W32.Blebla.B.Worm

Risk Level 1: Very Low

Discovered: November 30, 2000
Updated: February 13, 2007 11:33:08 AM
Also Known As: I-Worm.Blebla.b [KAV], W32/BleBla.b@MM [McAfee], WORM_BLEBLA.B [Trend], W32/Verona-B [Sophos], Win32.Verona.B [CA]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


The W32.Blebla.B.Worm is a minor update of the original W32.Blebla worm. The file names have been changed to Xromeo.exe and Xjuliet.chm, perhaps to avoid detection based only on the file names.

W32.Blebla.B.Worm arrives as an email message, with an HTML body and two attachments named Xromeo.exe and Xjuliet.chm. When you read the message, the two attachments are automatically saved and launched. When launched, the worm attempts to send itself to all the names in the Microsoft Outlook address book and post messages to the alt.comp.virus newsgroup. The worm also alters registry keys, so that it is run when certain file types are viewed or executed.

The following files are saved to the hard disk:
  • Xromeo.exe
  • Xjuliet.chm
  • 001.txt
  • 002.txt
  • Sysrnj.exe

If you quarantine the Sysrnj.exe file and then attempt to start the programs, you see the error message, "Windows cannot find Sysrnj.exe. This program is required for opening files of type 'Application'."
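
The following check is an added example, not part of the original writeup or of any vendor tool: it scans a text export of the registry for file-type open handlers that still reference the dropped executables, which is the condition behind the error message above. The writeup does not name the altered keys, so scanning every `\shell\open\command` key is an assumption, and the sample export is constructed.

```python
import re

# Executable names taken from the writeup's list of dropped files.
DROPPED_EXECUTABLES = ("sysrnj.exe", "xromeo.exe")

KEY_RE = re.compile(r"^\[(.+)\]$")        # [HKEY_...\some\key]
DEFAULT_RE = re.compile(r'^@="(.*)"$')    # @="default value"


def unescape(value):
    """Undo .reg string escaping (backslash-escaped quotes and backslashes)."""
    return re.sub(r'\\(["\\])', r"\1", value)


def find_hijacked_handlers(reg_text):
    """Return (key, command) pairs whose open command names a dropped file."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DEFAULT_RE.match(line)
        # Assumption: only open handlers (...\shell\open\command) are inspected.
        if not (m and key and key.lower().endswith(r"\shell\open\command")):
            continue
        command = unescape(m.group(1))
        if any(name in command.lower() for name in DROPPED_EXECUTABLES):
            hits.append((key, command))
    return hits


# Constructed sample export (illustrative values, not from an infected machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="Sysrnj.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\mp3file\shell\open\command]
@="sysrnj.exe \"%1\""
'''

if __name__ == "__main__":
    for key, command in find_hijacked_handlers(SAMPLE_EXPORT):
        print(f"{key} -> {command}")
```

Any handler it reports must be restored to its original command before or together with removing Sysrnj.exe; otherwise the affected file types fail to open as described above.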

Protection

  • Initial Rapid Release version November 30, 2000
  • Latest Rapid Release version September 21, 2009 revision 034
  • Initial Daily Certified version November 30, 2000
  • Latest Daily Certified version September 21, 2009 revision 040
  • Initial Weekly Certified release date November 30, 2000

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: 50 - 999
  • Number of Sites: More than 10
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Difficult

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: Low

Writeup By: Peter Ferrie