Redesi: Emailed Microsoft update is a new worm

22 October 2001 05:35 PM

Another variation is a lewd message. Both types of Redesi have the potential to cause trouble. Find out how to prevent and remove this worm.

The worm Redesi (W32.Redesi.A, W32.Redesi.B) comes in two variations via email, either as a message about a Microsoft security patch or as a crude prank. Both versions contain a quote from the Wiccan Rede (rede is a Middle English word for story). Redesi can mass-mail email copies of itself and will attempt to reformat the C: drive on November 11, 2001. Fortunately, the worm is not spreading rapidly. Because Redesi has the potential to congest email servers with excess traffic and also reformat the C: drive on some PCs, it ranks a 6 on the ZDNet Virus Meter.

How it works
Redesi arrives as email with a subject line that includes one of the following:
    FW: Security Update by Microsoft.
    FW: Microsoft security update.
    FW: IT departments on state of HIGH ALERT.
    FW: Important news from Microsoft.
    FW: Stop terrorists computer viruses reign.
    FW: Terrorists release computer virus.
    FW: Emergency response from Microsoft
    FW: Terrorist Emergency. Latest virus can wipe disk in minutes.
    FW: Microsoft Update. Final Release Candidate.
    FW: New computer virus.

The body text reads:

    Just received this in my email. I have contacted Microsoft and they say it's real!

    -----Original Message-----
    From: Microsoft Support Desk [mailto:Support@microsoft.com]
    Sent: 17 October 2001 15:21
    Subject: Security Update
    Due to the recent spate of email-spread computer viruses, Microsoft has released a security patch. Please apply the attached file to your Windows computer to stop any further spread of these malicious programs.
    Regards

Another variation is a bit cruder and includes the following subject lines:

    Kev Gives great orgasms to ladeez!! -- Kev
    hell is coming for u, u will be sucked into a bottomless pit!!! -- Gaz
    Scientists have found traces of the HIV virus in cow's milk...here is the proof -- Will
    Yay. I caught a fish -- Si
    I don't want to write anything but Si is bullying me. -- Jim
    I want to live in a wooden house -- Arwel
    Michelle still owes me 10 ... shit! -- Si
    Why have I only got cheese and onion crisps ? I hate them!! -- Si
    A new type of Lager / Weed variant...... sorted!
    My dad not caring about my exam results -- by Michelle

The body text for this variation reads: "heh. I tell ya this is nuts! You gotta check it out!"

Attached filenames in either of the two above variations include common.exe, rede.exe, si.exe, userconf.exe, disk.exe.

If a user opens the attached file, Redesi displays a message box stating either "Your Windows update has been successful." or "C:\0\REDESI.exe is not a valid Win32 application."

On November 11, 2001, Redesi will attempt to add the following lines to the computer's autoexec.bat:

    ECHO Bide ye the Wiccan laws ye must, In perfect love and perfect trust.
    format C: /autotest

so that after the next reboot drive C: is formatted automatically. The virus contains the following Unicode strings:

    When misfortune is enow, wear the blue star on thy brow. True in love ye must ever be, lest thy love be false to thee. These words the Wiccan Rede fulfill: An ye harm none, do what ye will.
    Rede(c)Si 2001 ... heh, want my phone number too ?!? Sick of all thes 3rd world gits spreading worms. Time for a bit of Welsh stuff :)
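As an added example (not code from the article or from any of the vendors it names), a small Python checker for the indicators described above: the subject lines and attachment names of the worm mail, and the two lines the worm appends to autoexec.bat. The sample mail and sample autoexec.bat are constructed for the example.

```python
from email import message_from_string, policy

# Indicators quoted in the article above; matching is case-insensitive.
REDESI_SUBJECTS = {
    "fw: security update by microsoft.", "fw: microsoft security update.",
    "fw: it departments on state of high alert.", "fw: important news from microsoft.",
    "fw: stop terrorists computer viruses reign.", "fw: terrorists release computer virus.",
    "fw: emergency response from microsoft", "fw: new computer virus.",
    "fw: terrorist emergency. latest virus can wipe disk in minutes.",
    "fw: microsoft update. final release candidate.",
}
REDESI_ATTACHMENTS = {"common.exe", "rede.exe", "si.exe", "userconf.exe", "disk.exe"}
# Fragments of the two lines the worm appends to autoexec.bat on 11 November 2001.
AUTOEXEC_MARKERS = ("bide ye the wiccan laws", "format c: /autotest")

def redesi_email_hits(raw_message: str) -> list:
    """Return the Redesi indicators found in one RFC 822 message (empty if clean)."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = " ".join((msg["Subject"] or "").split()).lower()  # unfold and normalise
    if subject in REDESI_SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.walk():  # attachment names at any level of MIME nesting
        name = (part.get_filename() or "").lower()
        if name in REDESI_ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits

def autoexec_payload_lines(autoexec_text: str) -> list:
    """1-based numbers of the autoexec.bat lines that carry the worm's payload."""
    return [i for i, line in enumerate(autoexec_text.splitlines(), 1)
            if any(marker in line.lower() for marker in AUTOEXEC_MARKERS)]

# Constructed samples (not real captures): one worm mail and one infected autoexec.bat.
SAMPLE_MAIL = """\
Subject: FW: Microsoft security update.
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="userconf.exe"
Content-Disposition: attachment; filename="userconf.exe"

MZ-placeholder
--b1--
"""
SAMPLE_AUTOEXEC = ("@ECHO OFF\nPATH C:\\WINDOWS\nECHO Bide ye the Wiccan laws ye must, "
                   "In perfect love and perfect trust.\nformat C: /autotest\n")
```

A mail gateway filter would call redesi_email_hits on each inbound message and quarantine anything that returns a non-empty list; autoexec_payload_lines tells a cleanup script which lines to delete before the trigger date.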

Removal
A few antivirus companies have updated their signature files to include Redesi. For removal instructions, see Central Command, McAfee, F-Secure, Symantec, or Sophos.

Prevention
Here are the basic steps for containing the latest worm:

1. Download Microsoft's Outlook Security Patch. If you haven't already installed it, download the Outlook 98 Security Patch or the Outlook 2000 Security Patch. Please note that this patch does not include Outlook Express.

2. Turn off Windows Scripting Host. Recent virus outbreaks have exploited known vulnerabilities in Visual Basic Scripting under Windows. To limit your risk of infection, you should turn off Windows Scripting Host.

3. "Don't open attachments!" One way to prevent virus infections is not to open attachments, especially when viruses such as this one are being actively circulated. Even if the email is from a known source, be careful. A few viruses take the mailing lists from an infected computer and send out new messages with their destructive payload attached. Always scan the attached files first for viruses. Unless it's a file or an image you are expecting, delete it.

4. Stay informed. Did you know that there are virus and security alerts almost every day? Keep up-to-date on breaking viruses and solutions by bookmarking your vendor's security web site, such as McAfee or Symantec.

5. Get protected. If you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of these top-rated programs then following the installation instructions. If you're on a network, check with your network administrator first.

6. Scan your system regularly. If you're just loading anti-virus software for the first time, it's a good idea to let it scan your entire system. It's better to start with your PC clean and free of virus problems. Often the antivirus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.

7. Update your antivirus software. Now that you have virus protection software installed, make sure it's up-to-date. Some antivirus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat.
