W32.Blebla.B.Worm


Risk Level 1: Very Low

November 30, 2000
February 13, 2007 11:33:08 AM
Also Known As:
I-Worm.Blebla.b [KAV], W32/BleBla.b@MM [McAfee], WORM_BLEBLA.B [Trend], W32/Verona-B [Sophos], Win32.Verona.B [CA]
Systems Affected:

The W32.Blebla.B.Worm is a minor update of the original W32.Blebla worm. The file names have been changed to Xromeo.exe and Xjuliet.chm, perhaps to avoid detection based only on the file names.

W32.Blebla.B.Worm arrives as an email message, with an HTML body and two attachments named Xromeo.exe and Xjuliet.chm. When you read the message, the two attachments are automatically saved and launched. When launched, the worm attempts to send itself to all the names in the Microsoft Outlook address book and post messages to the alt.comp.virus newsgroup. The worm also alters registry keys, so that it is run when certain file types are viewed or executed.

The following files are saved to the hard disk:
  • Xromeo.exe
  • Xjuliet.chm
  • 001.txt
  • 002.txt
  • Sysrnj.exe

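If you quarantine the Sysrnj.exe file and then attempt to start a program, you see the error message, "Windows cannot find Sysrnj.exe. This program is required for opening files of type 'Application'." This follows from the registry changes, which make the worm run whenever files of that type are executed.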
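A check for the handler change that this error message points to, as an added example that is not part of the Symantec writeup: the Python below scans a `.reg` export of HKEY_CLASSES_ROOT for executable-type open handlers that differ from the stock Windows command and notes any that mention the file names listed above. The key paths, the ProgIDs other than 'Application' (exefile), and the sample export are assumptions or constructed values; the writeup does not name the altered keys.

```python
import re

# Assumption: stock Windows open command for these ProgIDs is "%1" %*
EXPECTED = '"%1" %*'
PROGIDS = ("exefile", "comfile", "batfile", "cmdfile", "piffile")
# File names taken from the writeup's list of dropped files
WORM_FILES = ("xromeo.exe", "xjuliet.chm", "sysrnj.exe")

KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\open\\command\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def unescape(value):
    """Undo .reg escaping of backslash and double quote."""
    return re.sub(r"\\(.)", r"\1", value)

def find_hijacked_handlers(reg_text):
    """Map ProgID -> (command, worm file names it mentions) for every
    executable-type open handler that differs from the stock command."""
    findings, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            progid = m.group(1).lower() if m else None
            current = progid if progid in PROGIDS else None
            continue
        m = DEFAULT_RE.match(line)
        if current and m:
            command = unescape(m.group(1))
            if command.strip() != EXPECTED:
                hits = [f for f in WORM_FILES if f in command.lower()]
                findings[current] = (command, hits)
    return findings

# Constructed sample export (not taken from an infected machine)
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="Sysrnj.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for progid, (command, hits) in find_hijacked_handlers(SAMPLE_EXPORT).items():
        print(f"{progid}: {command!r} worm files: {hits or 'none'}")
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text to `find_hijacked_handlers`.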

Antivirus Protection Dates

  • Initial Rapid Release version November 30, 2000
  • Latest Rapid Release version August 8, 2016 revision 023
  • Initial Daily Certified version November 30, 2000
  • Latest Daily Certified version August 9, 2016 revision 001
  • Initial Weekly Certified release date November 30, 2000
Writeup By: Peter Ferrie
