I-Worm.Blebla.b [KAV], W32/BleBla.b@MM [McAfee], WORM_BLEBLA.B [Trend], W32/Verona-B [Sophos], Win32.Verona.B [CA]
Sent by email, spreads on servers.
The email sent by the worm looks like one of the following:
where is my juliet ?
where is my romeo ?
last wish ???
Caution: NEW VIRUS !
I-Worm.BleBla.B uses its own SMTP engine. It tries to spread through various mail servers, using a list of IP addresses built into the worm. When connected, the worm tries to send an email through these servers.
When activated, the worm copies itself as SYSRNJ.EXE into the C:\Windows\ directory and creates or modifies the following registry entries:
HKEY_CLASSES_ROOT\rnjfile\DefaultIcon = %1
HKEY_CLASSES_ROOT\rnjfile\shell\open\command = sysrnj.exe "%1" %*
Then it changes the following registry entries:
\.exe = rnjfile
\.jpg = rnjfile
\.jpeg = rnjfile
\.jpe = rnjfile
\.bmp = rnjfile
\.gif = rnjfile
\.avi = rnjfile
\.mpg = rnjfile
\.mpeg = rnjfile
\.wmf = rnjfile
\.wma = rnjfile
\.wmv = rnjfile
\.mp3 = rnjfile
\.mp2 = rnjfile
\.vqf = rnjfile
\.doc = rnjfile
\.xls = rnjfile
\.zip = rnjfile
\.rar = rnjfile
\.lha = rnjfile
\.arj = rnjfile
\.reg = rnjfile
So, every time one of these files is opened, the worm is activated. While copying itself, the worm checks which file was opened. If it is a REGEDIT or REG file, the worm tries to stop the system. If it is an EXE file, the worm executes its payload. In any other case, it creates a \Recycled\ directory, renames the opened files arbitrarily and places them in that directory. Moreover, it copies itself into \Recycled\ under the original file name with an .exe extension.
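The association hijack described above (extension keys redirected to a class whose open command launches the worm with the original file as "%1") is easy to audit from a registry export. The following Python script is an added example, not part of the original description: it parses a constructed .reg export that mirrors the rnjfile entries and flags every extension whose handler class launches a program outside an allowlist. The sample export, the allowlist and the function names are assumptions.

```python
import re

# Constructed sample of a .reg export (not a real capture) mirroring the
# associations described above: .exe points at the "rnjfile" class, whose
# open command runs sysrnj.exe with the original file as its first argument.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\rnjfile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\rnjfile\shell\open\command]
@="sysrnj.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="rnjfile"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

def parse_reg(text):
    """Map each key path to its default value (@) for keys that set one."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # Undo the escaping regedit applies to quotes and backslashes.
            values[key] = line[3:-1].replace('\\"', '"').replace('\\\\', '\\')
    return values

def find_hijacked_extensions(reg_text, trusted=frozenset({'notepad.exe'})):
    """Return (extension, class, program) for handlers outside the allowlist."""
    values = parse_reg(reg_text)
    findings = []
    for key, cls in values.items():
        m = re.fullmatch(r'HKEY_CLASSES_ROOT\\(\.\w+)', key)
        cmd = values.get('HKEY_CLASSES_ROOT\\%s\\shell\\open\\command' % cls, '')
        if not m or not cmd:
            continue  # not an extension key, or its class launches nothing
        # The program is the first token; it is quoted when its path has spaces.
        program = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(' ')[0]
        name = program.replace('/', '\\').rsplit('\\', 1)[-1].lower()
        if name not in trusted:
            findings.append((m.group(1), cls, name))
    return findings
```

On a real system the export would come from regedit or `reg export HKCR`, and the allowlist would hold the handler programs expected for each extension.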
Description written by Crony Walker. Created: Tuesday, June 15, 2004.