Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 18 Nov 2008
Damage: Low

Characteristics: W32.Redlofs is a low risk worm. It infects Windows systems. It spreads by copying itself to hard drives and removable drives. When these drives are connected to another computer, the worm copies itself to those drives to propagate itself.

More details about W32.Redlofs

The worm W32.Redlofs propagates on fixed, network and removable drives by creating a copy of itself using the autorun.inf file. It also modifies various system files to prevent users from cleaning the infection. It uses the standard windows folder icon as its own icon in an attempt to confuse users. It searches for folders and sets them to hidden. It hides files and file extensions by setting the attributes to hidden by default. Afterwards, it copies itself to that location as the following file: [FOLDER NAME].exe. The threat adds the item “Scan for viruses by Bkav2006” to the right-click menu. If the registry editor is opened, the worm may log out of the administrator account. It also adds a flashing pixel rotating around the mouse pointer when the computer is restarted.

The W32.Redlofs application makes some changes on the user’s web browser. This includes changes on the error page, home page and search page. Users may also be redirected to unsolicited websites when a URL (Uniform Resource Locator) is mistyped. The W32.Redlofs software also executes a proxy server on a TCP (Transfer Control Protocol) port. The Trojan program may be controlled by a remote intruder through the open port. Some commands that may be carried out on the affected computer are starting DoS (Denial of Service) attacks, uploading and downloading of unwanted content and removing important files from the user’s computer.