Threat Encyclopedia

Win32/Redesi.C

Aliases: Win32.HLLM.Redesi.47616, Worm/Redesi.E3, I-Worm.Redesi.c

Win32/Redesi.C is a worm written in Visual Basic. It is compressed: the packed file is 14346 bytes and unpacks to approximately 57344 bytes. The worm runs on the Windows operating system and spreads by email.
The worm arrives as an email attachment. The subject of the message is one of the following:

FW: Windows at Risk.
FW: Buffer overflow could cause IT meltdown.
FW: Insufficient bounds chcecking cause buffer over run.
FW: Executable stack could cost IT sector millions.
FW: Invalid instruction causes AX and BX registers to differ.
FW: Terrorists release computer virus.
FW: Microsoft and C.E.R.T Corobaration
FW: Terrorist Emergency. Latest worm can erase data on first bootable disk
FW: Microsoft Update. Final Release Candidat
FW: Redesi worm. MAPI update..

The message body is formed using the following text:

those passwords you asked for and a fowarded message from microsoft that I thought you might find interesting
-----Original Message-----
From: Microsoft Security List [mailto:security@microsoft.com]
Sent: 19 October 2001 22:14
Subject: Buffer overflow

Dear Subscriber

Due to insufficient bounds checking in the Windows Messaging API
any value stores in the AX and BX registers (and their register halves any XOR (compare) operation against these to registers or the h and l register halfs will always return and value of 1, causing the JNE instruction to execute.
We consider this a HIGH RISK vulnerability, and any computer hacker having any knowledge of the assembly language could write a working egg to exploit this flaw.

It is highly advised that you install the attached MAPI update to stop any subsequent security breach.

Regards
Microsoft Support

The attachment contains the worm file. When it is run, the files Common.exe, disksync.exe, MAPI.exe, Sysupdate.exe and UserConf.exe are created in the root directory of drive C:. The worm also creates the registry value "Rede", set to "C:\rede.exe", under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

This ensures the worm is started again each time the system boots. Under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ErrorHandling it creates the value "Rede", set to "True".
To spread, the worm needs Microsoft Outlook. If this client is present, Win32/Redesi.C sends copies of itself to all addresses found in Outlook's contacts. After finishing, the worm displays the following message:
On November 11th 2001 it creates the file C:\autoexec.bat, which on the next system restart displays the text "Bide ye the Wiccan laws ye must, In perfect love and perfect trust." and then formats drive C:.
If the IRC client mIRC is installed on the infected computer, the worm modifies the file script.ini so that mIRC sends, via /msg, the text:

Dear User. Please apply the following patch that witll protect you from UDP flooding. If you are running a Linux IRC client this update is not needed due to kernel filtering. Regards. Dalnet / Undernet staff.

Afterwards, the worm offers the file C:\mirc\IRCUpdate.exe, a copy of itself, for download via DCC.
</gre_replace_placeholder_never_emitted>
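The persistence, dropped-file, email-subject and mIRC indicators described in this entry, combined into host-triage checks as an added example (not ESET's code). Host state is passed in as plain Python data so the checks run offline; collecting it on a live Windows host with winreg and os.listdir is assumed to happen elsewhere, and any script.ini text used to exercise the mIRC check is constructed.

```python
"""Host-triage checks for the Win32/Redesi.C indicators listed in this entry.
Added example, not ESET's code. Host state is passed in as plain Python data
(a registry snapshot, file names in the root of C:, the text of mIRC's
script.ini) so the checks run offline; collecting it on a live Windows host,
e.g. with winreg and os.listdir, is assumed to happen elsewhere."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
ERR_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ErrorHandling"
DROPPED_FILES = {"common.exe", "disksync.exe", "mapi.exe", "sysupdate.exe", "userconf.exe"}
# Subject lines quoted in the entry, kept verbatim including the worm's misspellings.
SUBJECTS = {s.lower() for s in (
    "FW: Windows at Risk.",
    "FW: Buffer overflow could cause IT meltdown.",
    "FW: Insufficient bounds chcecking cause buffer over run.",
    "FW: Executable stack could cost IT sector millions.",
    "FW: Invalid instruction causes AX and BX registers to differ.",
    "FW: Terrorists release computer virus.",
    "FW: Microsoft and C.E.R.T Corobaration",
    "FW: Terrorist Emergency. Latest worm can erase data on first bootable disk",
    "FW: Microsoft Update. Final Release Candidat",
    "FW: Redesi worm. MAPI update..",
)}
# The lure text the worm pushes through /msg, or the file it offers over DCC.
MIRC_BAIT = re.compile(r"patch that witll protect you from UDP flooding|IRCUpdate\.exe", re.I)

def check_registry(values):
    """values maps (key_path, value_name) -> data. Returns the indicators hit."""
    hits = []
    if str(values.get((RUN_KEY, "Rede"), "")).lower() == r"c:\rede.exe":
        hits.append("run-key persistence")
    if str(values.get((ERR_KEY, "Rede"), "")).lower() == "true":
        hits.append("errorhandling marker")
    return hits

def check_root_files(names):
    """names: file names in the root of C:. Returns the dropped files present."""
    return sorted(n for n in names if n.lower() in DROPPED_FILES)

def check_mirc_script(script_ini):
    """True if script.ini carries the worm's lure text or its DCC offer."""
    return MIRC_BAIT.search(script_ini) is not None

def is_redesi_subject(subject):
    """True if an email subject is one of the worm's fixed subject lines."""
    return subject.strip().lower() in SUBJECTS
```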

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.