W32/Blebla.A
Analysis
- The virus combines two exploits, an Iframe exploit
and a cache-bypass exploit, in order to execute
without user intervention.
- The virus consists of two files, ROMEO.EXE and JULIET.CHM.
Both are encoded within an HTML-format email message,
which is created by the virus.
- ROMEO.EXE is 32-bit, with a size of 29,184 bytes,
and is UPX-compressed.
JULIET.CHM is a compiled HTML file, with a size of 6,406 bytes.
- Due to the nature of the HTML coding, when an infectious
email is received and the user either previews or
opens it in Outlook, the two files will be saved to
the Windows\Temp folder and then executed directly.
- The virus will read contact names from the Windows address book and send emails in HTML format with the two files attached.
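
A mail-gateway style check built from the indicators above, as an added example that is not part of the original analysis: it parses a raw message and reports whether it is an HTML message containing an iframe and both named files, and whether the decoded sizes match. The function names, verdict labels and the sample message (zero-filled attachments, a blank iframe) are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators from the analysis above: attachment names and decoded sizes in bytes.
KNOWN_PARTS = {"romeo.exe": 29184, "juliet.chm": 6406}


def score_message(raw: bytes) -> dict:
    """Report which W32/Blebla.A traits a raw RFC 5322 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    size_ok = {}          # matched filename -> decoded size equals the analysis
    html_iframe = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        # get_filename() also falls back to the Content-Type "name" parameter.
        name = (part.get_filename() or "").lower()
        if name in KNOWN_PARTS:
            size_ok[name] = len(data) == KNOWN_PARTS[name]
        elif part.get_content_type() == "text/html":
            html_iframe = html_iframe or b"<iframe" in data.lower()
    both = set(size_ok) == set(KNOWN_PARTS)
    if both and html_iframe:
        # Names alone can be reused; matching sizes tighten the verdict.
        verdict = "exact" if all(size_ok.values()) else "likely"
    else:
        verdict = "no-match"
    return {"both_files": both, "html_iframe": html_iframe, "verdict": verdict}


def build_sample(exe_size=29184, chm_size=6406, with_files=True) -> bytes:
    """Constructed sample: zero-filled attachments and a blank iframe, no real code."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain text part")
    m.add_alternative('<html><body><iframe src="about:blank"></iframe></body></html>',
                      subtype="html")
    if with_files:
        for fname, size in (("ROMEO.EXE", exe_size), ("JULIET.CHM", chm_size)):
            m.add_attachment(bytes(size), maintype="application",
                             subtype="octet-stream", filename=fname)
    return m.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample()))
```

A "likely" verdict (names present, sizes different) is still worth quarantining, since the size check only distinguishes this exact sample from repacked or renamed copies.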