FRISK Software International


Summary of W32/BleBla.B@mm
Alias:Romeo-and-Juliet, Romeo, Juliet, Verona, IWorm_Blebla, I-Worm.Blebla
Discovered: 16 Nov 2000
Infection Method:Infected e-mail and newsgroup attachments
 

Brief Description
This worm was first discovered in the wild in Poland in the middle of November 2000. It spreads via infected e-mail attachments named MyJuliet.CHM and MyRomeo.EXE.

The b variant was first found in the wild in December 2000.


Technical Description
The worm sends itself in an e-mail message whose Subject line is either randomly generated, left empty, or selected from the following list:

 Romeo&Juliet
 where is my juliet ?
 where is my romeo ?
 hi
 last wish ???
 lol :)
 ,,...'
 !!!
 newborn
 merry christmas!
 surprise !
 Caution: NEW VIRUS !
 scandal !
 ^_^
 Re:
It also posts a copy of itself to alt.comp.virus, a well-known newsgroup dedicated to the subject of computer viruses. When posted to alt.comp.virus the message looks like this:

 From: "Romeo&Juliet"
 
 Subject:[Romeo&Juliet] R.i.P.
When an infected attachment runs, BleBla.B copies itself to the \Windows\ folder under the filename SYSRNJ.EXE. After copying itself there, the worm creates the following registry keys so that this copy is activated:

 HKEY_CLASSES_ROOT\rnjfile
     \DefaultIcon        = %1
     \shell\open\command = sysrnj.exe "%1" %*
This causes the worm to execute whenever the 'rnjfile' class is referred to. W32/BleBla.B@mm then modifies the following keys so that it runs whenever a file with one of the extensions listed below is opened. These are the keys:

 HKEY_CLASSES_ROOT
      \.exe  = rnjfile
      \.jpg  = rnjfile
      \.jpeg = rnjfile
      \.jpe  = rnjfile
      \.bmp  = rnjfile
      \.gif  = rnjfile
      \.avi  = rnjfile
      \.mpg  = rnjfile
      \.mpeg = rnjfile
      \.wmf  = rnjfile
      \.wma  = rnjfile
      \.wmv  = rnjfile
      \.mp3  = rnjfile
      \.mp2  = rnjfile
      \.vqf  = rnjfile
      \.doc  = rnjfile
      \.xls  = rnjfile
      \.zip  = rnjfile
      \.rar  = rnjfile
      \.lha  = rnjfile
      \.arj  = rnjfile
      \.reg  = rnjfile
In addition, the worm keeps track of which file extension was launched before its copy was activated and handles each case differently. If the file was REGEDIT.EXE or a file with the .REG extension, the worm attempts to shut down the system. If the file is an .EXE file, the worm allows its execution to continue. If a file with any other extension on the list is launched, the worm creates a \Recycled\ folder if one is not already present, moves the file that was about to be launched into that folder under a random name with an .EXE extension, and then copies itself under that name.


Removal Instructions
  1. Delete the file called SYSRNJ.EXE and replace it with another .EXE file, by copying it under the SYSRNJ.EXE name. Do not restart your system before the file has been replaced, or you will not be able to launch many types of files, including .EXE files.
  2. Launch the registry editor, REGEDIT.EXE, to manually correct the registry keys W32/BleBla.B@mm has changed. The keys are under HKEY_CLASSES_ROOT and should look like this:

          \.exe  = "exefile"
          \.jpg  = "jpegfile"
          \.jpeg = "jpegfile"
          \.jpe  = "jpegfile"
          \.bmp  = "Paint.Picture"
          \.gif  = "giffile"
          \.avi  = "avifile"
          \.mpg  = "mpegfile"
          \.mpeg = "mpegfile"
          \.wmf  = ""
          \.wma  = "WMAFile"
          \.wmv  = "WMVFile"
          \.mp3  = "Winamp.File"
          \.mp2  = "Winamp.File"
          \.vqf  = ""
          \.doc  = "Wordpad.Document.1"
          \.xls  = ""
          \.zip  = "WinZip"
          \.rar  = "WinZip"
          \.lha  = "WinZip"
          \.arj  = "WinZip"
          \.reg  = "regfile"

    After changing these registry keys, delete the following key:
    
     HKEY_CLASSES_ROOT\rnjfile
    
    that is used by the worm for execution.

    Please note that the correct file associations may differ from this list, depending on the software installed on the system.
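The registry changes listed in the technical description and the manual repair above can be checked mechanically rather than by eye. The following Python script is an added example, not FRISK code or a tool from this write-up: it parses a REGEDIT export of HKEY_CLASSES_ROOT, flags every extension key whose default ProgID is the worm's rnjfile class (or differs from the restore list above), reports whether the rnjfile key itself is present, and builds a repair .reg fragment that restores the listed ProgIDs and deletes the worm's key. The .reg text embedded in the script is constructed sample input, and the expected ProgIDs come from the removal list, so, as noted above, they may differ on a given system and the generated repair should be reviewed before it is imported.

```python
"""Audit a REGEDIT export for the BleBla.B file-association hijack.
Added example, not FRISK code; SAMPLE_REG is constructed input."""
import re

# Default ProgIDs from the removal instructions ("" = no association on
# the reference system).  Real systems may legitimately differ.
EXPECTED = {
    ".exe": "exefile", ".jpg": "jpegfile", ".jpeg": "jpegfile",
    ".jpe": "jpegfile", ".bmp": "Paint.Picture", ".gif": "giffile",
    ".avi": "avifile", ".mpg": "mpegfile", ".mpeg": "mpegfile",
    ".wmf": "", ".wma": "WMAFile", ".wmv": "WMVFile",
    ".mp3": "Winamp.File", ".mp2": "Winamp.File", ".vqf": "",
    ".doc": "Wordpad.Document.1", ".xls": "", ".zip": "WinZip",
    ".rar": "WinZip", ".lha": "WinZip", ".arj": "WinZip", ".reg": "regfile",
}
WORM_PROGID = "rnjfile"      # ProgID the worm creates and points extensions at
ROOT = "HKEY_CLASSES_ROOT"

# Constructed export: .exe and .jpg hijacked, .doc intact, plus the worm's
# shell\open\command key.  In .reg syntax, \" is an escaped quote in a string.
SAMPLE_REG = r'''REGEDIT4
[HKEY_CLASSES_ROOT\.exe]
@="rnjfile"
[HKEY_CLASSES_ROOT\.jpg]
@="rnjfile"
[HKEY_CLASSES_ROOT\.doc]
@="Wordpad.Document.1"
[HKEY_CLASSES_ROOT\rnjfile\shell\open\command]
@="sysrnj.exe \"%1\" %*"
'''

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unquote(s):
    """Strip quotes and undo .reg backslash escapes; leave unquoted data alone."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return re.sub(r'\\(.)', r'\1', s[1:-1])
    return s

def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; '@' is a key's default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line == "REGEDIT4" \
                or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":      # key header
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unquote(m.group(1))] = _unquote(m.group(2))
    return keys

def audit_associations(keys, root=ROOT):
    """(ext, actual, expected, status) for each extension key under root whose
    default ProgID is the worm's ("hijacked") or not the expected one
    ("differs").  Extensions missing from the export are not reported."""
    findings = []
    for path, values in keys.items():
        parent, _, leaf = path.rpartition("\\")
        if parent != root or not leaf.startswith("."):
            continue
        actual, expected = values.get("@", ""), EXPECTED.get(leaf.lower())
        if actual.lower() == WORM_PROGID:
            findings.append((leaf, actual, expected, "hijacked"))
        elif expected is not None and actual != expected:
            findings.append((leaf, actual, expected, "differs"))
    return findings

def worm_progid_present(keys, root=ROOT):
    """True if the worm's ProgID key or any of its subkeys is in the export."""
    prefix = root + "\\" + WORM_PROGID
    return any(k == prefix or k.startswith(prefix + "\\") for k in keys)

def repair_reg(findings, root=ROOT):
    """REGEDIT4 text that restores EXPECTED ProgIDs for hijacked extensions and
    deletes the worm's ProgID key ('[-key]' deletes a key on import).  Review
    it first: the right ProgIDs depend on the software installed."""
    lines = ["REGEDIT4", ""]
    for ext, _actual, expected, status in findings:
        if status == "hijacked" and expected is not None:
            lines += ["[%s\\%s]" % (root, ext), '@="%s"' % expected, ""]
    lines.append("[-%s\\%s]" % (root, WORM_PROGID))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for f in audit_associations(parsed):
        print("%-6s %-9s actual=%r expected=%r" % (f[0], f[3], f[1], f[2]))
    print("worm ProgID present:", worm_progid_present(parsed))
    print(repair_reg(audit_associations(parsed)))
```

On a live system the input would be the output of `regedit /e <file> HKEY_CLASSES_ROOT` (a real REGEDIT export switch) rather than the embedded sample; the parser only handles string values, which is all the association keys use.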

 

