VBS. Redlof is written in Visual Basic Script (VBS) and encrypted as VBE (Visual Basic encoded script). On first being run, it creates a file with its executable code in the Windows system directory under the name Kernel.dll.
The virus also creates files under the name kjwall.gif in the System32 and Web directories. The virus also copies itself to all directories on other disks of the infected computer as folder.htt, a file which configures images and folders in MS Explorer.
Replication of the virus
The infected file folder.htt gains control and copies itself to all directories when viewed or opened using MS Explorer. If a directory already contains folder.htt, the directory will not be infected.
The virus writes itself into all HTM files in the Windowsweb directory and by doing so gains control over the following files when they are opened: iejit.htm, offline.htm, related.htm, tip.htm, folder.htm, wum.htm.