Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload:
Detection files published: 14 Nov 2000 03:00:00
Description created: 15 Nov 2000 03:00:00
Description updated: 15 Nov 2000 03:00:00
Malware type: WORM
Alias: W32/Verona
Spreading mechanism: EMAIL
Summary: None

W32/Blebla@mm.Worm

Spreading

The worm consists of two different files; MyJuliet.chm and MyRomeo.exe. These files are included in the e-mail as regular attachments. However, once the offending mail is opened in Outlook, the files will be saved to disk in the temp folder. The CHM file is run directly, and will in turn start the EXE file.

The MyRomeo.exe is a regular Win32 EXE file, written in Delphi and compressed using the well-known compressor UPX. When run it will access the user's Outlook Address Book and send itself to addresses listed there. The e-mail is sent through one out of six different Polish mail servers.

The mail will arrive with one out of twelve different subjects:

Romeo&Juliet
:))))))
hello world !!??!?!?
subject
ble bla, bee
I Love You ;)
sorry...
Hey you !
Matrix has you...
my picture
'from shake-beer

Variants


W32/Blebla.B

This variant will arrive in email with one of the following subjects:

Romeo&Juliet
where is my Juliet ?
where is my romeo ?
Hi
last wish ???
Lol :)
,,...
!!!
newborn
merry christmas!
surprise !
Caution : NEW VIRUS !
Scandal !
^_^
Re:

W32/Blebla.B also sends a message to the news group alt.comp.virus:

From: "Romeo&Juliet"
Subject: [Romeo&Juliet] R.i.P.

Upon execution the worm copies itself to c:\windows\sysrnj.exe. It then modifies the Registry so that it is executed whenever a file with one of the extensions listed below is opened.

The .B variant of the worm creates a new Registry key:

HKEY_CLASSES_ROOT\rnjfile
    \DefaultIcon=%1
    \shell\open\command=sysrnj.exe "%1"%*

It then modifies the following keys so that every file of one of these types is associated with rnjfile and opened by sysrnj.exe (as defined in the Registry key above). The (Default) value in each of the following keys is changed to rnjfile:

HKEY_CLASSES_ROOT
    \.exe
    \.jpg
    \.jpeg
    \.jpe
    \.bmp
    \.gif
    \.avi
    \.mpg
    \.mpeg
    \.wmf
    \.wma
    \.wmv
    \.mp3
    \.mp2
    \.vqf
    \.doc
    \.xls
    \.zip
    \.rar
    \.lha
    \.arj
    \.reg
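The association hijack described above can be checked for on an exported copy of HKEY_CLASSES_ROOT. The following Python script is an added example, not Lumension's tooling and not part of this description: it parses the text of a regedit export (a constructed sample is embedded, containing the rnjfile handler and a few of the listed extensions, plus an untouched .txt association for contrast) and reports which extensions now resolve to rnjfile and what command that handler runs. The handler name and the sample export are assumptions made for the example.

```python
"""Audit a Windows Registry export (.reg text) for file-type associations
that have been redirected to a single handler ProgID, as the description
attributes to W32/Blebla.B with 'rnjfile'."""
import re

# Constructed sample .reg export (REGEDIT5 format), NOT taken from a real host.
# It mirrors the modification described for the .B variant: an rnjfile ProgID
# whose open command runs sysrnj.exe, and extension keys whose (Default)
# value now points at rnjfile. The .txt key is left normal for contrast.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\rnjfile]

[HKEY_CLASSES_ROOT\rnjfile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\rnjfile\shell\open\command]
@="sysrnj.exe \"%1\"%*"

[HKEY_CLASSES_ROOT\.exe]
@="rnjfile"

[HKEY_CLASSES_ROOT\.jpg]
@="rnjfile"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\.doc]
@="rnjfile"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')        # [HKEY_...\path] section header
DEFAULT_RE = re.compile(r'^@="(.*)"$')    # @="..." is the (Default) value


def parse_reg_export(text):
    """Return {key_path: default_value} for every key whose (Default) value
    is a string. Other value types (hex:, dword:) are ignored on purpose."""
    defaults = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = DEFAULT_RE.match(line)
        if m and current is not None:
            # Undo the .reg escaping of embedded quotes and backslashes.
            defaults[current] = m.group(1).replace('\\"', '"').replace('\\\\', '\\')
    return defaults


def find_hijacked_extensions(defaults, handler='rnjfile'):
    """Extensions under HKEY_CLASSES_ROOT whose ProgID is the suspect handler."""
    prefix = 'HKEY_CLASSES_ROOT\\.'
    return sorted(k[len(prefix) - 1:] for k, v in defaults.items()
                  if k.startswith(prefix) and v.lower() == handler.lower())


def handler_command(defaults, handler='rnjfile'):
    """The open command registered for the handler ProgID, or None if absent."""
    return defaults.get('HKEY_CLASSES_ROOT\\%s\\shell\\open\\command' % handler)


def audit(text, handler='rnjfile'):
    """Full audit of one export: handler command plus the extensions it captured."""
    defaults = parse_reg_export(text)
    return {
        'handler_command': handler_command(defaults, handler),
        'hijacked_extensions': find_hijacked_extensions(defaults, handler),
    }


if __name__ == '__main__':
    report = audit(SAMPLE_REG_EXPORT)
    print('handler command    :', report['handler_command'])
    print('hijacked extensions:', ', '.join(report['hijacked_extensions']))
```

On a real system the input would come from `reg export HKEY_CLASSES_ROOT hkcr.reg` (a Unicode file; decode it before passing the text in). Running the audit with a different handler name, e.g. `txtfile`, shows the same logic picks out any ProgID, which is useful for spotting handlers that have quietly gained extensions they should not own.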


Payload Details

n/a

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11