VScan for HTML.Redlof.A
VScan is an antivirus tool to remove the infamous HTML.Redlof.A script virus.
HTML.Redlof.A is a polymorphic, encrypted Visual Basic Script virus that infects .htt, .html, .htm, .asp, .php, .jsp, and .vbs files on all drives. Because the virus infects each folder's Windows web-view template file (folder.htt), which runs every time you open a folder, it spreads fast and is hard to remove.
Depending on the location of the Windows System folder, the virus copies itself to either %windir%\System\Kernel.dll or %windir%\System\Kernel32.dll. It also changes the default association for .dll files, so that the script placed inside Kernel.dll or Kernel32.dll runs at Windows startup, completely unnoticed.
The virus infects the mail templates of Microsoft Outlook and Outlook Express in order to spread by e-mail. It then modifies the Windows registry so that these e-mail programs are forced to use the infected stationery for all new mail.
Also known as
HTML.Redlof.A [Symantec], VBS/Redlof@M [McAfee], VBS.Redlof [AVP], VBS_REDLOF.A [Trend], VBS/Redlof-A [Sophos]
Systems affected
Windows 95 (with Internet Explorer 4.0 or above), Windows 98, Windows Me, Windows NT (with Internet Explorer 4.0 or above), Windows 2000 and Windows XP.
Am I infected?
If you are infected with this virus, you will find two files, folder.htt and desktop.ini, in every folder that you have opened. The files have the hidden attribute by default, so they can be seen only if the 'view all files' option is set in the folder options dialog box (Start > Settings > Folder options).
Also, each time you open a folder, there is a delay of 2 to 3 seconds while the virus script executes.
To confirm whether you have the virus, open the folder.htt file from the Web directory of your Windows installation directory (possibly C:\Windows\Web\folder.htt or C:\WinNT\Web\folder.htt) in Notepad and search for KJ_Start(). If that string is present, you are infected!
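The manual check above can be run across a whole drive or a mounted disk image. The following is an added example, not part of VScan. It assumes that the KJ_Start() string may appear in any case, in ASCII or UTF-16LE files, and that it is worth searching for in every file type listed above, not only folder.htt.

```python
import os
import sys
import tempfile

MARKER = "KJ_Start()"  # string the page says to search for in folder.htt
# File types the page lists as infection targets.
TARGET_EXTS = {".htt", ".html", ".htm", ".asp", ".php", ".jsp", ".vbs"}
# Assumption: match case-insensitively, in ASCII or UTF-16LE encoded files.
PATTERNS = [MARKER.lower().encode("ascii"), MARKER.lower().encode("utf-16-le")]

def has_marker(path, chunk=1 << 20):
    """True if the file contains the marker; chunked read with overlap."""
    overlap = max(len(p) for p in PATTERNS) - 1
    tail = b""
    try:
        with open(path, "rb") as fh:
            while block := fh.read(chunk):
                data = tail + block.lower()
                if any(p in data for p in PATTERNS):
                    return True
                tail = data[-overlap:]  # keep bytes that may start a match
    except OSError:
        pass  # unreadable file: reported as no match
    return False

def scan(root):
    """Return (files containing the marker, folders holding both
    folder.htt and desktop.ini) under root, each sorted."""
    hits, pair_dirs = [], []
    for dirpath, _dirs, files in os.walk(root):
        if {"folder.htt", "desktop.ini"} <= {f.lower() for f in files}:
            pair_dirs.append(dirpath)
        for name in files:
            if os.path.splitext(name)[1].lower() in TARGET_EXTS:
                full = os.path.join(dirpath, name)
                if has_marker(full):
                    hits.append(full)
    return sorted(hits), sorted(pair_dirs)

if __name__ == "__main__":
    tmp = tempfile.TemporaryDirectory()  # constructed sample, used if no path given
    root = sys.argv[1] if len(sys.argv) > 1 else tmp.name
    with open(os.path.join(tmp.name, "folder.htt"), "w") as fh:
        fh.write("<html><script>KJ_Start()</script></html>")  # placeholder content
    open(os.path.join(tmp.name, "desktop.ini"), "w").close()
    hits, pair_dirs = scan(root)
    print("marker found in:", hits)
    print("folder.htt + desktop.ini in:", pair_dirs)
```

A folder.htt and desktop.ini pair without the marker is only a hint; the confirming test given above is the KJ_Start() string itself.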
Vulnerability
The virus runs on infected systems with an unpatched VM ActiveX component vulnerability. Installing the patches or the latest version of Microsoft Internet Explorer makes this virus unable to execute or propagate.
Visit the Microsoft Security Bulletin (MS00-075) for patch links and more information on this vulnerability.
More information