Beware of the Bogus Patches

17 Oct 2001
Virus News

"Redesi" worm disguises itself as a security patch for Microsoft products

Kaspersky Lab, an international data-security software developer, reports the detection of a dangerous new Internet worm, "Redesi", that spreads via e-mail and disguises its malicious payload as a security patch for Microsoft products.

At this time, Kaspersky Lab has discovered two variants of the worm, which differ only in the subject lines and message bodies of the e-mails they send.

Redesi.a:

Subject is randomly selected from the following list:

FW: Microsoft security update.
FW: Security Update by Microsoft.
FW: IT departments on state of HIGH ALERT.
FW: Important news from Microsoft.
FW: Stop terrorists computer viruses reign.
FW: Terrorists release computer virus.
FW: Emergency response from Microsoft Corp.
FW: Terrorist Emergency. Latest virus can wipe disk in minutes.
FW: Microsoft Update. Final Release Candidate.
FW: New computer virus.

Message body:
Just recieved this in my email
I have contacted Microsoft and they say it's real !

-----Original Message-----
From: Microsoft Support Desk [mailto:Support@microsoft.com]
Sent: 17 October 2001 15:21
Subject: Security Update

Due to the recent spate of email spread computer viruses Microsoft Corp has released a security patch. Please apply the attached file to your Windows computer to stop any futher spread or these malicious programs.
Regards
Microsoft Support

Redesi.b:

Subject is randomly selected from the following list:

Kev Gives great orgasms to ladeez!! - Kev
hell is coming for u, u will be sucked into a bottomless pit!!! - Gaz
Scientists have found traces of the HIV virus in cows milk...here is the proof - Will
Yay. I caught a fish - Six
I don't want to write anything but Si is bullying me. - Jim
I want to live in a wooden house - Arwel
Michelle still owes me £10 ... shit ! - Si
Why have I only got cheese and onion crisps? I hate them !! - Si
A new type of Lager / Weed variant...... sorted !
My dad not caring about my exam results - by Michelle

Message body:
heh. I tell ya this is nuts ! You gotta check it out !

Name of the attached infected file is randomly selected from the following list:

Si.exe
ReDe.exe
Disk.exe
Common.exe
UserConf.exe

When the attached file is executed, the worm runs its infection routine and installs itself on the target computer. It then gains access to Microsoft Outlook and sends copies of itself to every recipient in the Outlook address book.
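The subject lines and attachment names above are the only indicators the advisory gives, so a mail gateway can use them directly. The following Python is an added example, not Kaspersky's code or the worm's: it parses a raw RFC 822 message with the standard library, blocks anything matching a listed Redesi subject or attachment name, and marks any other message carrying an executable attachment as suspicious (that last rule is an assumption of the example, not something the advisory states; the sample messages are constructed, and the currency symbol in one Redesi.b subject is assumed to be a pound sign).

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Subject lines and attachment names taken from the Kaspersky description of
# Redesi.a and Redesi.b. Comparison is case-insensitive on stripped text.
REDESI_SUBJECTS = {s.lower() for s in (
    "FW: Microsoft security update.",
    "FW: Security Update by Microsoft.",
    "FW: IT departments on state of HIGH ALERT.",
    "FW: Important news from Microsoft.",
    "FW: Stop terrorists computer viruses reign.",
    "FW: Terrorists release computer virus.",
    "FW: Emergency response from Microsoft Corp.",
    "FW: Terrorist Emergency. Latest virus can wipe disk in minutes.",
    "FW: Microsoft Update. Final Release Candidate.",
    "FW: New computer virus.",
    "Kev Gives great orgasms to ladeez!! - Kev",
    "hell is coming for u, u will be sucked into a bottomless pit!!! - Gaz",
    "Scientists have found traces of the HIV virus in cows milk...here is the proof - Will",
    "Yay. I caught a fish - Six",
    "I don't want to write anything but Si is bullying me. - Jim",
    "I want to live in a wooden house - Arwel",
    "Michelle still owes me \u00a310 ... shit ! - Si",  # currency symbol assumed (garbled in source)
    "Why have I only got cheese and onion crisps? I hate them !! - Si",
    "A new type of Lager / Weed variant...... sorted !",
    "My dad not caring about my exam results - by Michelle",
)}
REDESI_ATTACHMENTS = {"si.exe", "rede.exe", "disk.exe", "common.exe", "userconf.exe"}
# Assumption of this example: any unsolicited executable attachment is worth a second look.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat")


def scan_message(raw: bytes) -> dict:
    """Classify one raw message as 'block', 'suspicious' or 'pass'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    indicators = []
    if subject.lower() in REDESI_SUBJECTS:
        indicators.append("subject:redesi")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in REDESI_ATTACHMENTS:
            indicators.append(f"attachment:redesi:{name}")
        elif name.endswith(EXECUTABLE_SUFFIXES):
            indicators.append(f"attachment:executable:{name}")
    if any(i.startswith(("subject:redesi", "attachment:redesi")) for i in indicators):
        verdict = "block"
    elif indicators:
        verdict = "suspicious"  # a vendor does not ship patches as mailed executables
    else:
        verdict = "pass"
    return {"subject": subject, "indicators": indicators, "verdict": verdict}


def build_sample(subject: str, attachment_name: Optional[str] = None) -> bytes:
    """Constructed test message, not a real capture; the attachment is inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Just received this in my email. Please apply the attached file.")
    if attachment_name:
        msg.add_attachment(b"placeholder bytes, not an executable",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, name in (("FW: Microsoft security update.", "UserConf.exe"),
                       ("Monthly report", "report.exe"),
                       ("Lunch tomorrow?", None)):
        print(scan_message(build_sample(subj, name)))
```

Exact subject matching is deliberately narrow: it catches the two variants described here, while the executable-attachment rule is what still applies to the next worm that reuses the same "security patch" pretext.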

On November 11, 2001, "Redesi" activates its payload routine and destroys all data on drive C: of the infected computer. To do so, the worm writes a command to the AUTOEXEC.BAT file that launches disk formatting; the command is executed the next time the computer starts. It should be emphasized that the payload routine is triggered only on computers whose short system date format is "dd/mm/yy" or "mm/dd/yy".
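Because the destructive command only runs at the next start-up, an administrator who suspects an infection before November 11 can still inspect AUTOEXEC.BAT and remove the line. The following Python is an added example, not Kaspersky's code: it lists every active (non-comment) line that invokes FORMAT against drive C:, reports whether the configured short date format is one of the two the advisory names, and counts the days until the trigger date. The FORMAT pattern is a general one written for this example, since the advisory does not print the exact line the worm writes, and the sample AUTOEXEC.BAT is constructed.

```python
import re
from datetime import date

# Facts from the advisory; everything else in this block is an assumption.
TRIGGER_DATE = date(2001, 11, 11)
AFFECTED_SHORT_DATE_FORMATS = {"dd/mm/yy", "mm/dd/yy"}

# A batch line that runs FORMAT against drive C:, allowing an optional @, CALL,
# drive letter, directory path, .COM suffix and any trailing switches.
FORMAT_C = re.compile(
    r"^(?:@\s*)?(?:call\s+)?(?:[a-z]:)?(?:[\w.\\]*\\)?format(?:\.com)?\s+c:",
    re.IGNORECASE,
)


def find_format_lines(autoexec_text: str) -> list:
    """Return (line_number, line) for every active line that would format C:."""
    hits = []
    for n, line in enumerate(autoexec_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped:
            continue
        first_word = stripped.split(None, 1)[0].lower()
        if first_word == "rem" or stripped.startswith("::"):
            continue  # batch comment, never executed
        if FORMAT_C.match(stripped):
            hits.append((n, stripped))
    return hits


def short_date_format_affected(short_date: str) -> bool:
    """True if the short date format is one the advisory says the payload can
    trigger on. On Windows the value is stored under
    HKEY_CURRENT_USER\\Control Panel\\International\\sShortDate."""
    return short_date.strip().lower() in AFFECTED_SHORT_DATE_FORMATS


def assess(autoexec_text: str, short_date: str, today: date) -> dict:
    """Combine the two checks into one report for an administrator."""
    hits = find_format_lines(autoexec_text)
    return {
        "format_lines": hits,
        "disk_at_risk_on_reboot": bool(hits),
        "date_format_affected": short_date_format_affected(short_date),
        "days_to_trigger": (TRIGGER_DATE - today).days,
    }


# Constructed sample AUTOEXEC.BAT, not a real capture. Only the last line is live.
SAMPLE_AUTOEXEC = "\r\n".join([
    "@ECHO OFF",
    "PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND",
    "SET TEMP=C:\\TEMP",
    "REM format c:  <- commented out, must not count",
    "ECHO format c: is not a command here",
    "C:\\WINDOWS\\COMMAND\\FORMAT.COM C:",
])

if __name__ == "__main__":
    print(assess(SAMPLE_AUTOEXEC, "dd/mm/yy", date(2001, 10, 17)))
```

The comment and ECHO lines are there to show the two common false positives a naive substring search would raise; the regex anchors on the command position so that only a line that actually executes FORMAT is reported.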

Protection against "Redesi" has already been added to the Kaspersky Anti-Virus database update.

A more detailed description of the worm is available in the Kaspersky Virus Encyclopedia.