Alias: I-Worm.Blebla.b [KAV], W32/BleBla.b@MM [McAfee], WORM_BLEBLA.B [Trend], W32/Verona-B [Sophos], Win32.Verona.B [CA]
Type: Worm
Size:
Origin:
Date: 00-00-0000
Damage: Sent by email, spreads on servers.
VDF Version:
Danger: Low
Distribution: Low

Distribution
The email sent by the worm looks like this:

Subject:
Romeo&Juliet
where is my juliet ?
where is my romeo ?
hi
last wish ???
lol :)
,,...
!!!
newborn
merry christmas!
surprise !
Caution: NEW VIRUS !
scandal !
^_^
Re:

Attachment:
Xromeo.exe
Xjuliet.chm

IWorm.BleBla.3 uses its own SMTP engine. It tries to spread through various mail servers, which it contacts by IP address. When connected, the worm tries to send an email through these servers.

Technical Details
When activated, the worm is copied as SYSRNJ.EXE in the C:\Windows\ directory and creates or modifies the following registry entry:
HKEY_CLASSES_ROOT\rnjfile
\DefaultIcon = %1
\shell\open\command = sysrnj.exe "%1" %*
Then it changes the following registry entries:
HKEY_CLASSES_ROOT
\.exe = rnjfile
\.jpg = rnjfile
\.jpeg = rnjfile
\.jpe = rnjfile
\.bmp = rnjfile
\.gif = rnjfile
\.avi = rnjfile
\.mpg = rnjfile
\.mpeg = rnjfile
\.wmf = rnjfile
\.wma = rnjfile
\.wmv = rnjfile
\.mp3 = rnjfile
\.mp2 = rnjfile
\.vqf = rnjfile
\.doc = rnjfile
\.xls = rnjfile
\.zip = rnjfile
\.rar = rnjfile
\.lha = rnjfile
\.arj = rnjfile
\.reg = rnjfile

As a result, the worm is activated every time a file of one of these types is opened. While copying itself, the worm checks which file is being opened. If it is REGEDIT or a REG file, the worm tries to stop the system. If it is an EXE file, the worm executes its payload. In any other case, it creates a \Recycled\ directory, renames the started files arbitrarily and places them in that directory. Moreover, it copies itself with the same name and an .exe extension into \Recycled\.
Description inserted by Crony Walker on Tuesday, June 15, 2004
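
A defender-side check for the file-association changes described above, as an added example that is not part of the original description: it parses a `reg export` text dump of HKEY_CLASSES_ROOT and reports extensions routed to `rnjfile` and ProgIDs whose open command runs `sysrnj.exe`. The sample dump and the function names are constructed for illustration.

```python
import re

# Indicators taken from the description above.
PROGID = "rnjfile"
HANDLER = "sysrnj.exe"

# Constructed sample in `reg export` (.reg) text form; not captured from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="rnjfile"

[HKEY_CLASSES_ROOT\.jpg]
@="rnjfile"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\rnjfile\shell\open\command]
@="sysrnj.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="notepad.exe %1"
'''

def default_values(reg_text):
    """Map each key path (lower-cased) to its default (@) string, with .reg escapes undone."""
    values, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            values[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return values

def find_hijacks(reg_text, root="hkey_classes_root"):
    """Return (extensions routed to PROGID, ProgIDs whose open command runs HANDLER)."""
    values = default_values(reg_text)
    exts, progids = [], []
    for key, val in values.items():
        parts = key.split("\\")
        if parts[0] != root:
            continue
        if len(parts) == 2 and parts[1].startswith(".") and val.lower() == PROGID:
            exts.append(parts[1])
        elif parts[2:] == ["shell", "open", "command"] and HANDLER in val.lower():
            progids.append(parts[1])
    return sorted(exts), sorted(progids)
```

Any extension in the first list needs its default value restored to the original ProgID before the handler binary is removed; while `.exe` still points at a handler that no longer exists, programs will not start.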
