subject line, body text, or attachment to look for.

When executed, Redlof decrypts its viral body and creates the file "\Web\Folder.htt" in the Windows folder. It also copies itself as Folder.htt into every directory viewed or opened in Explorer, unless a copy is already there. Folder.htt is the template Active Desktop's web view uses to render a folder, so the virus runs again every time such a folder is opened. It then checks whether wscript.exe exists in the Windows folder: if it does, it copies itself to the System folder as Kernel.dll; if not, it drops a copy as Kernel32.dll in the "System" folder (not System32) under the Windows folder. It also copies itself as kwjall.gif into the "Web" subdirectory of the Windows folder.

Redlof checks and makes several changes to the registry, most of them intended to make Windows execute .dll files as VBScript. It works mainly on the key "HKEY_CLASSES_ROOT\.dll". It first verifies that the key's default value is "dllfile" and that "Content Type" is "application/x-msdownload", then:

  • sets the subkey "DefaultIcon" to the value of the DefaultIcon subkey under "HKEY_CLASSES_ROOT\vxdfile", so the hijacked type keeps a system-looking icon;
  • adds the subkey "ScriptEngine" with the value "VBScript", and the subkey "ScriptHostEncode" with the value "{85131631-480C-11D2-B1F9-00C04F86C324}", mirroring the entries Windows keeps for the .vbs file type;
  • sets the default value of "HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command" to "%windir%\WScript.exe %1 %*" or "%windir%\System32\WScript.exe %1 %*";
  • sets the default value of "HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps" to "{60254CA5-953B-11CF-8C96-00AA00B8708C}".

The net effect is that opening any file with a .dll extension hands it to the Windows Script Host, which is how the copies dropped as Kernel.dll or Kernel32.dll are later run from the Run key.

It searches every drive and folder attached to the system for files with the extensions .html, .htm, .asp, .php, .jsp, .htt, and .vbs and infects them. It also attaches itself to the default Outlook stationery used to create email messages: if "C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm" exists it is infected like any other file, otherwise Redlof creates it.

Redlof sets several registry values so that it spreads by email through Outlook stationery. It makes Outlook Express compose with stationery by default by setting "Compose Use Stationery" to "1" under "HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\[Outlook Version].0\Mail", and, if they do not already exist, sets "Stationery Name" and "Wide Stationery Name" under the same key to the location of Blank.htm. For Outlook 2000 it sets "EditorPreference" under "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail" to "131072", which selects HTML as the message format. Depending on whether the value already exists, it either creates or sets to "blank" the value "001e0360" under "HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046" and "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046", as well as the value "NewStationery" under "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings" (Outlook 2002).

To run at every start-up, it adds the value "Kernel32" to the local machine Run key ("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run") and sets it to the path of its Kernel.dll or Kernel32.dll copy in the system folder. A .dll path would normally do nothing here; it works only because the file-type changes above have bound .dll to the VBScript engine.

Variants

Redlof had a small number of variants, mostly similar to the original.

Redlof.B

When executed, Redlof.B drops the files Desktop.ini and Folder.htt in multiple locations and infects files with the extensions .htm, .html, and .htt. It hijacks the Internet Explorer home page in two steps: it sets the "Start Page" value of "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" to "about:error", then sets the value "error" under "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs" to "http://www.geocities.com/hedda_marie_tolentino/index.htm", so that the about:error alias resolves to that page.

It also sets the following registry values. Together they remove the Folder Options dialog, keep hidden files (including the dropped Desktop.ini and Folder.htt) out of view, and keep Explorer's web view enabled, which is what executes Folder.htt:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Policies\Explorer "ClassicShell" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ClassicViewState" = "0", "Hidden" = "0", "ShowSuperHidden" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState "FullPathAddress" = "0"

It deletes the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ExtShellViews\{5984FFE0-28D4-11CF-AE66-08002B2E1262}.

On the 26th of September, the virus deletes the "Web" folder in the Windows directory and restarts the system.
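The registry and file changes listed above for the original Redlof (the .dll file-type hijack, the Run-key entry, the dropped files and the Outlook Express stationery settings) and for Redlof.B (the about:error start page and the Explorer policy values) can be checked from one read-only triage script. The script below is an added example, not code from the original write-up or from any vendor tool. Registry paths, value names and file names are those given on this page; the heuristic of reporting any Run entry whose target ends in .dll, and the SHA-256 reporting of dropped files, are this example's own additions.

```powershell
# Added example: read-only host triage for the Redlof.A / Redlof.B indicators on this
# page. Not from the original write-up or any vendor tool. Paths and values are the
# page's; the ".dll as Run target" heuristic and hashing are this example's additions.
# Run from an elevated PowerShell prompt; nothing is modified.

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or the value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# --- Redlof.A: the .dll extension bound to the VBScript engine -----------------
$dllExt = 'Registry::HKEY_CLASSES_ROOT\.dll'
if ((Get-RegValue $dllExt '(default)') -eq 'dllfile') {
    foreach ($sub in 'ScriptEngine', 'ScriptHostEncode') {
        if (Test-Path "$dllExt\$sub") {
            $val = Get-RegValue "$dllExt\$sub" '(default)'
            $findings.Add("HKCR\.dll\$sub = '$val' (a DLL type should have no script-engine subkeys)")
        }
    }
}
$openCmd = Get-RegValue 'Registry::HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command' '(default)'
if ($openCmd -and $openCmd -match 'wscript\.exe') {
    $findings.Add("HKCR\dllfile Open command hands .dll files to the script host: $openCmd")
}
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHandlers\WSHProps') {
    $findings.Add('HKCR\dllfile has the WSHProps property-sheet handler')
}

# --- Redlof.A: Run-key persistence ----------------------------------------------
# The virus names its entry Kernel32; any Run target ending in .dll is reported too,
# because a DLL only "runs" from here once the file-type hijack above is in place.
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $run)) { continue }
    foreach ($p in (Get-ItemProperty -Path $run).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
        if ($p.Name -eq 'Kernel32' -or "$($p.Value)" -match '\.dll"?\s*$') {
            $findings.Add("$hive Run entry '$($p.Name)' = $($p.Value)")
        }
    }
}

# --- Redlof.A: dropped files ------------------------------------------------------
# Folder.htt is a legitimate web-view template on Windows 98/2000, so files are
# reported with a hash for analyst review rather than declared infected.
$dropped = @(
    (Join-Path $env:windir 'Web\Folder.htt'),
    (Join-Path $env:windir 'Web\kwjall.gif'),
    (Join-Path $env:windir 'System32\Kernel.dll'),
    (Join-Path $env:windir 'System\Kernel32.dll'),
    'C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm'
)
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings.Add("review file: $f SHA256=$hash")
    }
}

# --- Redlof.A: Outlook Express forced to compose with the infected stationery -----
foreach ($id in Get-ChildItem 'HKCU:\Identities' -ErrorAction SilentlyContinue) {
    $oe = "HKCU:\Identities\$($id.PSChildName)\Software\Microsoft\Outlook Express"
    foreach ($ver in Get-ChildItem $oe -ErrorAction SilentlyContinue) {
        $mail = "$oe\$($ver.PSChildName)\Mail"
        if ((Get-RegValue $mail 'Compose Use Stationery') -eq 1) {
            $name = Get-RegValue $mail 'Stationery Name'
            $findings.Add("Outlook Express $($ver.PSChildName), identity $($id.PSChildName): Compose Use Stationery=1, Stationery Name=$name")
        }
    }
}

# --- Redlof.B: IE start page redirected through about:error -------------------------
if ((Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Start Page') -eq 'about:error') {
    $target = Get-RegValue 'HKLM:\Software\Microsoft\Internet Explorer\AboutURLs' 'error'
    $findings.Add("IE Start Page is about:error, which AboutURLs resolves to: $target")
}

# --- Redlof.B: Folder Options removed, hidden files forced out of view -----------
if ((Get-RegValue 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoFolderOptions') -eq 1) {
    $findings.Add('Explorer policy NoFolderOptions=1 (user cannot re-enable "show hidden files")')
}
# Hidden is documented as 1 (show) or 2 (do not show); the 0 written by Redlof.B is off-spec.
if ((Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'Hidden') -eq 0) {
    $findings.Add('Explorer\Advanced\Hidden=0 (non-standard value; hidden files suppressed)')
}

if ($findings.Count -eq 0) { 'No Redlof indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The strongest single indicator is the combination of a ScriptEngine subkey under HKCR\.dll with a Run entry whose target is a .dll: neither has a legitimate reason to exist, and the pair is exactly the mechanism the page describes. The file checks are deliberately weaker, since Folder.htt, Desktop.ini and Blank.htm are all normal files on the affected Windows versions and only their content tells an infected copy from a clean one; the page gives no byte signature, so the script reports hashes for comparison rather than guessing.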

Effects

Trend Micro of Japan at one point recorded a total of 352,007 infections worldwide, with 89,179 in Japan. The US was the next hardest hit with 63,390, followed by China with just under 50,000.

Redlof was somewhat widespread in Japan between 2002 and 2005, though requests for help with the virus appear as late as 2011. By fall of 2002, Redlof was the third most common virus reported to Trend Micro Japan. Often users had simply visited web pages carrying the code, which triggered their antivirus software, yet found nothing on their systems beyond a few items in their Temporary Internet Files. It was a common prank on 2ch and other otaku/anime sites to paste the virus code into posts, which tripped the antivirus product of anyone viewing the page but was usually harmless in practice.

One user reported their wallpaper being replaced with a white background, though this did not occur in most other cases. Another reported being unable to send email. A removal tool named "Redlofster" was created to combat the virus.

Other Facts

The artist Aphex Twin released a composition named "VBS.Redlof.B", released in 2005. Other virally themed compositions he has released include "W32.Mydoom.AU@mm", "W32.Aphex@mm", and "W32.Deadcode.A".

Sources

Andre Post. Symantec Security Response, VBS.Redlof.A. 20-MAY-2004

Fergal Ladley. Symantec Security Response, VBS.Redlof.B. 06-FEB-2005

F-Secure, Virus:W32/Redlof.

Kaspersky Lab, VIRUS.VBS.REDLOF. 17-DEC-2002

Rhena Inocencio. Trend Micro, VBS_REDLOF.A. 19-FEB-2013

Trend Micro Japan. VBS_REDLOF.A 感染状況 (VBS_REDLOF.A infection status).

VBS_REDLOF/VBS.Redlofウイルスとは サイト閲覧で感染!? 駆除方法 (What is the VBS_REDLOF/VBS.Redlof virus? Infected just by viewing a site!? Removal method). 06-FEB-2015 (Image Credit)

Notable Okwave Incidents

Anonymous user. Okwave.jp, HTML.Redlof.A. 18-SEP-2002

Anonymous user. Okwave.jp, VBS_REDLOF.Aについて (About VBS_REDLOF.A). 20-NOV-2002

inuthai. Okwave.jp, VBS_REDLOF.Aの検出とその駆除:助けて下さい! (Detecting and removing VBS_REDLOF.A: please help!). 04-APR-2003

yuururi. Okwave.jp, HTML.Redlof.Aに感染? (Infected with HTML.Redlof.A?). 18-AUG-2003

1-19-137. Okwave.jp, ウイルス感染HPからの感染検索と駆除 (Searching for and removing an infection picked up from a virus-infected home page). 15-APR-2004

piyo-co. Okwave.jp, VBS.Redlof.A. 07-JUL-2005

Okwave.jp, 検索結果 redlof (search results for "redlof").

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License