The worm arrives as an email message, with an HTML body and two attachments named Xromeo.exe and Xjuliet.chm. The subject of the email is randomly selected from the following set:
- where is my juliet ?
- where is my romeo ?
- last wish ???
- lol :)
- merry christmas!
- surprise !
- Caution: NEW VIRUS !
- scandal !
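The message-level indicators above (subject line, HTML body, the two attachment names) can be checked mechanically on the mail gateway. The following is an added example, not part of this writeup or of any Symantec tooling: it parses a raw RFC 5322 message and scores it against those indicators, treating the pair of attachment names as decisive and the subject list as corroborating only, since the subjects are ordinary phrases that legitimate mail also uses. The sample messages are constructed here and the attachment bodies are stand-in bytes, not worm code.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines the writeup lists; compared case-insensitively with whitespace collapsed.
ROMEO_SUBJECTS = {
    "where is my juliet ?",
    "where is my romeo ?",
    "last wish ???",
    "lol :)",
    "merry christmas!",
    "surprise !",
    "Caution: NEW VIRUS !",
    "scandal !",
}
# Attachment names the writeup gives; compared lower-cased.
ROMEO_ATTACHMENTS = {"xromeo.exe", "xjuliet.chm"}


def _norm(text):
    return " ".join(text.lower().split())


_NORMALIZED_SUBJECTS = {_norm(s) for s in ROMEO_SUBJECTS}


def classify(raw):
    """Score one raw message (bytes) against the indicators in the writeup."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = _norm(msg.get("Subject") or "") in _NORMALIZED_SUBJECTS
    has_html = False
    found = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            has_html = True
        filename = part.get_filename()
        if filename and filename.lower() in ROMEO_ATTACHMENTS:
            found.add(filename.lower())
    # Both attachments together are the decisive indicator; subject and HTML body
    # only raise confidence, because plenty of legitimate mail shares them.
    verdict = found == ROMEO_ATTACHMENTS
    return {
        "subject_hit": subject_hit,
        "has_html_body": has_html,
        "attachments_found": sorted(found),
        "verdict": verdict,
    }


def build_sample():
    """Constructed message shaped like the one described (stand-in attachment bytes)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "victim@example.test"
    m["Subject"] = "where is my juliet ?"
    m.set_content("constructed plain-text fallback")
    m.add_alternative("<html><body><p>constructed HTML body</p></body></html>", subtype="html")
    m.add_attachment(b"MZ\x00\x00stand-in", maintype="application",
                     subtype="octet-stream", filename="Xromeo.exe")
    m.add_attachment(b"ITSF\x00\x00stand-in", maintype="application",
                     subtype="octet-stream", filename="Xjuliet.chm")
    return m.as_bytes()


def build_benign():
    """Constructed legitimate message that happens to reuse one of the listed subjects."""
    m = EmailMessage()
    m["From"] = "friend@example.test"
    m["To"] = "victim@example.test"
    m["Subject"] = "merry christmas!"
    m.set_content("see you at the party")
    return m.as_bytes()


if __name__ == "__main__":
    print("worm-like message:", classify(build_sample()))
    print("benign message:   ", classify(build_benign()))
```

Matching on attachment names alone is weak against renamed variants, so a gateway rule would normally pair this with a hash or signature check on the attachment bodies; the point of the example is that the subject list by itself must not be treated as a verdict.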
This worm runs only under Windows 95/98/Me/2000 systems that have not applied the available Microsoft security updates. It does not run under Windows NT. There have been unconfirmed reports of the worm being found on computers running Windows XP; the version of Internet Explorer that ships with that operating system should already include all the required Microsoft security patches. If you think your Windows XP computer is infected with this worm, follow the instructions in the "Removal" section later in the writeup.
The HTML component in the message causes the attachments to be saved in the \Windows\Temp folder and launches the Xjuliet.chm file. Then, this file launches the Xromeo.exe file, which is the mass-mailer component of the worm.
The Xromeo.exe file attempts to terminate the HH.exe process (the HTML Help viewer that opened Xjuliet.chm) to hide its activity. Then, the virus queries the Outlook Address Book and tries to propagate itself using several different mail servers with these IP addresses:
The virus has its own email engine. It connects to one of the above servers and tries to send its email message with the MIME-encoded attachments. Then, the virus alters the following registry keys to point to a file called Sysrnj.exe in the Windows directory:
When a file with any of these extensions is launched, the worm moves the original file into C:\Recycled under a random file name and replaces it with a copy of itself, appending .exe to the original file name. For example, song.mp3 becomes song.mp3.exe, and that file is the worm. The original file is not executed.
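The replacement behaviour just described leaves a recognisable footprint on disk: files named <name>.<data extension>.exe whose un-suffixed original is missing, and, because every replacement is a copy of the same worm, many such files sharing one identical body. The following is an added example, not part of this writeup or of any vendor tool, of a scanner that looks for exactly that footprint. The writeup's own extension example is mp3; the other extensions in DATA_EXTENSIONS are placeholders for illustration, since the affected extension list is not reproduced above. The directory tree it scans is constructed in a temporary folder with stand-in bytes, not worm code.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions to treat as "data" extensions. mp3 is the writeup's example; the rest
# are assumed placeholders, not the page's list.
DATA_EXTENSIONS = {"mp3", "jpg", "zip", "vbs"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, data_exts=DATA_EXTENSIONS):
    """Walk root and report files shaped like <name>.<data-ext>.exe.

    For each hit, record whether the un-suffixed original still sits beside it
    (the worm moves it away, so 'missing' is the expected state) and cluster hits
    by content hash: one body replicated under many names is the signature of a
    file-replacing worm rather than a coincidence.
    """
    suspects = []
    by_hash = defaultdict(list)
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        name = p.name
        if not name.lower().endswith(".exe"):
            continue
        inner = name[:-4]                      # strip the appended ".exe"
        if "." not in inner:
            continue                           # plain setup.exe, not a double extension
        inner_ext = inner.rsplit(".", 1)[1].lower()
        if inner_ext not in data_exts:
            continue
        digest = sha256_of(p)
        suspects.append({
            "path": str(p),
            "name": name,
            "original_name": inner,
            "original_present": (p.parent / inner).exists(),
            "sha256": digest,
        })
        by_hash[digest].append(str(p))
    identical = {h: paths for h, paths in by_hash.items() if len(paths) > 1}
    return {"suspects": suspects, "identical_bodies": identical}


def build_sample_tree():
    """Constructed fixture laid out the way the writeup describes an infection."""
    root = Path(tempfile.mkdtemp(prefix="romeo_demo_"))
    worm_body = b"MZ" + b"\x00" * 62 + b"constructed stand-in for the replacing executable"
    (root / "music").mkdir()
    (root / "docs").mkdir()
    (root / "tools").mkdir()
    # Two data files "replaced" by the worm: same body under two names, originals gone.
    (root / "music" / "song.mp3.exe").write_bytes(worm_body)
    (root / "docs" / "photo.jpg.exe").write_bytes(worm_body)
    # Benign neighbours: a real single-extension executable and an untouched data file.
    (root / "tools" / "setup.exe").write_bytes(b"MZ" + b"\x90" * 100)
    (root / "docs" / "report.txt").write_bytes(b"quarterly numbers")
    return str(root)


if __name__ == "__main__":
    result = scan(build_sample_tree())
    for s in result["suspects"]:
        print(f"{s['name']}: original {'present' if s['original_present'] else 'missing'}")
    for digest, paths in result["identical_bodies"].items():
        print(f"identical body {digest[:12]}... in {len(paths)} files")
```

On a real machine the same walk would be pointed at the data directories and at C:\Recycled, where the displaced originals end up under random names; restoring them means matching the moved files back to the suspect names, which the content hash clusters help with because every replacement has the same digest and the originals do not.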
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":