ALIAS: Romeo-and-Juliet, Romeo, Juliet, Verona, IWorm_Blebla, I-Worm.Blebla
BleBla is a worm spreading via the Internet. It was discovered in Poland on November 16th, 2000. The worm arrives as an email message in HTML format with two attached files: MyJuliet.CHM and MyRomeo.EXE.
When an infected message is opened, its HTML part is rendered. That part contains a script that Windows runs automatically. The script loads and activates the CHM component of the message (the MyJuliet.CHM file). The CHM component is a compressed HTML page processed as an HTML Help file, and it contains one more script. That script executes the MyRomeo.EXE file, which is the main BleBla worm file.
To prevent scripts from running attachments, the corresponding Microsoft patches should be installed:
To extract its components and save them to disk (in order to run them), the worm uses a trick that allows message components (including attached files) to be accessed by ID: it describes its attached files in the message header as having specific IDs, and then references them by those IDs.
So the worm activates automatically when an infected message is opened or previewed. To do so it exploits a weakness in Windows scripting security: the worm's CHM component is able to run an EXE program through a scripting object that is marked "safe for scripting", so no warning messages are displayed when the worm runs its components (with default Windows settings).
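As an added example (not part of the original description, and not F-Secure's or Kaspersky's code), the following Python script shows how a mail gateway can recognise the delivery pattern just described: it parses a message, collects attachments with executable or CHM extensions, and checks whether the HTML part references them by Content-ID. The SAMPLE_MESSAGE, its addresses, the RISKY_EXTENSIONS set and the verdict names are constructed assumptions; only the two attachment names come from the description.

```python
"""Mail-gateway triage for the BleBla delivery pattern: an HTML body that
references attached files by Content-ID (cid:), where those attachments are
executable or HTML Help (CHM) files.  Added example, not F-Secure code."""
import email
import os
import re
from email import policy

# Attachment types that a script in the HTML part can turn into code execution (assumed list).
RISKY_EXTENSIONS = {".exe", ".chm", ".com", ".scr", ".pif", ".bat", ".vbs", ".js"}
# Magic bytes used to confirm the declared extension: ITSF = CHM container, MZ = PE/EXE.
MAGIC = {".chm": b"ITSF", ".exe": b"MZ"}
CID_RE = re.compile(r"cid:([^\s\"'>)]+)", re.IGNORECASE)

# Constructed sample mirroring the worm's message layout; attachment bodies are
# only the file-format magic bytes, not real payloads.
SAMPLE_MESSAGE = b"""\
From: "Romeo&Juliet" <sender@example.invalid>
To: victim@example.invalid
Subject: Romeo&Juliet
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body><object data="cid:juliet.chm"></object></body></html>
--BOUNDARY
Content-Type: application/octet-stream; name="MyJuliet.CHM"
Content-Transfer-Encoding: base64
Content-ID: <juliet.chm>
Content-Disposition: inline; filename="MyJuliet.CHM"

SVRTRg==
--BOUNDARY
Content-Type: application/octet-stream; name="MyRomeo.EXE"
Content-Transfer-Encoding: base64
Content-ID: <romeo.exe>
Content-Disposition: inline; filename="MyRomeo.EXE"

TVo=
--BOUNDARY--
"""


def triage_message(raw: bytes) -> dict:
    """Return one finding per risky attachment plus an overall verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html, attachments = "", []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no content of their own
        if part.get_content_type() == "text/html":
            html += part.get_content()
        elif part.get_filename():
            attachments.append(part)
    # Content-IDs the HTML body actually points at (angle brackets are optional in cid: URLs).
    referenced = {c.strip("<>").lower() for c in CID_RE.findall(html)}
    findings = []
    for part in attachments:
        name = part.get_filename()
        ext = os.path.splitext(name)[1].lower()
        if ext not in RISKY_EXTENSIONS:
            continue
        cid = str(part.get("Content-ID", "")).strip("<> ").lower()
        data = part.get_content()  # decoded bytes for non-text parts
        findings.append({
            "filename": name,
            "content_id": cid,
            "referenced_by_html": bool(cid) and cid in referenced,
            "magic_matches": data.startswith(MAGIC[ext]) if ext in MAGIC else None,
        })
    if any(f["referenced_by_html"] for f in findings):
        verdict = "block"        # HTML body wires a script-reachable risky attachment
    elif findings:
        verdict = "quarantine"   # risky attachment present but not referenced by the body
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings, "subject": str(msg["Subject"] or "")}


if __name__ == "__main__":
    result = triage_message(SAMPLE_MESSAGE)
    print(result["verdict"])
    for f in result["findings"]:
        print(f)
```

The check deliberately keys on the combination the description highlights (HTML body plus attachments addressed by Content-ID) rather than on the file names, so a renamed variant with the same structure is still caught; the magic-byte comparison catches a CHM or EXE hiding behind a different extension only if that extension is also in the risky set, which is why the set is kept explicit.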
The main worm component (the MyRomeo.EXE file) is a Windows PE executable about 30Kb long, compressed with the UPX utility. Unpacked, it is a 70Kb EXE file written in Delphi; the "pure" worm code occupies just about 6Kb.
When run, it opens the Windows Address Book, reads email addresses from there and sends its HTML message with the attached CHM and EXE files to those addresses. To send infected messages the worm connects to one of six SMTP servers located in Poland. The message Subject is randomly selected from the list:
Romeo&Juliet
:))))))
hello world
!!??!?!?
subject
ble bla, bee
I Love You ;)
sorry...
Hey you !
Matrix has you...
my picture
from shake-beer
The worm has a bug and doesn't work correctly under some English editions of Windows 98/NT. It is also only able to spread if Windows is installed in the C:\WINDOWS directory (that path is hardcoded in the worm).
BleBla.b is a remake of the original worm. When run it copies itself to the \Windows\ folder as SYSRNJ.EXE and creates and modifies many Registry keys to activate this copy:
HKEY_CLASSES_ROOT\rnjfile
  \DefaultIcon = %1
  \shell\open\command = sysrnj.exe "%1" %*
The above key causes the worm copy to run whenever "rnjfile" is referred to. Then the worm modifies the following keys:
HKEY_CLASSES_ROOT
  \.exe = rnjfile
  \.jpg = rnjfile
  \.jpeg = rnjfile
  \.jpe = rnjfile
  \.bmp = rnjfile
  \.gif = rnjfile
  \.avi = rnjfile
  \.mpg = rnjfile
  \.mpeg = rnjfile
  \.wmf = rnjfile
  \.wma = rnjfile
  \.wmv = rnjfile
  \.mp3 = rnjfile
  \.mp2 = rnjfile
  \.vqf = rnjfile
  \.doc = rnjfile
  \.xls = rnjfile
  \.zip = rnjfile
  \.rar = rnjfile
  \.lha = rnjfile
  \.arj = rnjfile
  \.reg = rnjfile
The above keys cause the worm's copy to start when a file of any of the listed types is opened. The worm also checks which file was launched before its copy was activated. If it was REGEDIT (the Registry Editor) or a REG file, it tries to halt the system. If it was an EXE file, execution continues. In all other cases the worm creates a \Recycled\ folder (if not yet present), moves the file to be launched into that folder under a random name (checking for duplicate files before that operation) and copies itself under the original file's name with an .EXE extension appended.
The worm also posts itself to the alt.comp.virus newsgroup with messages:
From: "Romeo&Juliet" <email@example.com>
Subject: [Romeo&Juliet] R.i.P.
When sending copies to personal addresses the worm uses an empty Subject, a randomly generated Subject, or one from the list below:
Romeo&Juliet
where is my juliet ?
where is my romeo ?
hi
last wish ???
lol :)
,,...'
!!!
newborn
merry christmas!
surprise !
Caution: NEW VIRUS !
scandal !
^_^
Re:
Depending on some conditions the worm also creates directories with random names in the \Recycled\ folder and then creates files with random names there.
Manual disinfection of the BleBla.b variant requires the following steps:
First, make sure that the worm's file SYSRNJ.EXE is deleted (from DOS) and replaced with any other EXE program, for example REGEDIT.EXE (copy REGEDIT.EXE as SYSRNJ.EXE into the \Windows\ folder). Don't restart your system before the SYSRNJ file contents are replaced with REGEDIT's, or you will not be able to open many files, including EXE ones.
Then open the Registry Editor (REGEDIT.EXE) and manually correct the following entries (default values are given): replace "rnjfile" in each Default value with the value given below. If the Registry Editor does not start, open a DOS session, copy REGEDIT.EXE as REGEDIT.COM and start the COM file to open the Registry Editor.
Note that the correct values depend on the software installed on a particular system; for example, if the ACDSee picture viewer is installed, it associates images with itself (\.jpg = "ACDC_JPEG"). So it is impossible to restore the associations to their previous values on a particular system in general, and the defaults have to be used.
HKEY_CLASSES_ROOT
  \.exe = "exefile"
  \.jpg = "jpegfile"
  \.jpeg = "jpegfile"
  \.jpe = "jpegfile"
  \.bmp = "Paint.Picture"
  \.gif = "giffile"
  \.avi = "avifile"
  \.mpg = "mpegfile"
  \.mpeg = "mpegfile"
  \.wmf = ""
  \.wma = "WMAFile"
  \.wmv = "WMVFile"
  \.mp3 = "Winamp.File"
  \.mp2 = "Winamp.File"
  \.vqf = ""
  \.doc = "Wordpad.Document.1"
  \.xls = ""
  \.zip = "WinZip"
  \.rar = "WinZip"
  \.lha = "WinZip"
  \.arj = "WinZip"
  \.reg = "regfile"
Then delete the following key used by the worm:
The XLS association is not restored (left empty) because it depends on the specific MS Office version installed. The MP2 and MP3 associations are restored assuming that the Winamp MP3 player is present on the system. The ZIP, RAR, LHA and ARJ associations are restored assuming that WinZip is installed. WMF and VQF are left empty.
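As an added illustration of both the association hijack keys above and the manual disinfection steps (not part of the original description, and not F-Secure's or Kaspersky's code), this Python script parses a .reg export of HKEY_CLASSES_ROOT, reports every extension whose default value points at the worm's rnjfile ProgID, checks whether the rnjfile open command names sysrnj.exe, and generates a repair .reg file from the default associations listed in the text. The SAMPLE_EXPORT text is constructed, the parser handles only the string values this check needs, and the script runs on any platform, so it can be used against an export copied off the affected machine before the registry is edited by hand.

```python
"""Offline check of a registry export (.reg text) for the BleBla.b association
hijack, plus generation of a repair file from the defaults in the description.
Added example; the SAMPLE_EXPORT is constructed, not from a real machine."""
import re

HIJACK_PROGID = "rnjfile"      # ProgID the worm registers
WORM_FILENAME = "sysrnj.exe"   # worm copy named in the open command

# Default associations given in the description (empty string = leave empty).
RESTORE_DEFAULTS = {
    ".exe": "exefile", ".jpg": "jpegfile", ".jpeg": "jpegfile", ".jpe": "jpegfile",
    ".bmp": "Paint.Picture", ".gif": "giffile", ".avi": "avifile", ".mpg": "mpegfile",
    ".mpeg": "mpegfile", ".wmf": "", ".wma": "WMAFile", ".wmv": "WMVFile",
    ".mp3": "Winamp.File", ".mp2": "Winamp.File", ".vqf": "", ".doc": "Wordpad.Document.1",
    ".xls": "", ".zip": "WinZip", ".rar": "WinZip", ".lha": "WinZip", ".arj": "WinZip",
    ".reg": "regfile",
}

# Constructed export of an infected hive: two hijacked extensions, one untouched one.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="rnjfile"

[HKEY_CLASSES_ROOT\.jpg]
@="rnjfile"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\rnjfile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\rnjfile\shell\open\command]
@="sysrnj.exe \"%1\" %*"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s: str) -> str:
    """Strip the quotes of a .reg string value and undo its backslash escapes."""
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        return re.sub(r"\\(.)", r"\1", s[1:-1])
    return s


def parse_reg(text: str) -> dict:
    """Parse the string-value subset of .reg syntax into {key: {value_name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


def find_hijack(keys: dict) -> dict:
    """List extensions whose default value is the worm ProgID and inspect its open command."""
    hijacked = sorted(
        k.rsplit("\\", 1)[1] for k, vals in keys.items()
        if k.startswith("HKEY_CLASSES_ROOT\\.") and vals.get("@", "").lower() == HIJACK_PROGID
    )
    command = keys.get("HKEY_CLASSES_ROOT\\rnjfile\\shell\\open\\command", {}).get("@", "")
    return {"hijacked": hijacked, "command": command,
            "worm_handler": WORM_FILENAME in command.lower()}


def build_repair_reg(hijacked: list) -> tuple:
    """Emit a .reg file restoring the listed defaults; extensions the text gives no default
    for are returned separately rather than guessed."""
    lines, unknown = ["Windows Registry Editor Version 5.00", ""], []
    for ext in hijacked:
        if ext not in RESTORE_DEFAULTS:
            unknown.append(ext)
            continue
        lines += [f"[HKEY_CLASSES_ROOT\\{ext}]", f'@="{RESTORE_DEFAULTS[ext]}"', ""]
    lines.append("[-HKEY_CLASSES_ROOT\\rnjfile]")  # leading '-' deletes the worm's ProgID key on import
    return "\n".join(lines) + "\n", unknown


if __name__ == "__main__":
    report = find_hijack(parse_reg(SAMPLE_EXPORT))
    print(report)
    repair, unknown = build_repair_reg(report["hijacked"])
    print(repair)
    print("no default known for:", unknown)
```

Importing the generated file only makes sense after SYSRNJ.EXE has been replaced as the first step describes, since until then the rnjfile handler is what launches every EXE, REGEDIT included; the script itself never touches the live registry.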
[Analysis: Kaspersky Labs; F-Secure Corporation; November-December 2000]