After being run, the virus will immediately copy itself to the Windows directory under the alias Kernel.dll. The virus also creates files named kjwall.gif in the System32 and Web Directories. It then drops a core file, folder.htt.
The infected folder will spread the folder.htt to every single retrievable directory on the infected system. The virus then writes itself to the end of HTM files, allowing itself to infect computers when they are opened. It will also infect the following files as they are opened: iejit.htm, offline.htm, related.htm, tip.htm, folder.htm, wum.htm.
Securelist (Kaspersky Labs), Virus.VBS.Redlof.a