Blitzdung is a mass-mailing worm that tries to send itself to all users found in the Yahoo! Messenger log file and attempts to send itself on any IRC channel that the user visits. In addition to spreading, the worm copies itself to the Windows root directory, tries to drop the Elkern.C virus and the Y3KRat backdoor, and on a certain date tries to overwrite Windows system files.
Blitzdung is considered a low threat because it relies on the presence of Yahoo! Messenger and an older version of the WinZip utility, so the worm cannot spread from most systems.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Blitzdung is written in Java and compiled into a Win32 executable with a converter tool. The Java class data in the worm's main executable is around 11 kilobytes. In addition to the main executable, Blitzdung depends on several Java and Windows library files.
Blitzdung sends email using the JavaMail framework; setup32.zip contains the mail.jar and activation.jar files needed for JavaMail.
Email addresses are collected from the ypager.log file of Yahoo! Messenger.
The email has the subject line "tm net support recomended by [USER]", where [USER] is an address read from ypager.log.
Email body:
you have been recomended by your friend [USER]@yahoo.com to recieve or free network software which is developed by tmnet malaysia due to our sloly connection which is because we are upgrading our network to speed up your conection in LAN/WAN by 30% to do so kindly download the zip file and run the online installer to install the software for more info visite our web www.tm.net.my NOTE you need to download and install microsoft VM befor running the application. you download it from the windows update section on www.microsoft.com or from this given link http://www.hongkongjockeyclub.com/english/betting/MVMdownload.htm
Infected attachment:
'Setup32.zip'
Blitzdung copies the mIRC script file script.ini into the Windows root directory. The script runs whenever a new user joins a channel that the infected host has joined.
The script sends the following message to the newly joined user:
[USER]please accept the file patch.zip it has a patch that is used to kill the new mirc virus named BLITZKRIEG.A so please accept it and and install it please take note that this file will be sent to you only if you have the virus in your pc for more information go to www.mirc.com
Then the script sends the following message to the user on the infected computer:
please send the file that is being sent now to the user [USER] coz this is a patch that is used to kill a new mirc virus and this file will be send to every user who has the virus named BLITZKRIEG.A for more information about the virus go to www.mirc.com please save the mirc from shutting down
After these messages the script tries to DCC send the worm, in the file 'patch.zip', to the newly joined user.
Blitzdung tries to copy files to the Windows root directory. On most systems it manages to copy the following files:
aws32.exe (worm main file, renamed from install.exe)
script.ini (renamed from sr.dat)
jreg.dll
On some systems the worm may also copy the following files:
setup32.zip
dat.set
sin.exe (Elkern.C, renamed from su32.dll)
mail.jar
activation.jar
aws32.bat
The worm also tries to download the following file from the GeoCities web site:
no.exe, which contains the Y3KRat backdoor
The worm also makes the following programs run at startup by setting these registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\je32 = sin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hi32 = aws32.bat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weq = no.exe
If the day of the month is 24, the worm tries to overwrite the following files:
shell32.dll
advapi32.dll
advpack.dll
afvxd.vxd
amstream.dll
appwiz.dll
asfsipc.all
asycfilt.dll
avifil32.dll
avifil.dll
awcodc32.dll
atl.dll
bindfile.dll
bios.vxd
cabinet.dll
cool.dll
cryptext.dll
cryptnet.dll
desk.cpl
desktop.ini
dmstyle.dll
dmloader.dll
dmsynth.dll
WMSDrmStor.dll
ENABLE3.dll
ES.DLL
EXPSRV.DLL
ExSec32.dll
ICM32.dll
icmp.dll
KERNEL32.dll
KEYBOARD.drv
F-Secure Anti-Virus with the latest updates detects Blitzdung and Elkern.C and removes the worm-specific files that Blitzdung has copied to the Windows root.
Please also remove the following files from the Windows root (c:\windows or c:\winnt):
jreg.dll
setup32.zip
dat.set
mail.jar
activation.jar
aws32.bat
Please remove the following entries from the Windows registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\je32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hi32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weq
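The indicators above (the Run values the worm sets, the files it places in the Windows root, and the subject line and attachment of the mail it sends) can be checked offline against artifacts collected from a suspect machine. The following script is an added example written for this page; it is not F-Secure's code or part of the worm. It assumes the registry is supplied as the text of a `reg export` of the Run key, the Windows root as a plain list of file names, and mail metadata as a subject string plus attachment names. The sample registry text and directory listing at the bottom are constructed for illustration.

```python
"""Offline indicator check for the Blitzdung worm described above.

Added example, not F-Secure's code. It checks three things the description
gives: the Run registry values the worm sets, the files it copies into the
Windows root, and the subject/attachment of the mail it sends. Inputs are
plain text or lists, so it can run against a `reg export` file and a
directory listing collected from a suspect machine; the samples below are
constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Run value name -> program the worm registers (from the description above)
WORM_RUN_VALUES = {"je32": "sin.exe", "hi32": "aws32.bat", "weq": "no.exe"}

# Files the worm copies into or downloads to the Windows root
WORM_FILES = {
    "aws32.exe", "script.ini", "jreg.dll", "setup32.zip", "dat.set",
    "sin.exe", "mail.jar", "activation.jar", "aws32.bat", "no.exe",
}

# Mail indicators: the fixed part of the subject line and the attachment name
MAIL_SUBJECT_PREFIX = "tm net support recomended by "
MAIL_ATTACHMENT = "setup32.zip"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a .reg export into {key path: {name: data}}.

    Only REG_SZ entries written as "name"="data" are collected, which is all
    the Run key normally holds; other value types are skipped.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _STRING_VALUE_RE.match(line)
        if value_match and current is not None:
            # .reg files escape quotes and backslashes; undo that for the data
            data = value_match.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][value_match.group(1)] = data
    return keys


def find_run_indicators(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value name, data) pairs under Run that match the worm's entries."""
    hits: List[Tuple[str, str]] = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            expected = WORM_RUN_VALUES.get(name.lower())
            # compare only the file name, in case a directory was prepended
            program = data.strip('"').lower().rsplit("\\", 1)[-1]
            if expected is not None and program == expected:
                hits.append((name, data))
    return sorted(hits)


def find_dropped_files(listing: List[str]) -> List[str]:
    """Return names from a Windows-root directory listing that the worm uses."""
    return sorted(name for name in listing if name.lower() in WORM_FILES)


def mail_indicators(subject: str, attachments: List[str]) -> List[str]:
    """Name which of the worm's mail characteristics a message shows."""
    reasons = []
    if subject.lower().startswith(MAIL_SUBJECT_PREFIX):
        reasons.append("subject")
    if any(a.lower() == MAIL_ATTACHMENT for a in attachments):
        reasons.append("attachment")
    return reasons


# Constructed sample inputs, for illustration only
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"je32"="sin.exe"
"hi32"="aws32.bat"
"weq"="no.exe"
"""

SAMPLE_LISTING = ["explorer.exe", "AWS32.EXE", "win.ini", "script.ini", "jreg.dll"]

if __name__ == "__main__":
    print("Run values:", find_run_indicators(SAMPLE_REG))
    print("Dropped files:", find_dropped_files(SAMPLE_LISTING))
    print("Mail:", mail_indicators("tm net support recomended by someone", ["Setup32.zip"]))
```

A Run value named je32 that points to some other program is not reported, since only the name-and-program pairs given above are treated as indicators; the file-name check is case-insensitive because Windows file names are.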