DESCRIPTION:
REDLOF infects VBS, HTM, HTML, ASP, PHP, JSP, and HTT files. It spreads via email and is activated when the email is read.
REMOVAL INSTRUCTIONS:
- 1. Run Vbuster.Exe and delete all infected files.
- 2. Delete all temporary Internet files (Tools/Internet Options for IE5)
- 3. Run REGEDIT and delete the following lines in the Registry:
- HKEY_CURRENT_USER\Identities\(default user ID)\Software\Microsoft\Outlook Express\5.0\Mail\Compose Use Stationery=??
- HKEY_CURRENT_USER\Identities\(default user ID)\Software\Microsoft\Outlook Express\5.0\Mail\Stationery Name=??
- HKEY_CURRENT_USER\Identities\(default user ID)\Software\Microsoft\Outlook Express\5.0\Mail\Wide Stationery Name=??
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows_Messaging_Subsystem\Profiles\Microsoft_Outlook_Internet_Settings\
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows_NT\CurrentVersion\Windows_Messaging_Subsystem\Profiles\Microsoft_Outlook_Internet_Settings\
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Common\MailSettings\NewStationery\
- 4. Delete the user code for each user:
HKEY_USERS\(user code)\Software\Microsoft\Windows\
- 5. Delete the following:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32=??
- 6. Run Vbuster.Exe, press "F1" and then "S" to search for files with HTT extensions. Delete all files with HTT extensions. Search for KJWALL.GIF and delete it.
- 7. Click on "Tools/Option", "Compose" to reset Outlook
- 8. Install the patch from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms00-075.asp
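
The checks behind steps 3, 5 and 6 as a read-only PowerShell audit, useful for recording what is present before anything is deleted. This is an added example, not part of the original advisory or of Vbuster; the function name, the $SearchRoot parameter and the choice to check every identity under HKCU (rather than only the default user ID) are assumptions.

```powershell
# Added example: read-only audit of the indicators in steps 3, 5 and 6. Deletes nothing.
param([string]$SearchRoot = "$env:SystemDrive\")  # assumption: scan the system drive

# Hypothetical helper: emits one record if the named value exists under the key.
function Get-RegValueIfPresent {
    param([string]$KeyPath, [string]$ValueName)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties.Name -contains $ValueName) {
        [pscustomobject]@{ Kind = 'Registry'; Location = $KeyPath
                           Name = $ValueName; Data = $props.$ValueName }
    }
}

$oeValues = 'Compose Use Stationery', 'Stationery Name', 'Wide Stationery Name'

$findings = @(
    # Step 3: Outlook Express stationery values, for each identity under HKCU.
    # The advisory gives the data only as "??", so it is printed for manual review.
    Get-ChildItem -LiteralPath 'HKCU:\Identities' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $mailKey = "$($_.PSPath)\Software\Microsoft\Outlook Express\5.0\Mail"
            foreach ($name in $oeValues) { Get-RegValueIfPresent $mailKey $name }
        }

    # Step 5: the Kernel32 value under the machine-wide Run key.
    Get-RegValueIfPresent 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' 'Kernel32'

    # Step 6: files with an HTT extension and KJWALL.GIF (comparison is case-insensitive).
    Get-ChildItem -LiteralPath $SearchRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.htt' -or $_.Name -eq 'KJWALL.GIF' } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'File'; Location = $_.DirectoryName
                               Name = $_.Name; Data = $_.LastWriteTime }
        }
)

if ($findings.Count -eq 0) {
    'No listed indicators found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```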