Redesi is a mass mailer e-mail worm. It was written in Visual Basic and the body is compressed with UPX packer. It affects Microsoft Outlook users mostly since it uses MAPI to spread.
Disinfection & Removal
The worm comes as an e-mail attachment. The e-mails sent by the worm look like this:
The subject lines are randomly chosen from the following list:
'Kev Gives great orgasms to ladeez!! -- Kev' 'hell is coming for u, u will be sucked into a bottomless pit!!! -- Gaz' 'Scientists have found traces of the HIV virus in cow's milk...here is the proof -- Will' 'Yay. I caught a fish -- Si' 'I don't want to write anything but Si is bullying me. -- Jim' 'Michelle still owes me 10 ... shit ! -- Si' 'Why have I only got cheese and onion crisps? I hate them !! -- Si' 'A new type of Lager / Weed variant...... sorted !' 'My dad not caring about my exam results -- by Michelle'
The attached filename can be 'Common.exe', 'rede.exe', 'Si.exe', 'UserConf.exe' or 'disk.exe'.
When the user opens the attachment the worm drops itself to c:\ with the following names: 'Common.exe', 'rede.exe', 'Si.exe', 'UserConf.exe' or 'disk.exe'. The files have hidden atribute so they are not visible in explorer by default.
After this it sends itself to the e-mail addresses it can find in the user's Outlook address book.
Finally it displays a fake error message to disgiuse the malicious activity.
This variant of the Redesi worm is based on the same code. It differs from the original one in the subject lines and message body it uses. The messages look like they were forwarded messages from Microsoft Tech Support.
Subjects are chosen from this list:
'FW: Microsoft security update.' 'FW: Security Update by Microsoft.' 'FW: IT departments on state of HIGH ALERT.' 'FW: Terrorists release computer virus.' 'FW: Emergency response from Microsoft Corp.' 'FW: Terrorist Emergency. Latest virus can wipe disk in minutes.' 'FW: Microsoft Update. Final Release Candidate.' 'FW: New computer virus.'
When it sent the messages it displays a fake message:
Redesi.b has a destructive payload. When it infects the machine it adds a value to the registry called
and sets it to 'c:\rede.exe' so the worm will be started at each reboot.
If the date format is set to either dd/mm/yy or mm/dd/yy on 11th of November in 2001 it adds a some code to c:\autoexec.bat that will print a message:
'Bide ye the Wiccan laws ye must, In perfect love and perfect trust.'
This sentence is quoted from "The Complete Idiots Guide to Witchcraft and Wicca"
After this, the worm formats the hard drive after the next reboot.
All the worm files from c:\ must be removed (see above) together with the modified registry values:
F-Secure Anti-Virus with the latest updates can detect the worm.
Technical Details: Gergely Erdelyi and Sami Rautiainen; F-Secure Corp.; 19th October, 2001