W32/Blebla.B

Analysis

  • The virus is a combination exploit: it uses both an IFRAME exploit and a cache-bypass exploit so that it executes without user intervention.
  • The virus consists of two files, XROMEO.EXE and XJULIET.CHM; both are encoded within an HTML-format email message that the virus creates.
  • XROMEO.EXE is a 32-bit executable with a size of 34,304 bytes and is UPX compressed.
    XJULIET.CHM is a compiled HTML file with a size of 6,360 bytes.
  • Due to the nature of the HTML coding, when an infectious email is received and the user either previews or opens it in Outlook, the two files are saved to the Windows\Temp folder and then executed directly.
  • The virus reads contact names from the Windows address book and sends emails in HTML format with the two files attached.
  • The virus writes itself to the Windows folder as "Sysrnj.exe", then modifies the registry so that the virus runs whenever a file with one of the extensions listed below is opened or executed:

    HKEY_CLASSES_ROOT\rnjfile\shell\open\command\
    DEFAULT=sysrnj.exe "%1" %*

    HKEY_CLASSES_ROOT\rnjfile\
    DefaultIcon=%1

    Each of the following extension keys has its default handler redirected to rnjfile:

    HKEY_CLASSES_ROOT\.exe     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.jpg     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.jpeg    DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.jpe     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.bmp     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.gif     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.avi     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.mpg     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.mpeg    DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.wmf     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.wma     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.wmv     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.mp3     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.mp2     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.vqf     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.doc     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.xls     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.zip     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.rar     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.lha     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.arj     DEFAULT=rnjfile
    HKEY_CLASSES_ROOT\.reg     DEFAULT=rnjfile

  • The virus attempts to post itself as a message to the newsgroup alt.comp.virus with the following header properties:

    From: "Romeo&Juliet" <romeo@juliet.v>
    Newsgroups: alt.comp.virus
    Subject:[Romeo&Juliet] R.i.P
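The registry changes described above are the durable artifact of this infection: a new ProgID (rnjfile) whose open command runs sysrnj.exe, and a set of extension keys redirected to it. The following script is an added example written for this page, not tooling from the analysis vendor. It parses a Windows registry export (.reg text) and reports which ProgIDs invoke a given handler and which extensions have been redirected to those ProgIDs. The embedded export is a constructed sample that mirrors the keys listed in the analysis, padded with one benign entry so the check has something to ignore; the function names and the general approach are my own.

```python
import re
from typing import Dict, List

# Constructed sample of a .reg export (not captured from a real host). It
# reproduces the shape of the keys described in the W32/Blebla.B analysis
# plus one benign .txt association so the detector has a negative case.
REG_EXPORT_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\rnjfile\shell\open\command]
@="sysrnj.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\rnjfile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\.exe]
@="rnjfile"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\.jpg]
@="rnjfile"
'''

# Indicator taken from the analysis: the file the virus drops into the
# Windows folder and wires into the open command.
MALICIOUS_HANDLER = "sysrnj.exe"

HKCR = "hkey_classes_root\\"
OPEN_CMD_SUFFIX = "\\shell\\open\\command"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DEFAULT_RE = re.compile(r'^@="(.*)"$')


def parse_reg_defaults(text: str) -> Dict[str, str]:
    """Return {key_path: default_value} for every key in a .reg export whose
    (Default) value is a string. Key paths are lower-cased for matching."""
    defaults: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = _DEFAULT_RE.match(line)
        if m and current is not None:
            # .reg string values escape backslash and double quote with a backslash.
            defaults[current] = re.sub(r"\\(.)", r"\1", m.group(1))
    return defaults


def find_hijacked_extensions(text: str, handler: str = MALICIOUS_HANDLER) -> Dict[str, List[str]]:
    """Find ProgIDs whose open command runs `handler`, and every file
    extension whose default association points at one of those ProgIDs."""
    defaults = parse_reg_defaults(text)
    bad_progids = set()
    for key, value in defaults.items():
        if key.startswith(HKCR) and key.endswith(OPEN_CMD_SUFFIX) \
                and handler.lower() in value.lower():
            bad_progids.add(key[len(HKCR):-len(OPEN_CMD_SUFFIX)])
    hijacked = sorted(
        key[len(HKCR):]
        for key, progid in defaults.items()
        if key.startswith(HKCR + ".") and progid.lower() in bad_progids
    )
    return {"handler_progids": sorted(bad_progids), "hijacked_extensions": hijacked}


if __name__ == "__main__":
    report = find_hijacked_extensions(REG_EXPORT_SAMPLE)
    print("ProgIDs running", MALICIOUS_HANDLER, ":", report["handler_progids"])
    print("Extensions redirected to them:", report["hijacked_extensions"])
```

On a live system the same logic applies to an export produced with `reg export HKCR hkcr.reg`; the script only needs the text. Because the virus redirects .exe itself, remediation should restore that association before deleting Sysrnj.exe, otherwise ordinary executables will fail to launch.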

Telemetry