How to delete VBS.Redlof.B - Removal tool, fix instructions

Name: VBS.Redlof.B

Aliases: Redlof.B, VBS/Redlof.B

Type: Script virus

Size: 14,068 bytes

First appeared on: January 2003

Damage: Redlof.B has no destructive effects. Its only purpose is to spread to as many computers as possible.

Redlof.B searches for and infects files with the following extensions: ASP, TML, HTT, HTM, VBS, PHP and JSP.

Brief Description: Redlof is a polymorphic virus that embeds itself, without any attachment, in every e-mail sent from the infected system. It executes when an infected email message is viewed.

To carry out infection, Redlof.B copies its code to HTT files, which are used to view system folders as Web pages. From that moment on, when the affected user opens a folder, they will be running the worm without knowing. This worm also searches for and infects files with the following extensions: ASP, TML, HTT, HTM, VBS, PHP and JSP.

This worm spreads via e-mail very quickly. To do this, it hides its code in the file that serves as stationery for all the messages the affected user sends through the Outlook mail client.

Redlof.B exploits the vulnerability affecting the VM ActiveX component, which allows a virus to be run simply when a web page that contains the viral code is viewed. More information about this vulnerability as well as the corresponding security patch can be found on Microsoft's website.

Visible Symptoms: Redlof.B shows no messages or warnings that indicate its presence on affected computers.

Technical description: Redlof.B creates the following files:

  • KERNEL.DLL or KERNEL32.DLL (depending on the operating system installed), in the Windows system directory. This is not a dynamic link library: it tries to pass itself off as one (a file with the DLL extension), but it is a copy of the worm and contains the worm's infection code.
  • SETUP.TXE, in the directory Windows\System32. This file contains the worm's encrypted code.
  • INET.VXD, in the directory Windows\System32. This file contains the worm's encrypted code.
  • BLANK.HTM, in the directory Program Files\Common Files\Microsoft Shared\Stationery\. This is a copy of the worm.

Redlof.B creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Kernel32.dll" = C:\%windir%\System\

    Redlof.B copies Kernel.dll to computers with Windows ME/98/95 installed and Kernel32.dll to computers with XP/2000/NT installed. In this way, Redlof.B ensures it is run every time Windows is started up.

  • HKEY_CLASSES_ROOT\dllfile\shell\Open\Command "(Default)" = C:\%windir%\%TempPath%\WScript.exe "%1" %*

    Through this entry, the worm ensures the file KERNEL32.DLL that it copied to the system is run. This file is copied to a directory other than that in which the original file KERNEL32.DLL was found. The worm does not overwrite the original system file.

To infect the system, Redlof.B carries out the following actions:

It copies its code to HTT files, which are used to view system folders as Web pages. This worm can also infect files with the HTML extension.

From that moment on, when the affected user opens a folder, they will be running the worm without knowing.

Propagation:

Redlof.B uses e-mail to spread. To do this, it hides its code in the file that serves as stationery for all the messages the affected user sends through the Outlook mail client.

Redlof.B exploits the vulnerability affecting the VM ActiveX component, which allows a virus to be run simply when an HTML page that contains the viral code is viewed. More information about this vulnerability, as well as the corresponding security patch, can be found on Microsoft's website.

Removal tool and instructions: A removal tool is not available. This virus is very hard to delete manually. AntivirusWold recommends that you obtain one of the following antiviruses:

Nevertheless, you can try the instructions below.
Note: These instructions are for experienced users only. Try them at your own risk.

Disabling Web Content

Disable Web Content to prevent this malware from executing further.

  • Open Windows Explorer: right-click Start and click Explore.
  • On the Tools menu, select Folder Options.
  • Click on the General tab.
  • Under Active Desktop, select Use Windows classic desktop.
  • Under Web View, select Use Windows classic folders. Click Apply.
  • Click on the View tab. Under Advanced settings, uncheck Remember each folder's view settings. Click Apply.
  • Click OK.
  • Close Windows Explorer.

Removing Autostart Entries from the Registry

Removing autostart entries from registry prevents the malware from executing during startup.

  • Open Registry Editor. Click Start>Run, type REGEDIT then press Enter.
  • In the left panel, double-click the following: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • In the right panel, locate and delete the entry: Kernel32 = "%System%\Kernel.dll"

    or

    Kernel32 = "%System%\Kernel32.dll"

    *Where %System% refers to the System folder, which is usually C:\Windows\System (Windows 9x and ME), or C:\WINNT\System32 (Windows NT and 2000), and C:\Windows\System32 (Windows XP).

  • Close the Registry Editor.

Addressing Registry Shell Spawning

Registry shell spawning executes the malware when a user tries to run a DLL file. The following procedures should restore the registry to its original state:

  • Open Registry Editor. Click Start>Run, type REGEDIT.EXE then press Enter.
  • In the left panel, double-click the following: HKEY_CLASSES_ROOT\dllfile\shell\open
  • Still in the left panel, select the "open" key by right-clicking its folder icon. Select the Delete command from the pop-up menu.
  • Repeat steps 2 and 3 for the following registry keys:
    HKEY_CLASSES_ROOT\dllfile\ScriptEngine
    HKEY_CLASSES_ROOT\dllfile\shellex
    HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode
  • Close the Registry Editor.

Restoring Deleted System file

To enable your system to function properly, restore the file
%System%\Kernel32.dll
using your original Windows installation CD or from a reliable backup source.

Applying Patches

The malware runs on infected systems with an unpatched VM ActiveX component vulnerability. Visit the Microsoft Security Bulletin (MS00-075) for patch links and more information on this vulnerability.
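As an added example (not part of the original write-up), the following PowerShell script checks a host for the indicators listed in the technical description and in the removal steps above, without modifying anything: the Run-key autostart value, the dllfile shell-spawning keys and the dropped files. It assumes an elevated PowerShell session and resolves %windir% from $env:SystemRoot; a hit means the item should be compared against the description, not that the machine is necessarily infected.

```powershell
# Added audit script, not part of the original write-up. Read-only: it reports
# the Redlof.B indicators named in the description above and changes nothing.
# Assumptions: elevated PowerShell; $env:SystemRoot stands in for %windir%.
function Test-RedlofB {
    $findings = @()
    $sys32 = Join-Path $env:SystemRoot 'System32'   # %System% on NT/2000/XP and later
    $sys9x = Join-Path $env:SystemRoot 'System'     # %System% on Windows 9x/ME

    # 1. Autostart: Run value "Kernel32" pointing at Kernel.dll or Kernel32.dll
    $run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Kernel32']) {
        $findings += "Run autostart entry: Kernel32 = $($run.Kernel32)"
    }

    # 2. Shell spawning: a dllfile open command that hands DLL files to WScript.exe
    $cmdKey = 'Registry::HKEY_CLASSES_ROOT\dllfile\shell\open\command'
    if (Test-Path $cmdKey) {
        $cmd = (Get-ItemProperty $cmdKey -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -match 'WScript\.exe') { $findings += "dllfile open command runs WScript: $cmd" }
    }
    foreach ($sub in 'ScriptEngine', 'shellex', 'ScriptHostEncode') {
        if (Test-Path "Registry::HKEY_CLASSES_ROOT\dllfile\$sub") {
            $findings += "dllfile\$sub key present; compare with the removal steps"
        }
    }

    # 3. Dropped files named in the technical description. Kernel32.dll itself is a
    #    legitimate system file, so it is judged only through the Run value above.
    $dropped = @(
        (Join-Path $sys32 'SETUP.TXE'),
        (Join-Path $sys32 'INET.VXD'),
        (Join-Path $sys9x 'Kernel.dll'),
        (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Stationery\BLANK.HTM')
    )
    foreach ($f in $dropped) {
        if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
    }
    return $findings
}

$hits = @(Test-RedlofB)
if ($hits.Count -eq 0) { 'No Redlof.B indicators found.' } else { $hits }
```

Run it again after following the removal steps: an empty result confirms the autostart value, the dllfile keys and the dropped files are gone.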