Redesi is a mass mailer e-mail worm. It was written in Visual Basic and the body is compressed with UPX packer. It affects Microsoft Outlook users mostly since it uses MAPI to spread.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
The worm comes as an e-mail attachment. The e-mails sent by the worm look like this:
The subject lines are randomly chosen from the following list:
'Kev Gives great orgasms to ladeez!! -- Kev' 'hell is coming for u, u will be sucked into a bottomless pit!!! -- Gaz' 'Scientists have found traces of the HIV virus in cow's milk...here is the proof -- Will' 'Yay. I caught a fish -- Si' 'I don't want to write anything but Si is bullying me. -- Jim' 'Michelle still owes me 10 ... shit ! -- Si' 'Why have I only got cheese and onion crisps? I hate them !! -- Si' 'A new type of Lager / Weed variant...... sorted !' 'My dad not caring about my exam results -- by Michelle'
The attached filename can be 'Common.exe', 'rede.exe', 'Si.exe', 'UserConf.exe' or 'disk.exe'.
When the user opens the attachment the worm drops itself to c:\ with the following names: 'Common.exe', 'rede.exe', 'Si.exe', 'UserConf.exe' or 'disk.exe'. The files have hidden atribute so they are not visible in explorer by default.
After this it sends itself to the e-mail addresses it can find in the user's Outlook address book.
Finally it displays a fake error message to disgiuse the malicious activity.
This variant of the Redesi worm is based on the same code. It differs from the original one in the subject lines and message body it uses. The messages look like they were forwarded messages from Microsoft Tech Support.
Subjects are chosen from this list:
'FW: Microsoft security update.' 'FW: Security Update by Microsoft.' 'FW: IT departments on state of HIGH ALERT.' 'FW: Terrorists release computer virus.' 'FW: Emergency response from Microsoft Corp.' 'FW: Terrorist Emergency. Latest virus can wipe disk in minutes.' 'FW: Microsoft Update. Final Release Candidate.' 'FW: New computer virus.'
When it sent the messages it displays a fake message:
Redesi.b has a destructive payload. When it infects the machine it adds a value to the registry called
and sets it to 'c:\rede.exe' so the worm will be started at each reboot.
If the date format is set to either dd/mm/yy or mm/dd/yy on 11th of November in 2001 it adds a some code to c:\autoexec.bat that will print a message:
'Bide ye the Wiccan laws ye must, In perfect love and perfect trust.'
This sentence is quoted from "The Complete Idiots Guide to Witchcraft and Wicca"
After this, the worm formats the hard drive after the next reboot.
All the worm files from c:\ must be removed (see above) together with the modified registry values:
F-Secure Anti-Virus with the latest updates can detect the worm.