Threat Description

Redesi

Details

Aliases:Redesi, I-Worm.Redesi.a, W32/Redesi-A, Win32.Redesi@mm
Category:Malware
Type:Worm
Platform:W32

Summary



Redesi is a mass mailer e-mail worm. It was written in Visual Basic and the body is compressed with UPX packer. It affects Microsoft Outlook users mostly since it uses MAPI to spread.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The worm comes as an e-mail attachment. The e-mails sent by the worm look like this:

The subject lines are randomly chosen from the following list:

'Kev Gives great orgasms to ladeez!! -- Kev'
 'hell is coming for u, u will be sucked into a bottomless pit!!!  -- Gaz'
 'Scientists have found traces of the HIV virus in cow's milk...here is the proof -- Will'
 'Yay. I caught a fish -- Si'
 'I don't want to write anything but Si is bullying me. -- Jim'
 'Michelle still owes me 10 ... shit ! -- Si'
 'Why have I only got cheese and onion crisps? I hate them !! -- Si'
 'A new type of Lager / Weed variant...... sorted !'
 'My dad not caring about my exam results -- by Michelle'

The attached filename can be 'Common.exe', 'rede.exe', 'Si.exe', 'UserConf.exe' or 'disk.exe'.

When the user opens the attachment the worm drops itself to c:\ with the following names: 'Common.exe', 'rede.exe', 'Si.exe', 'UserConf.exe' or 'disk.exe'. The files have hidden atribute so they are not visible in explorer by default.

After this it sends itself to the e-mail addresses it can find in the user's Outlook address book.

Finally it displays a fake error message to disgiuse the malicious activity.


Variant:Redesi.B (I-Worm.Redesi.b)

This variant of the Redesi worm is based on the same code. It differs from the original one in the subject lines and message body it uses. The messages look like they were forwarded messages from Microsoft Tech Support.

Subjects are chosen from this list:

'FW: Microsoft security update.'
 'FW: Security Update by Microsoft.'
 'FW: IT departments on state of HIGH ALERT.'
 'FW: Terrorists release computer virus.'
 'FW: Emergency response from Microsoft Corp.'
 'FW: Terrorist Emergency. Latest virus can wipe disk in minutes.'
 'FW: Microsoft Update. Final Release Candidate.'
 'FW: New computer virus.'

When it sent the messages it displays a fake message:

Payload

Redesi.b has a destructive payload. When it infects the machine it adds a value to the registry called

'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rede'

and sets it to 'c:\rede.exe' so the worm will be started at each reboot.

If the date format is set to either dd/mm/yy or mm/dd/yy on 11th of November in 2001 it adds a some code to c:\autoexec.bat that will print a message:

'Bide ye the Wiccan laws ye must, In perfect love and perfect trust.'

This sentence is quoted from "The Complete Idiots Guide to Witchcraft and Wicca"

After this, the worm formats the hard drive after the next reboot.

Removal instructions

All the worm files from c:\ must be removed (see above) together with the modified registry values:

  • 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rede'
  • 'HKLM\Software\Microsoft\Windows\CurrentVersion\ErrorHandling\Rede'

F-Secure Anti-Virus with the latest updates can detect the worm.





Technical Details: Gergely Erdelyi and Sami Rautiainen; F-Secure Corp.; 19th October, 2001


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More