
W32.Redlofs

What is W32.Redlofs?

How does it affect your PC?

How to remove W32.Redlofs?


What is W32.Redlofs?

Discovered on 18 November 2008, W32.Redlofs is a worm that spreads to fixed, network and removable drives by copying itself to each drive and dropping an autorun.inf file that launches the copy. It also changes a number of registry settings (listed below) that hinder clean-up, such as disabling Task Manager, the registry editor and Explorer's Folder Options.

It uses the standard Windows folder icon as its own icon so that the copy is mistaken for a folder.

The worm also searches for folders and sets the hidden attribute on them. Because Windows hides hidden files and known file extensions by default (and the NoFolderOptions policy set below stops the user changing that), the copy it then drops alongside each folder as [FOLDER NAME].exe, carrying a folder icon, appears in the folder's place and is run when the user "opens" it.

The threat adds the following item to the right-click menu: Scan for viruses by Bkav2006.

The threat may log the current (administrator) account off if the registry editor is opened.

It also adds a flashing pixel that rotates around the mouse pointer whenever the computer is restarted.
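As an added example (not code from the original page), the PowerShell script below hunts for the two on-disk traces described above: an autorun.inf in the root of each drive, and a hidden folder with a sibling executable named after it. It assumes an elevated PowerShell 3.0 or later prompt on the suspect machine and only reports what it finds; nothing is deleted.

```powershell
# Added example: look for W32.Redlofs-style folder lures and autorun.inf
# droppers on every fixed, network and removable drive.
# Assumptions: elevated PowerShell 3.0+ (for -Directory); report only.

function Find-FolderLures {
    param(
        # Default: the root of every file-system drive visible to this session
        [string[]]$Roots = (Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
    )

    $findings = foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # 1. autorun.inf in the drive root (launches the worm when the drive is opened
        #    on systems where AutoRun is still enabled)
        $autorun = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $autorun) {
            [pscustomobject]@{ Type = 'autorun.inf'; Path = $autorun }
        }

        # 2. Hidden folders that have a sibling "<folder name>.exe": the worm hides
        #    the real folder and drops a folder-icon executable beside it
        Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
            ForEach-Object {
                $lure = Join-Path $_.Parent.FullName ($_.Name + '.exe')
                if (Test-Path -LiteralPath $lure) {
                    [pscustomobject]@{ Type = 'folder lure'; Path = $lure }
                }
            }
    }
    return $findings
}

# Usage: list everything found, one row per artefact
Find-FolderLures | Format-Table -AutoSize
```

Do not double-click anything the script lists; open an autorun.inf with a text editor (or `Get-Content`) to see which file it points at, and treat every reported .exe as a sample to submit to your scanner rather than a folder.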


How does it affect your PC?

Once executed, the worm copies itself as the following files:

  • %Windir%\10.1.08.exe
  • %SystemDrive%\10.1.08.exe

The worm also creates the following file in the root of all fixed, mapped and removable drives so that it is launched whenever the drive is opened through AutoRun (the path shown is for the system drive): %SystemDrive%\autorun.inf. This only works where AutoRun is enabled for that drive type; setting the policy value NoDriveTypeAutoRun to 0xFF under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer disables AutoRun for all drive types, and later Windows updates disable it for non-optical removable media by default.

The worm creates the following registry entry, so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"10.1.08" = "C:\WINDOWS\10.1.08.exe hlmrun"

It modifies the following registry entries, so that it runs every time Windows starts:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe C:\WINDOWS\10.1.08.exe shell"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "C:\WINDOWS\10.1.08.exe init"

The worm creates the following registry subkey and sets its default value to "exefile", so that a file with a .key extension is launched as an executable:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".key" = "exefile"

It modifies the following registry entries. The HKEY_USERS SID shown (ending in -500, the built-in Administrator account) is that of the machine on which the sample was analysed and will differ on an infected system; look under HKEY_CURRENT_USER for the account that ran the worm. Pointing the Classes entries at "exefile" makes Windows treat batch, script, installer, registry, shortcut and screen-saver files as plain executables instead of using their normal handlers (batfile, regfile, and so on):

  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Run\"10.1.08" = "C:\WINDOWS\10.1.08.exe hcurun"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".bat" = "exefile"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".cmd" = "exefile"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".com" = "exefile"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".hta" = "exefile"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".js" = "exefile"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".JSE" = "exefile"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".msi" = "exefile"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".pif" = "exefile"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".reg" = "exefile"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".scr" = "exefile"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".VBE" = "exefile"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".vbs" = "exefile"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".WSF" = "exefile"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".WSH" = "exefile"

The worm spreads by copying itself to all fixed, mapped and removable drives on the compromised computer.


How to remove W32.Redlofs?

1. Temporarily disable System Restore (Windows Me/XP) so that infected restore points are not preserved.
2. Update the virus definitions.
3. Restart the computer in Safe Mode.
4. Run a full system scan and clean or delete all infected files.
5. Delete or restore the registry values the worm added or changed.

Navigate to and delete the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"10.1.08" = "C:\WINDOWS\10.1.08.exe hlmrun"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".key" = "exefile"

Navigate to and delete the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key

Restore the following registry entries to their previous values, if required. The values the worm sets are shown; where the previous value is the Windows XP default it is given in parentheses. The Policies values and the HKEY_USERS Run value do not exist on a clean install and can simply be deleted. The SID shown is the Administrator account of the machine analysed and will differ on yours; use HKEY_CURRENT_USER for the infected account.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe C:\WINDOWS\10.1.08.exe shell" (default: "Explorer.exe")
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "C:\WINDOWS\10.1.08.exe init" (default: "C:\WINDOWS\system32\userinit.exe,")
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1" (delete)
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1" (delete)
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1" (delete)
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Run\"10.1.08" = "C:\WINDOWS\10.1.08.exe hcurun" (delete)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".bat" = "exefile" (default: "batfile")
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".cmd" = "exefile" (default: "cmdfile")
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".com" = "exefile" (default: "comfile")
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".hta" = "exefile" (default: "htafile")
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".js" = "exefile" (default: "JSFile")
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".JSE" = "exefile" (default: "JSEFile")
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".msi" = "exefile" (default: "Msi.Package")
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".pif" = "exefile" (default: "piffile")
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".reg" = "exefile" (default: "regfile")
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".scr" = "exefile" (default: "scrfile")
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".VBE" = "exefile" (default: "VBEFile")
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".vbs" = "exefile" (default: "VBSFile")
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".WSF" = "exefile" (default: "WSFFile")
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\".WSH" = "exefile" (default: "WSHFile")

Note that the Winlogon Shell and Userinit values must be corrected before the next normal boot: with Userinit pointing at a file the scanner has deleted, the system will log every user straight back out.

6. Exit the registry editor and restart the computer.
7. To confirm the threat has been completely removed, run another full scan with up-to-date antivirus and antispyware software. An online virus scanner can perform this check without installing a product.
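As an added example (not code from the original page or any vendor tool), the PowerShell script below audits every registry change listed in this write-up and, when run with -Remediate, deletes the added values and restores the changed ones. It assumes an elevated prompt in the account that ran the worm (HKCU stands in for the HKEY_USERS SID in the write-up) and that the "previous values" are the Windows XP defaults; both are assumptions to check against your own system. Run the antivirus scan first: restoring the Winlogon values removes persistence, not the worm.

```powershell
# Added example: audit and optionally undo the W32.Redlofs registry changes.
# Assumptions: elevated PowerShell; HKCU is the infected account; restored
# values are XP defaults. Without -Remediate nothing is changed.
param([switch]$Remediate)

$hklmRun  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$hkcuRun  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$polExp   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$polSys   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Values the worm rewrites, and the XP defaults they are restored to (assumed)
$restore = @(
    @{ Key = $winlogon; Name = 'Shell';    Default = 'Explorer.exe' }
    @{ Key = $winlogon; Name = 'Userinit'; Default = 'C:\WINDOWS\system32\userinit.exe,' }
)
# Values the worm adds; absent on a clean default install, so they are deleted
$remove = @(
    @{ Key = $hklmRun; Name = '10.1.08' }
    @{ Key = $hkcuRun; Name = '10.1.08' }
    @{ Key = $polExp;  Name = 'NoFolderOptions' }
    @{ Key = $polSys;  Name = 'DisableTaskMgr' }
    @{ Key = $polSys;  Name = 'DisableRegistryTools' }
)
# Extension keys whose default value the worm points at "exefile";
# the ProgIDs on the right are the XP defaults (assumed)
$classDefaults = @{
    '.bat' = 'batfile'; '.cmd' = 'cmdfile'; '.com' = 'comfile';     '.hta' = 'htafile'
    '.js'  = 'JSFile';  '.jse' = 'JSEFile'; '.msi' = 'Msi.Package'; '.pif' = 'piffile'
    '.reg' = 'regfile'; '.scr' = 'scrfile'; '.vbe' = 'VBEFile';     '.vbs' = 'VBSFile'
    '.wsf' = 'WSFFile'; '.wsh' = 'WSHFile'
}

function Get-RegValue($Key, $Name) {
    # Returns $null when the key or value does not exist
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

foreach ($r in $remove) {
    $v = Get-RegValue $r.Key $r.Name
    if ($null -ne $v) {
        Write-Host "FOUND    $($r.Key)\$($r.Name) = $v"
        if ($Remediate) { Remove-ItemProperty -Path $r.Key -Name $r.Name }
    }
}

foreach ($r in $restore) {
    $v = Get-RegValue $r.Key $r.Name
    if ($v -ne $r.Default) {
        Write-Host "MODIFIED $($r.Key)\$($r.Name) = $v"
        if ($Remediate) { Set-ItemProperty -Path $r.Key -Name $r.Name -Value $r.Default }
    }
}

foreach ($ext in $classDefaults.Keys) {
    $key = "HKLM:\SOFTWARE\Classes\$ext"
    $v = Get-RegValue $key '(default)'
    if ($v -eq 'exefile') {
        Write-Host "HIJACKED $key = exefile (default: $($classDefaults[$ext]))"
        if ($Remediate) { Set-ItemProperty -Path $key -Name '(default)' -Value $classDefaults[$ext] }
    }
}

# The bogus .key extension has no legitimate default; the whole subkey goes
$keyExt = 'HKLM:\SOFTWARE\Classes\.key'
if (Test-Path -Path $keyExt) {
    Write-Host "FOUND    $keyExt"
    if ($Remediate) { Remove-Item -Path $keyExt -Recurse }
}
```

Run it once without -Remediate from Safe Mode and compare the MODIFIED lines against the values in the list above; if your system had a non-default Shell or Userinit before infection (some vendor builds do), edit the $restore table before applying.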