Blitzdung is written in Java and compiled into a Win32 executable with a converter tool. The Java class data inside the worm's main executable is around 11 kilobytes. In addition to the main executable, Blitzdung depends on several Java and Windows library files.
Email spreading
Blitzdung sends email using the JavaMail framework; the Setup32.zip attachment carries the mail.jar and activation.jar libraries that JavaMail needs.
Email addresses are collected from the ypager.log file of Yahoo! Messenger.
The email has the subject line "tm net support recomended by [USER]" (misspelling as in the worm), where [USER] is an address read from ypager.log.
Email body:
you have been recomended by your friend [USER]@yahoo.com
to recieve or free network software which is developed by
tmnet malaysia due to our sloly connection which is because
we are upgrading our network to speed up your conection in
LAN/WAN by 30% to do so kindly download the zip file and
run the online installer to install the software for more
info visite our web www.tm.net.my
NOTE you need to download and install microsoft VM befor
running the application. you download it from the windows
update section on www.microsoft.com or from this given link
http://www.hongkongjockeyclub.com/english/betting/MVMdownload.htm
Infected attachment:
'Setup32.zip'
mIRC Spreading
Blitzdung copies the mIRC script file script.ini into the Windows root directory. The script is triggered every time a new user joins a channel that the infected host is in.
The script sends the following message to the user who has just joined:
[USER]please accept the file patch.zip it has a patch that is
used to kill the new mirc virus named BLITZKRIEG.A so please accept
it and and install it please take note that this file will be sent
to you only if you have the virus in your pc for more information
go to www.mirc.com
The script then shows the following message to the user of the infected computer:
please send the file that is being sent now to the user [USER] coz this
is a patch that is used to kill a new mirc virus and this file will be send
to every user who has the virus named BLITZKRIEG.A for more information
about the virus go to www.mirc.com please save the mirc from shutting down
After these messages the script attempts to DCC send the worm, as the file 'patch.zip', to the user who has just joined.
System infection
Blitzdung tries to copy files to the Windows root directory. On most systems it manages to copy the following files:
aws32.exe (worm main file)
script.ini
jreg.dll
On some systems the worm may also copy the following files:
setup32.zip
dat.set
sin.exe (Elkern.C)
mail.jar
activation.jar
aws32.bat
The worm also tries to download the following file from a GeoCities web site:
no.exe
The worm also makes these programs run at startup by setting the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\je32 sin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hi32 aws32.bat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weq no.exe
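As an added example, not part of the original description, the following Python checks an email and a host snapshot against the indicators given in the email section (subject template and Setup32.zip attachment) and in this section (dropped files and Run values). The sample subject, Run values and directory listing are constructed here, not captured data. Treating script.ini and the two JavaMail jars as weak indicators that only count alongside another hit is this example's own choice, since those files also occur on clean machines; the description does not make that distinction.

```python
"""Offline indicator check for the Blitzdung worm, built from the
indicators in the description: email subject/attachment, files dropped into
the Windows root directory, and the Run values the worm sets."""
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# The misspelling "recomended" is part of the worm's own subject line and is
# matched literally; the group captures the [USER] address.
SUBJECT_RE = re.compile(r"^tm net support recomended by (\S+)$", re.IGNORECASE)
ATTACHMENT_NAME = "setup32.zip"

# Run values the worm sets under HKLM\...\CurrentVersion\Run (name -> data).
RUN_VALUES: Dict[str, str] = {"je32": "sin.exe", "hi32": "aws32.bat", "weq": "no.exe"}

# Files the worm drops into the Windows root directory (compared case-insensitively,
# as Windows file names are).
DROPPED_FILES = {"aws32.exe", "script.ini", "jreg.dll", "setup32.zip", "dat.set",
                 "sin.exe", "mail.jar", "activation.jar", "aws32.bat", "no.exe"}
# Assumption of this example: these three also have legitimate uses, so they are
# only reported when a Run value or another dropped file is present too.
WEAK_FILES = {"script.ini", "mail.jar", "activation.jar"}


def email_indicators(subject: str, attachments: Iterable[str]) -> List[str]:
    """Return the Blitzdung indicators found in one email."""
    hits: List[str] = []
    m = SUBJECT_RE.match(subject.strip())
    if m:
        hits.append(f"subject matches worm template (claimed sender: {m.group(1)})")
    hits.extend(f"attachment {n}" for n in attachments if n.lower() == ATTACHMENT_NAME)
    return hits


def host_indicators(run_values: Dict[str, str], windir_files: Iterable[str]) -> List[str]:
    """Return indicators from a Run-key snapshot and a Windows-root listing."""
    run_hits: List[str] = []
    for name, data in run_values.items():
        expected = RUN_VALUES.get(name.lower())
        # The worm writes a bare file name, but compare on the basename anyway so a
        # quoted or full path to the same executable is still caught.
        if expected and PureWindowsPath(data.strip().strip('"')).name.lower() == expected:
            run_hits.append(f"Run\\{name} = {data}")
    present = {f.lower() for f in windir_files}
    strong = sorted((present & DROPPED_FILES) - WEAK_FILES)
    weak = sorted(present & WEAK_FILES)
    hits = run_hits + [f"file {f}" for f in strong]
    if hits:  # weak files are only meaningful next to a stronger indicator
        hits.extend(f"file {f} (weak on its own)" for f in weak)
    return hits


def read_run_key() -> Dict[str, str]:
    """Read the live HKLM Run key on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # raised when there are no more values
                break
            values[name] = str(data)
            i += 1
    return values


# Constructed sample input (not real captured data): an infected host's Run
# values and a few files from its Windows directory, plus one worm email.
SAMPLE_RUN = {"je32": "sin.exe", "hi32": "aws32.bat", "SystemTray": "SysTray.Exe"}
SAMPLE_WINDIR = ["win.ini", "aws32.exe", "script.ini", "jreg.dll", "mail.jar"]
SAMPLE_SUBJECT = "tm net support recomended by victim@yahoo.com"
SAMPLE_ATTACHMENTS = ["Setup32.zip"]

if __name__ == "__main__":
    for hit in email_indicators(SAMPLE_SUBJECT, SAMPLE_ATTACHMENTS) + host_indicators(SAMPLE_RUN, SAMPLE_WINDIR):
        print(hit)
```

On a live Windows host, pass `read_run_key()` and `os.listdir(os.environ["WINDIR"])` to `host_indicators` instead of the constructed samples. Because the Run data is compared by basename only, a legitimate value that happens to be named je32 and points at an unrelated program is not reported.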
Payload
If the day of the month is the 24th, the worm tries to overwrite the following files:
shell32.dll
advapi32.dll
advpack.dll
afvxd.vxd
amstream.dll
appwiz.dll
asfsipc.all
asycfilt.dll
avifil32.dll
avifil.dll
awcodc32.dll
atl.dll
bindfile.dll
bios.vxd
cabinet.dll
cool.dll
cryptext.dll
cryptnet.dll
desk.cpl
desktop.ini
dmstyle.dll
dmloader.dll
dmsynth.dll
WMSDrmStor.dll
ENABLE3.dll
ES.DLL
EXPSRV.DLL
ExSec32.dll
ICM32.dll
icmp.dll
KERNEL32.dll
KEYBOARD.drv