Alias:I-Worm.Blebla.b [KAV], W32/BleBla.b@MM [McAfee], WORM_BLEBLA.B [Trend], W32/Verona-B [Sophos], Win32.Verona.B [CA]
Type:Worm 
Size: 
Origin: 
Date:00-00-0000 
Damage:Sent by email, spreads on servers. 
VDF Version:  
Danger:Low 
Distribution:Low 

Distribution
The email sent by the worm looks like this:

Subject:
Romeo&Juliet
where is my juliet ?
where is my romeo ?
hi
last wish ???
lol :)
,,...
!!!
newborn
merry christmas!
surprise !
Caution: NEW VIRUS !
scandal !
^_^
Re:

Attachment:
Xromeo.exe
Xjuliet.chm

IWorm.BleBla.3 uses its own SMTP engine. It tries to spread through various mailservers, using the following IP addresses: 195.117.117.6 212.244.197.164 195.205.96.185 195.116.104.14 195.117.3.111 195.116.221.65 212.244.67.20 194.181.138.141 195.205.121.183 195.117.88.7 212.160.95.1 212.244.241.81 195.205.208.33 212.106.133.133 195.116.72.5 213.25.175.3 195.117.99.98 213.25.111.2 When connected, the worm tries to send an email through these servers.

Technical Details
When activated, the worm copies itself as SYSRNJ.EXE into the C:\Windows\ directory and creates or modifies the following registry entry:
HKEY_CLASSES_ROOT\rnjfile
\DefaultIcon = %1
\shell\open\command = sysrnj.exe "%1" %*
Then it changes the following registry entries:
HKEY_CLASSES_ROOT
\.exe = rnjfile
\.jpg = rnjfile
\.jpeg = rnjfile
\.jpe = rnjfile
\.bmp = rnjfile
\.gif = rnjfile
\.avi = rnjfile
\.mpg = rnjfile
\.mpeg = rnjfile
\.wmf = rnjfile
\.wma = rnjfile
\.wmv = rnjfile
\.mp3 = rnjfile
\.mp2 = rnjfile
\.vqf = rnjfile
\.doc = rnjfile
\.xls = rnjfile
\.zip = rnjfile
\.rar = rnjfile
\.lha = rnjfile
\.arj = rnjfile
\.reg = rnjfile

So, every time one of these files is opened, the worm is activated. While copying itself, the worm checks which file is being opened. If it is a REGEDIT or REG file, the worm tries to stop the system. If it is an EXE file, the worm executes its payload. In any other case, it creates a \Recycled\ directory, renames the started files arbitrarily and places them in that directory. Moreover, it copies itself into \Recycled\ under the same name with an .exe extension.
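
As an added example (not part of the original description), the following Python checks a regedit text export of HKEY_CLASSES_ROOT for the file-association changes listed above: extensions whose default value is rnjfile, and an open command that runs sysrnj.exe. The function names and the sample export are constructed for illustration; a real export must be decoded to text first.

```python
import re

# Indicators taken from the description above.
WORM_PROGID, WORM_BINARY = "rnjfile", "sysrnj.exe"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DEFAULT_RE = re.compile(r'^@="(?P<val>(?:[^"\\]|\\.)*)"\s*$')

def parse_defaults(reg_text):
    """Map each key in a regedit text export to its default (@) value."""
    defaults, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = DEFAULT_RE.match(line)
        if m and key:
            # regedit escapes backslashes and quotes inside string values
            defaults[key.lower()] = re.sub(r"\\(.)", r"\1", m.group("val"))
    return defaults

def find_blebla_associations(reg_text):
    """Return (hijacked extensions, handler keys whose command runs the worm)."""
    defaults = parse_defaults(reg_text)
    root = "hkey_classes_root\\"
    exts, handlers = [], []
    for key, val in defaults.items():
        if not key.startswith(root):
            continue
        sub = key[len(root):]
        if sub.startswith(".") and "\\" not in sub and val.lower() == WORM_PROGID:
            exts.append(sub)
        elif sub.endswith("\\shell\\open\\command") and WORM_BINARY in val.lower():
            handlers.append(sub)
    return sorted(exts), sorted(handlers)

# Constructed sample export (not captured from a real host).
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="rnjfile"
[HKEY_CLASSES_ROOT\.jpg]
@="rnjfile"
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\rnjfile\shell\open\command]
@="sysrnj.exe \"%1\" %*"
'''
```

Any extension returned in the first list needs its original association restored after the worm file is removed; because .reg and .exe are among the hijacked types, the cleanup cannot rely on double-clicking a .reg file or an EXE on the affected system.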
Description written by Crony Walker on Tuesday, June 15, 2004
