Wind and snow 3.1 edition. Domestic product long-distance control procedure, this moderator if increased the termination to grasp the screen the function, simultaneously revised grasped when the screen has served the end to be able dissipation system resources BUG.
Be careful: it has the HTML.Redlof.A virus. Read more about it below:
CODE
HTML.Redlof.A is a polymorphic, encrypted, Visual Basic script virus. It infects .html, .htm, .asp, .php, .jsp, and .vbs files on all drives present in the system.
The virus also copies itself as either Kernel.dll or Kernel32.dll to the Windows\System directory, depending on the location of the default Windows System folder. Moreover, it changes the default association for .dll files inside the Windows Registry.
Technical Details
On execution, the virus decrypts its viral body and executes it. Depending on the location of the Windows System folder, the virus copies itself as one of the following:
%windir%\System\Kernel.dll
%windir%\System\Kernel32.dll
NOTE: This worm copies itself to the Windows installation folder (by default this is C:\Windows in Windows 95/98 or C:\Winnt in Windows NT). This Windows installation folder is denoted by the variable %windir%.
The worm also adds certain entries in the Windows Registry to enable execution of dynamic link library (.dll) files as script files.
In the registry key HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command the virus changes the (Default) value to "%windir%\WScript.exe ""%1"" %*" or "%windir%\System32\WScript.exe ""%1"" %*"
In the registry key HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps the virus changes the (Default) value to {60254CA5-953B-11CF-8C96-00AA00B8708C}
The virus searches for files that have the file extensions .html, .htm, .asp, .php, .jsp, and .vbs in all folders and on all drives, and infects those files.
HTML.Redlof.A spreads by adding itself as the default stationery that is used to create email messages.
It either copies itself to C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm or if that file already exists, it appends itself to the file.
It then sets Outlook Express to use stationery by default. To do this, it sets the value to 1 in the following registry key:
HKEY_CURRENT_USER\Identities\[Default Use ID]\Software\Microsoft\Outlook Express\[Outlook Version].0\Mail\Compose Use Stationery
If the following values do not exist in the Windows Registry, they are created with the following values:
The virus changes the value of HKEY_CURRENT_USER\Identities\[Default Use ID]\Software\Microsoft\Outlook Express\[Outlook Version].0\Mail from Stationery Name to C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
Also, the virus changes the value of HKEY_CURRENT_USER\Identities\[Default Use ID]\Software\Microsoft\Outlook Express\[Outlook Version].0\Mail from Wide Stationery Name to C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
Removal / Protection
We have provided the solution for this virus in the latest release of Vx2000 Plus.
To remove this virus from the system, follow the procedure given below:
1. Update Vx2000 Plus to the latest version.
2. Restart the system in safe mode.
3. Scan the system using Vx2000 Plus scanner.
4. Delete all the files reported as infected. While scanning, a file Kernel.dll will be detected in C:\Windows. You may delete this file as it is only a virus file though it sounds like a system file (in Windows NT / 2000 / XP, the Kernel.dll is detected as Kernel32.dll in WINNT/System directory).
5. Open the Windows Registry Editor.
6. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\Dllfile. Delete all subdirectories (ScriptEngine, ScriptingHostEncode, Shell, ShellEx) other than Defaulticon under Dllfile.
7. Now go to HKEY_LOCAL_MACHINE\Software\Microsoft\Out Express. On the right hand side, delete the entry "Degree" under the Default column, if found.
8. Now go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right hand side, delete the entry "Kernel32" under the Default column, if found.
9. Close the Windows Registry Editor.
10. Click on Start and select Find, Files / Folders. Search all local drives on your hard drive for Folder.htt and Desktop.ini. Delete all the files found.
11. Empty the Recycle Bin.
12. Restart the system.
Vx2000 Plus Updates
Click here to download the latest VX2000 EXE Update. If you are currently using Vx2000 Rel 5.6.0 load Vx2000 and click on the live update icon to update your system. If you are using any version prior to it then Click here to download the new Live update program and run it. This will update the Vx2000 to the latest version.
Enjoy!
Wkd..
.../
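Added example, not part of the original post or the vendor's write-up: a read-only PowerShell check for the registry and file indicators listed under Technical Details above. The helper names Add-Finding and Get-DefaultValue are hypothetical, "Stationery Name" and "Wide Stationery Name" are read as value names under the Mail key, and flagging Blank.htm only when it contains a script block is an assumption of this example.

```powershell
# Added example: read-only check for the HTML.Redlof.A indicators named in the post.
# Add-Finding and Get-DefaultValue are hypothetical helper names; nothing is modified.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}
function Get-DefaultValue([string]$Key) {
    # The registry provider exposes a key's unnamed value as '(default)'.
    $item = Get-ItemProperty -LiteralPath "Registry::$Key" -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' }
}

# 1. .dll association redirected to the script host
$openKey = 'HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command'
$open = Get-DefaultValue $openKey
if ($open -match 'WScript\.exe') { Add-Finding 'dllFile open command' "$openKey = $open" }

# 2. Script-host property sheet handler registered for .dll files
$wshKey = 'HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps'
if ((Get-DefaultValue $wshKey) -eq '{60254CA5-953B-11CF-8C96-00AA00B8708C}') {
    Add-Finding 'dllFile WSHProps handler' $wshKey
}

# 3. Dropped copies in %windir%\System (on NT-based Windows the genuine
#    kernel32.dll is in System32, not System)
foreach ($name in 'Kernel.dll', 'Kernel32.dll') {
    $path = Join-Path $env:windir "System\$name"
    if (Test-Path -LiteralPath $path) { Add-Finding 'Dropped file' $path }
}

# 4. Default stationery: the file may exist legitimately, so flag it only when it
#    carries a script block (heuristic assumed by this example)
$blank = 'C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm'
if ((Test-Path -LiteralPath $blank) -and (Select-String -LiteralPath $blank -Pattern '<script' -Quiet)) {
    Add-Finding 'Stationery contains script' $blank
}

# 5. Outlook Express identities whose stationery values point at blank.htm
$mail = Get-ItemProperty -Path 'HKCU:\Identities\*\Software\Microsoft\Outlook Express\*\Mail' -ErrorAction SilentlyContinue
foreach ($m in $mail) {
    foreach ($v in 'Stationery Name', 'Wide Stationery Name') {
        if ($m.$v -like '*\Stationery\blank.htm') { Add-Finding "Outlook Express $v" "$($m.PSPath): $($m.$v)" }
    }
}

if ($findings.Count) { $findings | Format-List } else { 'No HTML.Redlof.A indicators from the post were found.' }
```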