Discovered: November 30, 2000
Updated: February 13, 2007 11:33:08 AM
Also Known As: I-Worm.Blebla.b [KAV], W32/BleBla.b@MM [McAfee], WORM_BLEBLA.B [Trend], W32/Verona-B [Sophos], Win32.Verona.B [CA]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
The W32.Blebla.B.Worm is a minor update of the original W32.Blebla worm. The file names have been changed to Xromeo.exe and Xjuliet.chm, perhaps to avoid detection based only on the file names.
W32.Blebla.B.Worm arrives as an email message, with an HTML body and two attachments named Xromeo.exe and Xjuliet.chm. When you read the message, the two attachments are automatically saved and launched. When launched, the worm attempts to send itself to all the names in the Microsoft Outlook address book and post messages to the alt.comp.virus newsgroup. The worm also alters registry keys, so that it is run when certain file types are viewed or executed.
The following files are saved to the hard disk:
- Xromeo.exe
- Xjuliet.chm
- 001.txt
- 002.txt
- Sysrnj.exe
If you quarantine the Sysrnj.exe file and then attempt to start the programs, you see the error message, "Windows cannot find Sysrnj.exe. This program is required for opening files of type 'Application'."
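The following Python example is added here and is not part of the original write-up or of any vendor tool. It reads the text of an HKEY_CLASSES_ROOT registry export and reports which file types open through one of the files listed above, so those associations can be repaired before Sysrnj.exe is quarantined. The write-up does not name the registry keys the worm alters, so the sample export, the ProgID "samplefile" and the C:\WINDOWS path are constructed assumptions.

```python
import re

# File names the write-up lists as saved to disk (compared case-insensitively).
DROPPED = ("xromeo.exe", "xjuliet.chm", "sysrnj.exe")
ROOT = "hkey_classes_root\\"

# Constructed sample in .reg export layout. "samplefile" is a hypothetical
# ProgID and C:\WINDOWS an assumed path; neither comes from the write-up.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\.exe]
@="samplefile"
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\samplefile\shell\open\command]
@="C:\\WINDOWS\\Sysrnj.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"
'''

def parse_defaults(reg_text):
    """Return {lower-cased key path below HKEY_CLASSES_ROOT: default value}."""
    defaults, key = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            path = header.group(1).lower()
            key = path[len(ROOT):] if path.startswith(ROOT) else None
        elif key and line.startswith('@="') and line.endswith('"'):
            # Undo .reg escaping: \\ becomes \ and \" becomes "
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults

def hijacked_types(reg_text, names=DROPPED):
    """Map each ProgID whose open command names a dropped file to that
    command and to the extensions that resolve to the ProgID."""
    defaults = parse_defaults(reg_text)
    findings = {}
    for key, value in defaults.items():
        if key.endswith("\\shell\\open\\command") and any(n in value.lower() for n in names):
            progid = key.split("\\")[0]
            exts = sorted(k for k, v in defaults.items()
                          if k.startswith(".") and "\\" not in k and v.lower() == progid)
            findings[progid] = {"command": value, "extensions": exts}
    return findings

if __name__ == "__main__":
    print(hijacked_types(SAMPLE_REG))
```

The functions take already-decoded text, so the caller is responsible for reading the export file in its own encoding.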
Protection
- Initial Rapid Release version: November 30, 2000
- Latest Rapid Release version: March 25, 2008 revision 018
- Initial Daily Certified version: November 30, 2000
- Latest Daily Certified version: March 25, 2008 revision 022
- Initial Weekly Certified release date: November 30, 2000
Threat Assessment
Wild
- Wild Level: Medium
- Number of Infections: 50 - 999
- Number of Sites: More than 10
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Difficult
Damage
Distribution
Writeup By: Peter Ferrie