Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI
VBS_REDLOF.A


FYI:
Had two people that got hit with this thing tonight...first I had seen it in the US.

VBS_REDLOF.A

In the wild: Yes
Payload 1: Deletes files and overwrites the startup file
Trigger condition 1: Upon execution
Discovered: Apr. 30, 2002
Detection available: Apr. 30, 2002
For protection: Pattern File 273, Scan Engine 5.200
Language: English
Platform: Windows
Encrypted: Yes
Size of virus: ~11,500 bytes

Details:
This Visual Basic Script arrives in encrypted form. When a user loads an infected HTML file, the virus hooks the onload event and runs the KJ_start() function. Upon execution, this VBScript virus decrypts itself, then checks whether its host is an HTML or a VBS file so that it can initialize its variables properly.

It checks if WSCRIPT.EXE can be found in the Windows folder. If it finds it, it creates a copy of itself in the Windows System directory as KERNEL.DLL. It then adds this registry entry so that it executes at every Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Kernel32 = %System%\Kernel.dll

If it does not locate WSCRIPT.EXE, it overwrites
%System%\Kernel32.dll
thus preventing the system from functioning.

The virus also spreads through email messages by infecting the stationery file located in Program Files\Common Files\Microsoft Shared\Stationery\blank.htm. It enables the option in Microsoft Outlook Express to use stationery, so that outgoing email messages are infected and carry copies of the virus.

The virus then enumerates the disk drives, searching for VBS, HTML, HTM, ASP, PHP, JSP and HTT files to infect.

The virus also creates registry entries to associate itself with DLL files, allowing the virus code to be executed when a user opens a DLL file. The created entries are as follows:

HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command
(default) = %Windir%\WScript.exe "%1" %*

HKEY_CLASSES_ROOT\dllfile\ScriptEngine
(default) = VBScript

HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHandlers\WSHProps
(default) = {60254CA5-953B-11CF-8C96-00AA00B8708C}

HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode
(default) = {85131631-480C-11D2-B1F9-00C04F86C324}

Despite the complexity of the script virus and its access to file systems, installing patches or the latest version of Microsoft Internet Explorer makes the virus unable to execute or propagate.

The latest security patches for Internet Explorer can be acquired at this URL:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-047.asp

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS_REDLOF.A&VSect=T
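The advisory above says an infected HTML file gets its onload event hooked to run KJ_start(), and that the virus hunts for VBS, HTML, HTM, ASP, PHP, JSP and HTT files. The scanner below is an added example (not Trend Micro's code and not from the post) that sweeps a directory tree for those file types and reports the ones carrying that marker. The exact attribute form (onload="KJ_start()") and the use of a <script language=vbscript> block to carry the script body are assumptions drawn from that description, so both are matched permissively; the sample files it scans are constructed and contain no virus code.

```python
"""Scan a directory for the host-file markers VBS_REDLOF.A leaves behind.

Added example (not Trend Micro's code and not from the forum post). The advisory
only tells us that an infected HTML file has its onload event hooked to run a
function named KJ_start(); the attribute form onload="KJ_start()" and the
<script language=vbscript> wrapper are assumptions, so both are matched
permissively. A .vbs host is raw script, so there the function name alone is
the marker.
"""
import os
import re
import tempfile

# Extensions the advisory says the virus enumerates the disks for.
TARGET_EXTS = {".vbs", ".html", ".htm", ".asp", ".php", ".jsp", ".htt"}

# Marker 1 (HTML-like hosts): an onload attribute that calls KJ_start().
ONLOAD_HOOK = re.compile(r"onload\s*=\s*[\"']?\s*KJ_start\s*\(", re.IGNORECASE)
# Marker 2 (HTML-like hosts): a VBScript block that mentions KJ_start anywhere.
VBS_BLOCK = re.compile(
    r"<script[^>]*language\s*=\s*[\"']?vbscript[\"']?[^>]*>(.*?)</script>",
    re.IGNORECASE | re.DOTALL,
)
KJ_START = re.compile(r"\bKJ_start\b", re.IGNORECASE)


def scan_text(text, ext):
    """Return the marker names found in one file's contents (ext lowercase, with dot)."""
    hits = []
    if ext == ".vbs":
        if KJ_START.search(text):
            hits.append("vbs_KJ_start")
        return hits
    if ONLOAD_HOOK.search(text):
        hits.append("onload_hook_KJ_start")
    if any(KJ_START.search(block) for block in VBS_BLOCK.findall(text)):
        hits.append("vbscript_block_KJ_start")
    return hits


def scan_tree(root):
    """Walk root, scan files with targeted extensions, return {path: [markers]}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="latin-1", errors="replace") as fh:
                    hits = scan_text(fh.read(), ext)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if hits:
                findings[path] = hits
    return findings


# Constructed samples, not real virus code: a clean page, a stationery file whose
# body onload has been hooked as the advisory describes, a .vbs host, and a .txt
# that carries the string but must be ignored because it is not a target type.
SAMPLES = {
    "clean.htm": '<html><body onload="init()"><p>hello</p></body></html>\n',
    "Stationery/blank.htm": (
        '<html><body onload="KJ_start()">\n'
        "<script language=vbscript>\n"
        "' placeholder for the encrypted VBScript body\n"
        "Sub KJ_start()\nEnd Sub\n"
        "</script></body></html>\n"
    ),
    "sub/page.vbs": "Sub KJ_start()\nEnd Sub\n",
    "notes.txt": 'onload="KJ_start()"\n',
}


def demo():
    """Write the samples under a temp dir, scan it, return findings keyed by relative path."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="latin-1") as fh:
                fh.write(body)
        found = scan_tree(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): hits
                for p, hits in found.items()}


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Point scan_tree() at a drive root (or at the Outlook Express Stationery folder first, since that is the file that gets mailed out) and treat every hit as a file to restore from backup rather than edit by hand; the script only reads.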

sashwa
Mod
join:2001-01-29
Alcatraz

said by Name Game:

The latest security patches for Internet Explorer can be acquired on this URL:
»www.microsoft.com/techne ··· -047.asp
That link says the Affected Software is Microsoft Internet Explorer 5.01, Microsoft Internet Explorer 5.5 and Microsoft Internet Explorer 6.0. Does that mean if I have IE 6 SP1, I don't need the patch???

Also, if I should download the patch I have another question...I have renamed my vnbt.386 file to vnbt.old...should I rename it back to the original name before downloading the patch???

TIA,
sash

dvd536 to Name Game
as Mr. Pink as they come
Premium Member
join:2001-04-27
Phoenix, AZ
How does the virus overwrite kernel32.dll without getting a file-in-use error from Windows? A script can't get ring zero, can it?

sashwa
Mod
join:2001-01-29
Alcatraz

*bump*

dvd536
as Mr. Pink as they come
Premium Member
join:2001-04-27
Phoenix, AZ

said by sashwa:
*bump*
;) *nudge*

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Nudge ME...I do not have a copy of it to give you guys, but you can go here and read about it, or ask Trend. Seems they are also cleaning it off with HouseCall for people over in other countries.

»www.trendmicro.com/vinfo ··· REDLOF.A
Name Game
Premium Member

In Asia, right now, it is number 5 in the top ten for that area.

»wtc.trendmicro.com/wtc/

BigCountry4 to dvd536
Member
join:2002-09-21
Huntington, WV
said by dvd536:
how does the virus overwrite kernel32.dll without getting a file in use by windows error? a script cant get ring zero can it?
Best guess is it replaces the .dll during or before boot-up. I would guess the virus overwrites what it can in Windows, then writes to the registry, and either forces a reboot or waits for the user to reboot; then it would overwrite any file it couldn't in Windows.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Description:
This polymorphic Visual Basic Script (VBScript) virus infects the following files on target systems:

VBS
HTML
HTM
ASP
PHP
JSP
HTT
To spread copies of itself, it infects the stationery file (HTML) of Microsoft Outlook Express and enables the stationery option, so that outgoing email messages are infected.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

For Users of Trend Micro Products
Download the Trend Micro System Cleaner Patch to effectively remove this malware from your system using your Trend Micro product.

For Non-users of Trend Micro Products

Download and run the Trend Micro System Cleaner Package. If you have an MD5 signature checker, the MD5 hash value of this tool is 991D3855C176E554ABAEE3D279753C17.
Trend Micro advises users to consult the readme file, readme_sysclean.txt, which contains the description and features of this package.
NOTE: Non-users of Trend Micro products must download and use the latest pattern file for the TSC package to be effective.

MANUAL REMOVAL INSTRUCTIONS

Removing Autostart Entries from the Registry

Removing autostart entries from registry prevents the malware from executing during startup.

1. Open Registry Editor. Click Start > Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3. In the right panel, locate and delete the entry:
   Kernel32 = %System%\Kernel.dll
   (%System% refers to the System folder, usually %Windows%\System on Windows 9x/ME or %Windows%\System32 on Windows NT/2000.)
4. Close the Registry Editor.
Addressing Registry Shell Spawning

Registry shell spawning executes the malware when a user tries to run a DLL file. The following procedures should restore the registry to its original state:

1. Open Registry Editor. Click Start > Run, type REGEDIT.EXE, then press Enter.
2. In the left panel, double-click the following:
   HKEY_CLASSES_ROOT\dllfile\shell\open
3. Still in the left panel, select the "open" key by right-clicking its folder icon. Select the Delete command from the pop-up menu.
4. Repeat steps 2 and 3 for the following registry keys:
   HKEY_CLASSES_ROOT\dllfile\ScriptEngine
   HKEY_CLASSES_ROOT\dllfile\shellex
   HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode
5. Close the Registry Editor.
Restoring Deleted System file

To enable your system to function properly, restore the file
%System%\Kernel32.dll
using your original Windows installation CD or from a reliable backup source.
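The manual removal steps above come down to five registry items: the Kernel32 value under the Run key and four keys under HKEY_CLASSES_ROOT\dllfile. The script below is an added example (not Trend Micro's System Cleaner and not from the post) that parses `reg export` dumps of those two trees, reports which of the advisory's indicators are present, and prints the matching `reg delete` command for each so the cleanup can be reviewed before it is run. The export-then-check workflow and the script filename are assumptions; the dump it checks by default is constructed to show the infected state.

```python
"""Check `reg export` dumps for the registry indicators VBS_REDLOF.A plants.

Added example, not Trend Micro's System Cleaner and not from the forum post.
Assumed workflow on the suspect machine: export the two trees the advisory
names, then run this script over the dumps (version 5.00 exports are UTF-16).

    reg export HKCR\\dllfile dllfile.reg
    reg export HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run run.reg
    python redlof_reg_check.py dllfile.reg run.reg

Indicator values are the ones listed in the advisory; the clean-up commands map
one-to-one to its manual removal steps (the whole shellex subtree is deleted,
as the advisory instructs). The sample dump at the bottom is constructed.
"""
import re
import sys

# (key, value name ("" = default), pattern the data must match, clean-up command)
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "Kernel32", re.compile(r"\\kernel\.dll$", re.I),
     r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Kernel32 /f'),
    (r"HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command", "",
     re.compile(r"wscript\.exe", re.I),
     r'reg delete "HKCR\dllfile\shell\open" /f'),
    (r"HKEY_CLASSES_ROOT\dllfile\ScriptEngine", "",
     re.compile(r"^vbscript$", re.I),
     r'reg delete "HKCR\dllfile\ScriptEngine" /f'),
    (r"HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHandlers\WSHProps", "",
     re.compile(r"^\{60254CA5-953B-11CF-8C96-00AA00B8708C\}$", re.I),
     r'reg delete "HKCR\dllfile\shellex" /f'),
    (r"HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode", "",
     re.compile(r"^\{85131631-480C-11D2-B1F9-00C04F86C324\}$", re.I),
     r'reg delete "HKCR\dllfile\ScriptHostEncode" /f'),
]

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # Undo .reg escaping: a doubled backslash and a backslash-quote.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Parse the REG_SZ values of a .reg dump into {key.lower(): {name.lower(): data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            name, data = m.group(1) or "", m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':  # REG_SZ only
                current[_unescape(name).lower()] = _unescape(data[1:-1])
    return keys


def check(keys):
    """Return [(key, value_name, data, cleanup_cmd)] for each indicator present."""
    hits = []
    for key, name, pattern, cmd in INDICATORS:
        data = keys.get(key.lower(), {}).get(name.lower())
        if data is not None and pattern.search(data):
            hits.append((key, name or "(Default)", data, cmd))
    return hits


def cleanup_commands(dump_text):
    """Parse a dump and return only the reg delete commands it warrants."""
    return [cmd for _k, _n, _d, cmd in check(parse_reg(dump_text))]


# Constructed sample in reg export format, showing the infected state.
SAMPLE_DUMP = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Kernel32"="C:\\WINDOWS\\SYSTEM\\Kernel.dll"

[HKEY_CLASSES_ROOT\dllfile]
@="Application Extension"

[HKEY_CLASSES_ROOT\dllfile\ScriptEngine]
@="VBScript"

[HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command]
@="C:\\WINDOWS\\WScript.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHandlers\WSHProps]
@="{60254CA5-953B-11CF-8C96-00AA00B8708C}"

[HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode]
@="{85131631-480C-11D2-B1F9-00C04F86C324}"
'''


if __name__ == "__main__":
    dumps = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-16") as fh:  # reg export (v5.00) writes UTF-16
            dumps.append(fh.read())
    for text in dumps or [SAMPLE_DUMP]:
        for key, name, data, cmd in check(parse_reg(text)):
            print(f"{key}\n  {name} = {data}\n  fix: {cmd}")
```

The script never writes to the registry: the export you already made is your backup, and the printed `reg delete` lines are the same deletions the manual steps perform, so run them only after reading them. Restoring %System%\Kernel32.dll, the last manual step, still has to be done from install media or a backup.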

sashwa to Name Game
Mod
join:2001-01-29
Alcatraz
said by sashwa:
said by Name Game:
The latest security patches for Internet Explorer can be acquired on this URL:
»www.microsoft.com/technet/treeview/def..[?:

That link says the Affected Software is Microsoft Internet Explorer 5.01, Microsoft Internet Explorer 5.5 and Microsoft Internet Explorer 6.0. Does that mean if I have IE 6 SP1, I don't need the patch???

Also, if I should download the patch I have another question...I have renamed my vnbt.386 file to vnbt.old...should I rename it back to the original name before downloading the patch???

TIA,
sash

Hi Name Game...you still haven't answered my original question about the Microsoft patch for this, and whether I would need to rename my vnbt.old file back to vnbt.386 if I need to apply that patch to my IE 6 SP1.

TIA,
sash

ps...I don't have the virus but want to make sure I am protected from it

BigCountry4
Member
join:2002-09-21
Huntington, WV

Here is your answer: you don't need it.

Inclusion in future service packs:

The fixes for these issues will be included in IE 6.0 Service Pack 1.
The fixes for the issues affecting IE 5.01 Service Pack 2 and Service Pack 3 will be included in Windows 2000 Service Pack 4.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

said by sashwa:
Hi Name Game...you still haven't answered my original question about the Microsoft patch for this, and whether I would need to rename my vnbt.old file back to vnbt.386 if I need to apply that patch to my IE 6 SP1.

TIA,
sash

Only because that trick of renaming vnbt was never my bag...I would never recommend it. I figure everyone gets all the regular patches offered by M$ in any case...and if you have IE 6 SP1 I have no idea if you need the patch...sorry. I do not even like SP1...but maybe someone else can tell you.

sashwa to Name Game
Mod
join:2001-01-29
Alcatraz
Thanks BigCountry for your reply. I didn't see the inclusion part of that Security Bulletin. Guess my brain was napping when I read the bulletin that Name Game posted.

Thanks Name Game for responding. And I just wanted to let you know that I appreciate your informative posts.

sash

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

I would have thought you were protected...but why do you do that vnbt thing??

sashwa to Name Game
Mod
join:2001-01-29
Alcatraz
I am somewhat protected. I run Norton AntiVirus 2002, which I keep updated, but I don't have a firewall. I have it auto-run and scan email incoming and outgoing, and it has saved my tush a couple of times. I tried doing the NetBEUI thing to close my ports, but it messed up my OE when sending mail with stationery and it messed with my Norton also for some reason, plus I noticed my computer was not running as well as it should...i.e., losing sync and stuff like that. I don't use NetBIOS on my machine and I don't file share, so I tried Mark Jansson's tip about changing your vnbt.386 file to vnbt.old. Now my ports show closed and things run okay. I just don't know if I need to change the vnbt file back to its original name when I download programs or critical updates or stuff like that. BTW, I'm running Win98SE, fully patched as far as I know.

sash