VBS_REDLOF.A-11

 Analysis by: Michael Jay Villanueva

 ALIASES:

Virus: VBS/Redlof.A (Microsoft)

 PLATFORM:

Windows


  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via software vulnerabilities, propagates via email


This Visual Basic Script (VBScript) arrives in an encrypted form. It spreads by infecting files, via email, and by exploiting a specific vulnerability.

This File infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It takes advantage of unknown vulnerabilities in certain software to propagate across networks.

It does not have any backdoor routine.

  TECHNICAL DETAILS

File Size:

14,707 bytes

File Type:

HTML, HTM, Script

Memory Resident:

No

Initial Samples Received Date:

11 Jul 2017

Payload:

Infects files, deletes files

Arrival Details

This File infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This File infector adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Kernel32 = "%Windows%\System\Kernel.dll"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Kernel32 = "%Windows%\System\Kernel32.dll"

File Infection

This File infector infects the following file types in shared networks to ensure its propagation:

  • VBS
  • HTML
  • HTM
  • ASP
  • PHP
  • JSP
  • HTT

Propagation

This File infector takes advantage of unknown vulnerabilities in the following software to propagate across networks:

Backdoor Routine

This File infector does not have any backdoor routine.

NOTES:

This Visual Basic Script (VBScript) arrives in an encrypted form. When a user loads infected HTML files, it hooks the OnLoad event and runs the KJ_start() function.

Upon execution, it decrypts its code. It then checks the source of its host, whether it is HTML or VBS, in order to initialize its variables.

It also checks if a file named WSCRIPT.EXE is found in the Windows folder. If it finds the said file, it creates a copy of itself in the default Windows system folder as KERNEL.DLL.

If the file WSCRIPT.EXE is not found in the Windows folder, it then drops a copy of itself as KERNEL32.DLL in the folder %Windows%\System, which is hardcoded in its code. The said routine results in the overwriting of the legitimate file KERNEL32.DLL on Windows 98 and ME, provided that the said file is not running when this VBScript executes.

This VBScript creates the following registry entries to allow its codes to execute when a user opens a .DLL file:

HKEY_CLASSES_ROOT\dllfile\shell\open\command Default = "%System%\WScript.exe "%1" %*" (Note: If dropped copy is "%Windows%\System\Kernel32.dll")

HKEY_CLASSES_ROOT\dllfile\shell\open\command Default = "%Windows%\WScript.exe "%1" %*" (Note: If dropped copy is "%Windows%\System\Kernel.dll")

HKEY_CLASSES_ROOT\dllfile\ScriptEngine Default = "VBScript"

HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHandlers\WSHProps Default = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"

HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode Default = "{85131631-480C-11D2-B1F9-00C04F86C324}"

In its file infection routine, it appends an encrypted copy of itself to the host file, together with an additional function named KJ_start(), which is visible when the infected file is opened in an editor program. This VBScript specifically infects the file FOLDER.HTT, which is located in the %Windows%\Web folder. It saves the original content of the said file as KJWALL.GIF in the same folder.

This VBScript attempts to spread through email messages by infecting the stationery file BLANK.HTM located in the %Program Files%\Common Files\Microsoft Shared\Stationery folder.

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

It also enables an option in Microsoft Outlook Express, which allows the infected file BLANK.HTM to be used. Thus, this VBScript may spread through outgoing email messages, which may become infected.
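The following read-only audit script is an added example and not part of this Trend Micro entry. It checks a host for the artifacts described above (the Run value, the dllfile association hijack, the dropped KERNEL.DLL/KERNEL32.DLL copies, and the KJ_start() hook in FOLDER.HTT and BLANK.HTM); the paths and values are those listed in this description, while the function name Test-RedlofArtifacts and the report format are this example's own.

```powershell
# Added audit script (not from the Trend Micro entry): read-only check for the
# VBS_REDLOF.A-11 artifacts described above. It reports findings and changes nothing.
function Test-RedlofArtifacts {
    $hits = @()
    $win  = $env:SystemRoot

    # 1. Autostart: HKLM\...\Run\Kernel32 pointing at the dropped Kernel.dll / Kernel32.dll
    $run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' `
                            -Name 'Kernel32' -ErrorAction SilentlyContinue
    if ($run -and $run.Kernel32 -match '\\System\\Kernel(32)?\.dll') {
        $hits += "Run value Kernel32 = $($run.Kernel32)"
    }

    # 2. Association hijack: opening a .DLL hands it to WScript.exe as VBScript
    $cmd = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\dllfile\shell\open\command' `
                            -ErrorAction SilentlyContinue
    if ($cmd -and $cmd.'(default)' -match 'WScript\.exe') {
        $hits += "dllfile open command = $($cmd.'(default)')"
    }
    $engine = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\dllfile\ScriptEngine' `
                               -ErrorAction SilentlyContinue
    if ($engine -and $engine.'(default)' -eq 'VBScript') {
        $hits += 'dllfile\ScriptEngine = VBScript'
    }

    # 3. Dropped script copies (a legitimate kernel32.dll lives in System32, not System)
    foreach ($f in "$win\System\Kernel.dll", "$win\System\Kernel32.dll") {
        if (Test-Path $f) { $hits += "dropped file present: $f" }
    }

    # 4. Infected templates: the appended KJ_start() hook, plus the saved original FOLDER.HTT
    $templates = "$win\Web\FOLDER.HTT",
                 "${env:ProgramFiles}\Common Files\Microsoft Shared\Stationery\BLANK.HTM"
    foreach ($t in $templates) {
        if ((Test-Path $t) -and (Select-String -Path $t -Pattern 'KJ_start' -Quiet)) {
            $hits += "KJ_start hook found in $t"
        }
    }
    if (Test-Path "$win\Web\KJWALL.GIF") {
        $hits += "saved original FOLDER.HTT present: $win\Web\KJWALL.GIF"
    }
    return $hits
}

$findings = Test-RedlofArtifacts
if ($findings.Count -eq 0) { 'No VBS_REDLOF.A-11 artifacts found.' } else { $findings }
```

Run it from an elevated PowerShell prompt; a non-empty report means the remediation steps in the SOLUTION section below apply.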

  SOLUTION

Minimum Scan Engine:

9.850

FIRST VSAPI PATTERN FILE:

12.158.06

FIRST VSAPI PATTERN DATE:

18 Nov 2015

VSAPI OPR PATTERN File:

12.159.00

VSAPI OPR PATTERN Date:

19 Nov 2015

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Restart in Safe Mode

Step 4

Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • Kernel32 = "%Windows%\System\Kernel.dll"
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • Kernel32 = "%Windows%\System\Kernel32.dll"
  • In HKEY_CLASSES_ROOT\dllfile\shell\open\command
    • Default = "%System%\WScript.exe "%1" %*"
  • In HKEY_CLASSES_ROOT\dllfile\shell\open\command
    • Default = "%Windows%\WScript.exe "%1" %*"
  • In HKEY_CLASSES_ROOT\dllfile\ScriptEngine
    • Default = "VBScript"
  • In HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHandlers\WSHProps
    • Default = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"
  • In HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode
    • Default = "{85131631-480C-11D2-B1F9-00C04F86C324}"

Step 5

Restart in normal mode and scan your computer with your Trend Micro product for files detected as VBS_REDLOF.A-11. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 6

Restore this file from backup. Only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on your computer.

  • %System%\Kernel32.dll

Step 7

Download and apply this security patch. Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.

Step 8

Scan your computer with your Trend Micro product to delete files detected as VBS_REDLOF.A-11. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
