Alias:W32/BleBla.a@MM
Type:Worm 
Size:29.184 Bytes 
Origin: 
Date:12-12-2000 
Damage:Sent by email. 
VDF Version:6.23.00.00 
Danger:Medium 
Distribution:Medium 

DistributionThe worm uses six Polish SMTP servers to spread itself. An email sent by the worm looks like this:
Subject:
Romeo&Juliet
where is my Juliet ?
where is my Romeo ?
Re:
hello world
Matrix has you....
I LOVE YOU :)
from shake-beer
my picture
ble bla, bee
merry christmas
surprise !
Caution: NEW VIRUS !
newborn
hi
last wish ???
lol :)
scandal !
^_^
!!!
,,....´
!!??!?!?

Attachment:
MYJULIET.CHM
MYROMEO.EXE

Technical Details'BleBla' virus (also known as Romeo&Juliet) spreads over the Internet and sends itself by email with two attachments. It proves to be really dangerous, as it becomes active and infects the system right after opening or previewing the email.
First, the worm checks that Windows is installed in C:\%WinDIR%\ directory. When the infected email is opened, Windows runs automatically the file MYJULIET.CHM, which is a compresses HTML site. Then, the script in this HTML runs the file
MYROMEO.EXE.
A version of the worm modifies the registry entry. ROMEO.EXE is copied in \WINDOWS\SYSRNJ.EXE and modifies the entries in the register. It makes the following entry:
HKEY_CLASSES_ROOT\rnjfile\DefaultIcon =%1\shell\open\command =sysrnj.exe "%1" %*
and it changes the following ones:
\.exe =rnjfile
\.jpg = rnjfile
\.jpeg = rnjfile
\.jpe = rnjfile
\.reg = rnjfile
\.arj = rnjfile
\.bmp = rnjfile
\.lha = rnjfile
\.rar = rnjfile
\.gif = rnjfile
\.avi = rnjfile
\.zip = rnjfile
\.mpg = rnjfile
\.mpeg = rnjfile
\.xls = rnjfile
\.doc = rnjfile
\.vqf = rnjfile
\.mp2 = rnjfile
\.mp3 = rnjfile
\.wmf = rnjfile
\.wma = rnjfile
\.wmv = rnjfile
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .