
Romeo, Juliet virus


jimbo4u (MIS, US), Dec 9, 1999
To all,

This is a potentially nasty one in that it will open
in the preview pane of Outlook.

Jim


NAME: BleBla
ALIAS: Romeo-and-Juliet, Romeo, Juliet, Verona,
IWorm_Blebla, I-Worm.Blebla


BleBla is a worm spreading via the Internet. It was
discovered in Poland on November 16th, 2000. The worm
appears as an email message that has HTML format and 2
attached files: MyJuliet.CHM and MyRomeo.EXE.

When an infected message is opened, the HTML part of
it is executed. That part contains a script program
that is automatically activated by Windows. The script
program loads and activates the CHM component of the
message (the MyJuliet.CHM file). The CHM component is
a Compressed HTML page and it is processed as an HTML
Help file. It contains one more script in it. This
script executes the MyRomeo.EXE file, which is the main
BleBla worm file.

To prevent scripts from executing attachments, the
special patch from Microsoft should be installed:



To get its components and save them to disk (to
activate them) the worm uses special tricks that allow
it to access message components (including attached
files) by ID. The worm describes its attached files in
the message header as having special IDs, and then
accesses them by these IDs.

So, the worm activates itself automatically when an
infected message is opened or previewed. To
activate itself the worm uses a vulnerability in
Windows scripting security: the worm's CHM component is
able to run an EXE program via a scripting object that is
listed as "safe for scripting", so no warning messages
are displayed when the worm runs its components (with
default Windows settings).

The main worm component (the MyRomeo.EXE file) is a Windows
PE executable file about 30Kb long. This file is
compressed by the UPX compression utility. When unpacked,
it appears to be a 70Kb EXE file written in Delphi;
the "pure" code in the file occupies just about 6Kb.

When it is run, it opens the Windows Address Book, reads
email addresses from it and sends its HTML message
with the attached CHM and EXE files to them. To send
infected messages the worm connects to one of six SMTP
servers located in Poland. The message has a Subject
that is randomly selected from this list:


Romeo&Juliet
:))))))
hello world
!!??!?!?
subject
ble bla, bee
I Love You ;)
sorry...
Hey you !
Matrix has you...
my picture
from shake-beer

The worm has a bug and doesn't work correctly under
some Windows98/NT English editions. The worm is also
able to spread only if Windows is installed in the
C:\WINDOWS directory (which is hardcoded in the worm code).


[Analysis: Eugene Kaspersky, KL; November 2000]
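A mail-gateway check for the delivery pattern described in the analysis above, as an added example that is not part of the original post or of the quoted analysis: it parses a raw message with Python's standard email library and flags the two attachment names, the subject list, and an HTML part that reaches a CHM attachment by Content-ID. The sample message is constructed here with empty attachment bodies; the "suspicious" tier generalises the check to the same mechanism under other file names.

```python
from email import message_from_bytes, policy

# Subject lines and attachment names reported in the analysis above.
BLEBLA_SUBJECTS = {"Romeo&Juliet", ":))))))", "hello world", "!!??!?!?",
                   "subject", "ble bla, bee", "I Love You ;)", "sorry...",
                   "Hey you !", "Matrix has you...", "my picture", "from shake-beer"}
BLEBLA_ATTACHMENTS = {"myjuliet.chm", "myromeo.exe"}

def scan_for_blebla(raw_message: bytes) -> dict:
    # Parse one raw RFC 822 message and report the BleBla indicators seen.
    msg = message_from_bytes(raw_message, policy=policy.default)
    found = {"attachments": [], "html_part": False, "cid_reference": False, "chm_attachment": False,
             "subject_match": str(msg["Subject"] or "").strip() in BLEBLA_SUBJECTS}
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        found["chm_attachment"] |= name.endswith(".chm")
        if name in BLEBLA_ATTACHMENTS:
            found["attachments"].append(name)
        if part.get_content_type() == "text/html":
            found["html_part"] = True
            # The worm's HTML script reaches its attachments by Content-ID.
            found["cid_reference"] |= "cid:" in part.get_content().lower()
    if len(found["attachments"]) == 2:
        found["verdict"] = "blebla"      # both worm file names present
    elif found["html_part"] and found["cid_reference"] and found["chm_attachment"]:
        found["verdict"] = "suspicious"  # same delivery mechanism, renamed files
    else:
        found["verdict"] = "clean"
    return found

# Constructed sample (empty attachment bodies) laid out as the analysis describes.
SAMPLE_MESSAGE = b"""\
Subject: Matrix has you...
Content-Type: multipart/related; boundary="XYZ"

--XYZ
Content-Type: text/html

<html><body><img src="cid:juliet"></body></html>
--XYZ
Content-Type: application/octet-stream
Content-ID: <juliet>
Content-Disposition: attachment; filename="MyJuliet.CHM"

--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="MyRomeo.EXE"

--XYZ--
"""
```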