The following has been derived from information provided by Network Associates, Panda, Sophos and Symantec.
Virus Characteristics
W32/Redesi.B@MM is a variant of W32/Redesi@MM. This variant poses as a forwarded message from someone you know. The forwarded message is crafted so that it appears to be an authentic security update from Microsoft.
NOTE: The message is not from Microsoft. Microsoft does not send patches or updates by email.
This virus was written in Visual Basic 6 and then compressed using UPX. When this worm is executed it performs the following actions:
It copies itself as:
C:\Common.exe
C:\Rede.exe
C:\Si.exe
C:\UserConf.exe
C:\Disk.exe
It then sets the hidden attribute on these files. Next, the following message, which is intended to give the worm credibility, is displayed:
Your Windows Update has been successful
Next, the worm emails itself to all recipients in the Microsoft Outlook address book. The email message has the following characteristics:
Subject: "FW: Security Update by Microsoft."
or
"FW: Microsoft security update."
or
"FW: IT departments on state of HIGH ALERT."
or
"FW: Important news from Microsoft."
or
"FW: Stop terrorists computer viruses reign."
or
"FW: Terrorists release computer virus."
or
"FW: Emergency response from Microsoft Corp."
or
"FW: Terrorist Emergency. Latest virus can wipe disk in minutes."
or
"FW: Microsoft Update. Final Release Candidate."
or
"FW: New computer virus."
Body:
Just recieved this in my email
I have contacted Microsoft and they say it's real !
-----Original Message-----
From: Microsoft Support Desk [mailto:Support@microsoft.com]
Sent: 17 October 2001 15:21
Subject: Security Update
Due to the recent spate of email spread computer viruses
Microsoft Corp has released a security patch.
Please apply the attached file to your Windows computer
to stop any futher spread or these malicious programs.
Regards
Microsoft Support
Attachments: Common.exe or Rede.exe or Si.exe or UserConf.exe or Disk.exe
Payload
This is a mass-mailing worm which sends itself to all users found in the Microsoft Outlook Address Book.
This worm creates a registry key value to load itself at startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Rede="C:\rede.exe"
An additional key is created:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ErrorHandling\Rede="True"
On November 11, 2001, the worm appends the following instructions to Autoexec.bat, which format the C: drive:
ECHO Bide ye the Wiccan laws ye must, In perfect love and perfect trust.
format C: /autotest
Preventative Measures
Block messages with the following details at the Internet email gateway where possible:
Subject: "FW: Security Update by Microsoft."
"FW: Microsoft security update."
"FW: IT departments on state of HIGH ALERT."
"FW: Important news from Microsoft."
"FW: Stop terrorists computer viruses reign."
"FW: Terrorists release computer virus."
"FW: Emergency response from Microsoft Corp."
"FW: Terrorist Emergency. Latest virus can wipe disk in minutes."
"FW: Microsoft Update. Final Release Candidate."
"FW: New computer virus."
Attachments: Common.exe, Rede.exe, Si.exe, UserConf.exe, Disk.exe
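The gateway rule above can be expressed as a small classifier. The following Python script is an added example and not part of this advisory or of any vendor's product: it parses a raw RFC 822 message with the standard `email` package and reports a match when the subject is one of the ten listed lines, when the body carries the forged "Microsoft Support Desk" forward, or when an attachment has one of the five listed filenames. The two sample messages at the bottom are constructed for the example; the addresses in them are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Indicators from the advisory. Subjects are compared case-insensitively after trimming.
BLOCKED_SUBJECTS = {
    "FW: Security Update by Microsoft.",
    "FW: Microsoft security update.",
    "FW: IT departments on state of HIGH ALERT.",
    "FW: Important news from Microsoft.",
    "FW: Stop terrorists computer viruses reign.",
    "FW: Terrorists release computer virus.",
    "FW: Emergency response from Microsoft Corp.",
    "FW: Terrorist Emergency. Latest virus can wipe disk in minutes.",
    "FW: Microsoft Update. Final Release Candidate.",
    "FW: New computer virus.",
}
BLOCKED_SUBJECTS_LOWER = {s.lower() for s in BLOCKED_SUBJECTS}
BLOCKED_ATTACHMENTS = {"common.exe", "rede.exe", "si.exe", "userconf.exe", "disk.exe"}
# The forged forward in the worm's body names this sender.
FORGED_SENDER_MARKER = "mailto:support@microsoft.com"


def classify_message(raw: bytes) -> List[str]:
    """Returns the list of reasons to block the message; empty means no match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []

    subject = str(msg.get("Subject", "")).strip()
    if subject.lower() in BLOCKED_SUBJECTS_LOWER:
        reasons.append(f"subject matches blocked list: {subject}")

    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None:
        body_text = body_part.get_content().lower()
        if FORGED_SENDER_MARKER in body_text and "microsoft support desk" in body_text:
            reasons.append("body contains the forged Microsoft Support Desk forward")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if name.lower() in BLOCKED_ATTACHMENTS:
            reasons.append(f"attachment name matches blocked list: {name}")

    return reasons


def build_sample_worm_message() -> bytes:
    """Constructed message shaped like the worm's email (placeholder addresses)."""
    m = EmailMessage()
    m["From"] = "colleague@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "FW: Security Update by Microsoft."
    m.set_content(
        "Just recieved this in my email\n"
        "I have contacted Microsoft and they say it's real !\n"
        "-----Original Message-----\n"
        "From: Microsoft Support Desk [mailto:Support@microsoft.com]\n"
        "Sent: 17 October 2001 15:21\n"
        "Subject: Security Update\n"
    )
    # Placeholder bytes standing in for the attachment; not the real executable.
    m.add_attachment(b"MZ placeholder", maintype="application",
                     subtype="octet-stream", filename="Rede.exe")
    return m.as_bytes()


def build_sample_clean_message() -> bytes:
    """Constructed benign message that must not match any rule."""
    m = EmailMessage()
    m["From"] = "colleague@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "Lunch on Friday?"
    m.set_content("Does 12:30 work for everyone?\n")
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in (("worm", build_sample_worm_message()),
                       ("clean", build_sample_clean_message())):
        verdict = classify_message(raw)
        print(label, "->", "BLOCK" if verdict else "pass", verdict)
```

Each rule fires independently, so a message is still caught if the sender changes the subject but keeps the attachment name, or vice versa; the body rule requires both the sender marker and the "Microsoft Support Desk" display name so that an ordinary mention of a Microsoft address does not trigger it.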
Fixes Available
Network Associates: Minimum Dat: 4167 (Release Date: 10/24/2001), Minimum Engine: 4.1.50
Symantec: October 19, 2001
Sophos: A virus identity (IDE) file which provides protection is available now from the latest virus identities section, and will be incorporated into the December 2001 (3.52) release of Sophos Anti-Virus.