Additional Details
Of course, the virus cannot run itself automatically from an infected
message, and it cannot infect the system when an infected message is
merely opened and read. To spread, the infected EXE attachment has to
be extracted and executed, and the text of the message is written to
convince the user to do exactly that.
The virus has not been found in the wild, but if released it could
become a real danger to the global computer network, because to spread
itself it uses the most popular OS (Windows) and one of the most
popular e-mail systems (Eudora).
The virus code and data are 4766 bytes long. The virus was named after
the text strings present in its body (they are encrypted in infected
files):
<<-RED TEAM->> (C) The Soul Manager.
Made in Australia - 06.97.
So, so, Herr Kurtzhals - Is F/Win able to follow The Red Team?
Infecting EXE
While infecting NewEXE files the virus does not create a new segment;
it calculates the address of the code segment, moves the rest of the
file down and writes itself into the resulting cave. The virus
increases the size of the code segment and as a result stays a part of
the legitimate program's code. It also fixes the necessary fields in
the NE header and relocation tables. It then modifies the initial entry
point address, or, in the case of KRNL286/386.EXE, patches the
addresses of system routines.
When an infected file is executed in an environment that is not yet
infected, the virus takes control and looks for the Win16 Kernel module
(KRNL286.EXE or KRNL386.EXE). When this file is located, the virus
opens and infects it. It does not alter the entry point address; it
changes the address of the WINEXEC or INITTASK routine instead. Under
Windows 3.xx the virus sets a new address for the WINEXEC routine;
under Windows95/NT it does the same with the INITTASK routine (because
Windows95/NT do not call WINEXEC).
To tell the Windows 3.xx and Windows95/NT versions of the KRNL?86.EXE
module apart, the virus checks for the name of the exported
CALLPROC32W function, which is present only in the 32-bit Windows95/NT
kernel.
The virus then returns control to the host program and performs no
other actions. As a result, when executed for the first time the virus
leaves no code in system memory; it only infects the Windows Kernel16
module.
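As an added illustration (not part of the original analysis), the following Python parser locates the NE fields the virus manipulates in a host: the CS:IP entry point, the segment-table entry of the code segment whose length grows by the virus body, and the resident-names table in which only the 32-bit kernel exports CALLPROC32W. The image it parses is constructed here; the struct offsets follow the documented NE header layout, and the CALLPROC32W ordinal value is made up.

```python
import struct

def build_sample_ne(code_len, cs_ip, export_callproc32w):
    """Constructed minimal MZ+NE image (not a real Windows binary) to exercise the parser."""
    mz = bytearray(0x40)
    mz[0:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)                 # e_lfanew -> NE header at 0x40
    ne = bytearray(0x40)
    ne[0:2] = b"NE"
    struct.pack_into("<I", ne, 0x14, cs_ip)                # entry point CS:IP (CS = segment number)
    struct.pack_into("<H", ne, 0x1C, 1)                    # segment count
    struct.pack_into("<H", ne, 0x22, 0x40)                 # segment table offset (from NE header)
    struct.pack_into("<H", ne, 0x26, 0x48)                 # resident-names table offset
    struct.pack_into("<H", ne, 0x32, 4)                    # alignment shift: 16-byte sectors
    segs = struct.pack("<4H", 0x10, code_len, 0x0000, code_len)   # segment 1: code
    names = b"\x06SAMPLE\x00\x00"                          # module name, ordinal 0
    if export_callproc32w:                                 # ordinal value below is constructed
        names += b"\x0bCALLPROC32W" + struct.pack("<H", 0x0205)
    return bytes(mz + ne + segs + names + b"\x00")

def parse_ne(data):
    """Return entry point, segment table and resident export names of an NE executable."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    ne_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[ne_off:ne_off + 2] != b"NE":
        raise ValueError("no NE header")
    cs_ip = struct.unpack_from("<I", data, ne_off + 0x14)[0]
    seg_count, = struct.unpack_from("<H", data, ne_off + 0x1C)
    seg_tab, = struct.unpack_from("<H", data, ne_off + 0x22)
    res_names, = struct.unpack_from("<H", data, ne_off + 0x26)
    shift = struct.unpack_from("<H", data, ne_off + 0x32)[0] or 9    # 0 means 512-byte sectors
    segments = []
    for i in range(seg_count):
        sector, length, flags, _ = struct.unpack_from("<4H", data, ne_off + seg_tab + 8 * i)
        segments.append({"file_offset": sector << shift, "length": length or 0x10000, "flags": flags})
    exports, p = [], ne_off + res_names
    while data[p]:                                         # entries: length byte, name, ordinal word
        exports.append(data[p + 1:p + 1 + data[p]].decode("ascii"))
        p += 1 + data[p] + 2
    return {"cs": cs_ip >> 16, "ip": cs_ip & 0xFFFF, "segments": segments, "exports": exports}

def kernel_flavour(info):
    """The virus's own discriminator: only the 32-bit kernel exports CALLPROC32W."""
    return "Windows95/NT" if "CALLPROC32W" in info["exports"] else "Windows 3.xx"
```

Comparing a baseline copy of a file with a suspect copy through parse_ne() shows exactly the two changes the analysis describes: the code segment length grows and the entry IP moves, while the segment count stays the same.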
Go memory resident
When Windows is loaded with an infected Kernel, the virus stays in
system memory as a part of the Kernel; no special action is needed,
because the virus code is placed in the same code segment as the
original Kernel routines. Nor does the virus need to do anything to
hook system events, because they were already hooked during infection:
the address of WINEXEC or INITTASK already points to the virus handler.
Under Windows 3.xx the virus hooks WINEXEC, so it infects files as they
are executed. It does that in a quite clever way: it immediately passes
control to the original WINEXEC handler and then infects the file in
the background, i.e. there is no delay when applications are executed
in an infected environment. That is quite important for the virus,
because Windows 3.xx is usually installed on old, slow PCs, and delays
on execution could alert the user.
Under Windows95/NT the virus hooks INITTASK, so it intercepts control
when programs register themselves with the system. With the help of
the GetExePtr function, the virus then obtains Module Handles for all
active NE applications and infects them.
Infecting E-mail
While infecting a file, with probability 1/8 (depending on the key
used to encrypt the text strings) the virus modifies its code so that
the newly infected file will activate a routine that drops infected
E-mail messages into the Eudora outbox. When such a file is executed in
the directory where the Eudora databases are located, the virus opens
the Eudora data files NNDBASE.TOC, OUT.TOC and OUT.MBX. The first file
(the "Nick names database") is used by the virus to get the names of
the recipients to whom it will send an infected message. The infected
message is placed in OUT.MBX (the Outbox database) and the necessary
references are placed in the OUT.TOC file.
The message itself has the subject "Red Team" and contains the
following text and an attached EXE file:
----------------------------------------------------------------------
Hiya!
Just thought I'd warn you about a destructive new e-mail virus.
Here is some info:
> The "Red Team" virus is a complex new computer virus that spreads via
> the Microsoft Windows operating system, and Internet E-Mail. Although
> it is not the first virus to spread via E-Mail (that was "Good Times"),
> the Red Team virus is unparalelled in its destructive capabilities.
> Further more, the virus is exceedingly common - it has already been
> reported in much of western Europe, the USA, Russia, Australia, and
> Japan. In short, everywhere.
>
> We at QUEST, have spent several weeks analysing this virus, and are
> proud to anounce that we finally have a cure! The program, named
> "K-RTEAM" (Kill Red Team), can be executed in any Microsoft Windows
> environment, and will reliably detect (and remove if nescessary)
> the Red Team virus from your system buffers.
>
> --
> Julia Blumin
> QUALCOMM Enterprise Software Technologies
> World Wide Web: http://www.qualcomm.com
The reason I thought I should warn you, is that we recently had a
run in with this beast. Luckily we managed to get a copy of the
excellent 'K-RTEAM' programme before the destruction really started.
Just in case you should suffer the same misfortune, I have included
this programme for you too.
Bye!
P.S. Make sure you warn all your friends of this new threat!
----------------------------------------------------------------------
This text is stored compressed in the virus body, so the virus
decompresses it before saving it to the Eudora outbox. The attached EXE
file has an NE header, is named K-RTEAM.EXE ("Kill Red Team") and is
6351 bytes long. It is an infected do-nothing program (the virus
creates it on the C: drive as C:\K-RTEAM.EXE) whose only effect is to
spread the virus on the computer. In the header and at the end of this
file are the text strings:
K-RTEAM - Red Team Anti-Virus
K-RTEAM
Red Team Virus Found!
Remove Virus?
Virus Removed!
Could not Remove Virus!
The virus does not send messages twice from the same infected
computer. To ensure this, it creates the file RTBASE.TOC while sending
the infected messages; on subsequent runs it looks for that file and,
if it is present in the directory, terminates the E-mail infection
routine.
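As an added triage aid (not part of the original analysis), the following Python code applies the indicators above to an outbox: it splits an mbox-style OUT.MBX into messages, flags those carrying the "Red Team" subject together with the K-RTEAM attachment, and checks a directory listing for the RTBASE.TOC marker the virus leaves behind. The mailbox excerpt is constructed; the "From ???@???" separator line and the X-Attachments header are assumptions about Eudora's on-disk format, not details taken from the analysis.

```python
# Constructed OUT.MBX excerpt: one queued "Red Team" message, one harmless message.
SAMPLE_OUT_MBX = """From ???@??? Mon Jun 02 10:15:00 1997
To: alice@example.invalid
From: bob@example.invalid
Subject: Red Team
X-Attachments: C:\\K-RTEAM.EXE;

Hiya!
Just thought I'd warn you about a destructive new e-mail virus.
From ???@??? Mon Jun 02 10:20:00 1997
To: carol@example.invalid
Subject: lunch?

Noon works for me.
"""

def split_mailbox(text):
    """Split an mbox-style mailbox into messages on the 'From ???@???' separator lines (assumed format)."""
    messages, current = [], []
    for line in text.splitlines():
        if line.startswith("From ???@???") and current:
            messages.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        messages.append("\n".join(current))
    return messages

def headers(message):
    """Header name (lower-cased) -> value, read until the first blank line after the separator."""
    out = {}
    for line in message.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out

def is_red_team_message(message):
    """Match on the fixed subject plus the K-RTEAM attachment/body string from the analysis."""
    return headers(message).get("subject", "") == "Red Team" and "K-RTEAM" in message.upper()

def red_team_recipients(mbx_text):
    """Recipients of queued messages matching the Red Team pattern."""
    return [headers(m).get("to", "?") for m in split_mailbox(mbx_text) if is_red_team_message(m)]

def already_sent(dir_listing):
    """RTBASE.TOC in the Eudora directory means the dropper routine has already run once here."""
    return any(name.upper() == "RTBASE.TOC" for name in dir_listing)
```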
In-lab
The virus replicates under Windows 3.xx and showed no side effects
during experiments in the lab: all files were infected correctly, the
programs were not corrupted and Windows did not display any warning or
error messages.
The virus also stored its dropper in the Eudora outbox with no
problems. The infected messages (with a non-viral attachment, of
course) were then sent via the Internet and correctly received.
Under Windows95/NT the virus has a problem: it cannot infect
KRNL386.EXE and as a result cannot install itself memory resident. The
bug is quite stupid: the virus reserves a Word (DW) for the variable
"NE Header Offset", but uses it as a DoubleWord (DD). The second Word
of that DoubleWord is the Windows version flag: 0 for Windows 3.xx,
FFFFh for Windows95/NT. So under Windows95/NT the virus reads a wrong
value from that variable.
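As an added model of this bug (not the virus's own code), the following Python snippet lays out the two adjacent variables exactly as described, a one-word offset followed by the version flag word, and reads the offset back both as the Word it was declared and as the DoubleWord the virus actually uses. The host image and the 0x0400 header offset are constructed values.

```python
import struct

WIN3X_FLAG, WIN95NT_FLAG = 0x0000, 0xFFFF     # second word of the aliased DoubleWord

def build_host(ne_header_offset, total_size):
    """Constructed host image: 'MZ' stub, e_lfanew pointing at an 'NE' signature, padding."""
    img = bytearray(total_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, ne_header_offset)
    img[ne_header_offset:ne_header_offset + 2] = b"NE"
    return bytes(img)

def virus_data_area(ne_header_offset, version_flag):
    """Model of the virus's variables: a one-word offset immediately followed by the flag word."""
    return struct.pack("<HH", ne_header_offset, version_flag)

def locate_ne_header(host, version_flag, as_dword):
    """Store e_lfanew in the Word variable, then read it back correctly (DW) or buggily (DD).

    Returns the offset the virus would use and whether an 'NE' signature is found there
    (False when the DD read points past the end of the file, which aborts the infection)."""
    e_lfanew = struct.unpack_from("<I", host, 0x3C)[0]
    area = virus_data_area(e_lfanew & 0xFFFF, version_flag)   # DW store keeps 16 bits
    offset = struct.unpack_from("<I" if as_dword else "<H", area, 0)[0]
    found = offset + 2 <= len(host) and host[offset:offset + 2] == b"NE"
    return offset, found
```

With the flag word at 0 the DD read happens to return the right offset, which is why the bug went unnoticed under Windows 3.xx; with FFFFh in the flag word the offset becomes FFFF0400h and the signature check fails.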
Despite this, files infected under Windows 3.xx do work under
Windows95/NT without any problem and may infect the Eudora database
there just as under Windows 3.xx. Moreover, that stupid bug could
easily be fixed, and a Windows95-compatible version might be released
by the virus author.
Note: There exists a VCL variant (VCL.716) which is detected as VCL.Redteam
by some scanners. It has nothing to do with this virus.
[Analysis by Eugene Kaspersky, AVP]