Classification

Category: Malware

Type: -

Aliases: Redesi, I-Worm.Redesi.a, W32/Redesi-A, Win32.Redesi@mm

Summary


Redesi is a mass mailer email worm. It was written in Visual Basic and the body is compressed with UPX packer. It affects Microsoft Outlook users mostly since it uses MAPI to spread.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


The worm comes as an email attachment. The emails sent by the worm look like this:

The subject lines are randomly chosen from the following list:

'Kev Gives great orgasms to ladeez!! -- Kev'
'hell is coming for u, u will be sucked into a bottomless pit!!!
-- Gaz'
'Scientists have found traces of the HIV virus in cow's milk...here is the proof -- Will'
'Yay. I caught a fish -- Si'
'I don't want to write anything but Si is bullying me. -- Jim'
'Michelle still owes me 10 ... shit ! -- Si'
'Why have I only got cheese and onion crisps? I hate them !! -- Si'
'A new type of Lager / Weed variant...... sorted !'
'My dad not caring about my exam results -- by Michelle'

The attached filename can be 'Common.exe', 'rede.exe', 'Si.exe', 'UserConf.exe' or 'disk.exe'.

When the user opens the attachment the worm drops itself to c:\ with the following names: 'Common.exe', 'rede.exe', 'Si.exe', 'UserConf.exe' or 'disk.exe'. The files have hidden atribute so they are not visible in explorer by default.

After this it sends itself to the email addresses it can find in the user's Outlook address book.

Finally it displays a fake error message to disgiuse the malicious activity.


Variant:Redesi.B (I-Worm.Redesi.b)

This variant of the Redesi worm is based on the same code. It differs from the original one in the subject lines and message body it uses. The messages look like they were forwarded messages from Microsoft Tech Support.

Subjects are chosen from this list:

'FW: Microsoft security update.'
'FW: Security Update by Microsoft.'
'FW: IT departments on state of HIGH ALERT.'
'FW: Terrorists release computer virus.'
'FW: Emergency response from Microsoft Corp.'
'FW: Terrorist Emergency. Latest virus can wipe disk in minutes.'
'FW: Microsoft Update. Final Release Candidate.'
'FW: New computer virus.'

When it sent the messages it displays a fake message:

Payload

Redesi.b has a destructive payload. When it infects the machine it adds a value to the registry called

'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rede'

and sets it to 'c:\rede.exe' so the worm will be started at each reboot.

If the date format is set to either dd/mm/yy or mm/dd/yy on 11th of November in 2001 it adds a some code to c:\autoexec.bat that will print a message:

'Bide ye the Wiccan laws ye must, In perfect love and perfect trust.'

This sentence is quoted from "The Complete Idiots Guide to Witchcraft and Wicca"

After this, the worm formats the hard drive after the next reboot.

Removal instructions

All the worm files from c:\ must be removed (see above) together with the modified registry values:

  • 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rede'
  • 'HKLM\Software\Microsoft\Windows\CurrentVersion\ErrorHandling\Rede'

F-Secure Anti-Virus with the latest updates can detect the worm.