W32.Blebla.B.Worm

The W32.Blebla.B.Worm is a minor update of the original W32.Blebla worm. The file names have been changed to Xromeo.exe and Xjuliet.chm, perhaps to avoid detection based only on the file names.

W32.Blebla.B.Worm arrives as an email message, with an HTML body and two attachments named Xromeo.exe and Xjuliet.chm. When you read the message, the two attachments are automatically saved and launched. When launched, the worm attempts to send itself to all the names in the Microsoft Outlook address book and post messages to the alt.comp.virus newsgroup. The worm also alters registry keys, so that it is run when certain file types are viewed or executed.

The following files are saved to the hard disk:

• Xromeo.exe
• Xjuliet.chm
• 001.txt
• 002.txt
• Sysrnj.exe

If you quarantine the Sysrnj.exe file and then attempt to start the programs, you see the error message, "Windows cannot find Sysrnj.exe. This program is required for opening files of type 'Application'."