Threat Description

Blitzdung

Details

Aliases: Blitzdung, W32/Blitzdung
Category: Malware
Type: Worm
Platform: W32

Summary

Blitzdung is a mass-mailing worm that tries to send itself to all users found in the Yahoo! Messenger log file and attempts to send itself to users on any IRC channel the infected user visits. In addition to spreading, the worm copies itself to the Windows root directory, tries to drop the Elkern.C virus and the Y3KRat backdoor, and on certain dates tries to overwrite Windows system files.

Blitzdung is considered a low threat, as it relies on the presence of Yahoo! Messenger and an older version of the WinZip utilities, so the worm is not capable of spreading from most systems.

Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Technical Details

Blitzdung is written in Java and compiled into a Win32 executable with a converter tool. The Java class data inside the worm's main executable is around 11 kilobytes. In addition to the main executable, Blitzdung depends on several Java and Windows library files.

Email spreading

Blitzdung sends emails using the JavaMail framework; setup32.zip contains mail.jar and activation.jar, which are needed for the JavaMail functionality.

Email addresses are collected from the ypager.log file of Yahoo! Messenger.

The email has the subject line "tm net support recomended by [USER]", where [USER] is an address read from ypager.log. (The misspelling "recomended" is the worm's own.)

Email body:

you have been recomended by your friend [USER]@yahoo.com
  to recieve or free network software which is developed by
  tmnet malaysia due to our sloly connection which is because
  we are upgrading our network to speed up your conection in
  LAN/WAN by 30% to do so kindly download the zip file and
  run the online installer to install the software for more
  info visite our web www.tm.net.my
  NOTE you need to download and install microsoft VM befor
  running the application. you download it from the windows
  update section on  www.microsoft.com or from this given link
  http://www.hongkongjockeyclub.com/english/betting/MVMdownload.htm

Infected attachment:

'Setup32.zip'
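The subject template, attachment name and body text above are enough to recognise the worm's mail at a gateway. The following Python is an added example (not F-Secure's code and not part of the original description) that checks a raw RFC 822 message for those three indicators; the two sample messages are constructed, and the misspellings in the pattern and markers are matched deliberately because they are the worm's own.

```python
"""Mail-gateway check for Blitzdung's e-mail. Added example; the sample
messages below are constructed, not captured."""
import re
from email import message_from_string
from email.policy import default

# Subject template from the threat description: "tm net support recomended by [USER]".
# "recomended" is the worm's own misspelling and is matched deliberately.
SUBJECT_RE = re.compile(r"^tm net support recomended by (?P<user>\S+)\s*$", re.IGNORECASE)
ATTACHMENT_NAME = "setup32.zip"          # compared case-insensitively
# Distinctive phrases from the worm's body text, again with its own spelling.
BODY_MARKERS = ("you have been recomended by your friend", "tmnet malaysia")


def attachment_names(msg):
    """Lower-cased file names of every attachment in a parsed message."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and part.get_content_disposition() in ("attachment", "inline"):
            names.append(name.lower())
    return names


def classify(raw_message):
    """Check one raw RFC 822 message against Blitzdung's subject, attachment and body.
    Returns the individual indicators plus an overall verdict."""
    msg = message_from_string(raw_message, policy=default)
    subject_match = SUBJECT_RE.match(str(msg.get("Subject", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    result = {
        "subject_match": subject_match is not None,
        "claimed_sender": subject_match.group("user") if subject_match else None,
        "has_setup32_zip": ATTACHMENT_NAME in attachment_names(msg),
        "body_markers": sum(marker in text for marker in BODY_MARKERS),
    }
    # Subject template plus the attachment is enough to quarantine;
    # the body markers are corroboration for an analyst.
    result["verdict"] = ("blitzdung" if result["subject_match"] and result["has_setup32_zip"]
                         else "clean")
    return result


# Constructed sample of the worm's mail (headers trimmed to what the check needs).
SAMPLE_WORM_MAIL = """\
From: victim@example.com
To: friend@example.com
Subject: tm net support recomended by victim@yahoo.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

you have been recomended by your friend victim@yahoo.com
to recieve or free network software which is developed by
tmnet malaysia due to our sloly connection
--b1
Content-Type: application/zip; name="Setup32.zip"
Content-Disposition: attachment; filename="Setup32.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN_MAIL = """\
From: alice@example.com
To: bob@example.com
Subject: network maintenance tonight

The LAN will be down from 22:00 to 23:00 for an upgrade.
"""

if __name__ == "__main__":
    for name, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(name, classify(raw))
```

The verdict deliberately requires both the subject template and the Setup32.zip attachment, so a legitimate reply that quotes the subject line is not quarantined on its own; the body-marker count is there for an analyst reviewing borderline messages.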

mIRC Spreading

Blitzdung copies the mIRC script file script.ini into the Windows root directory. The script activates whenever a new user joins a channel that the infected host has joined.

The script sends the following message to the recently joined user:

[USER]please accept the file patch.zip it has a patch that is
  used to kill the new mirc virus named BLITZKRIEG.A so please accept
  it and and install it please take note that this file will be sent
  to you only if you have the virus in your pc for more information
  go to www.mirc.com

Then the script sends the following message to the user on the infected computer:

please send the file that is being sent now to the user [USER] coz this
  is a patch that is used to kill a new mirc virus and this file will be send
  to every user who has the virus named BLITZKRIEG.A for more information
  about the virus go to www.mirc.com please save the mirc from shutting down

After these messages the script tries to DCC-send the worm, in the file 'patch.zip', to the recently joined user.

System infection

Blitzdung tries to copy files to the Windows root directory. On most systems it manages to copy the following files:

aws32.exe (worm main file, renamed install.exe)
  script.ini (renamed sr.dat)
  jreg.dll

On some systems the worm may also copy the following files:

setup32.zip
  dat.set
  sin.exe (Elkern.C, renamed su32.dll)
  mail.jar
  activation.jar
  aws32.bat

The worm also tries to download the following file from the Geocities web site:

no.exe, which contains the Y3KRat backdoor

The worm also makes the following programs run at startup by setting the following registry Run values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\je32 sin.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hi32 aws32.bat
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weq no.exe

Payload

If the day of the month is 24, the worm tries to overwrite the following files:

shell32.dll
  advapi32.dll
  advpack.dll
  afvxd.vxd
  amstream.dll
  appwiz.dll
  asfsipc.all
  asycfilt.dll
  avifil32.dll
  avifil.dll
  awcodc32.dll
  atl.dll
  bindfile.dll
  bios.vxd
  cabinet.dll
  cool.dll
  cryptext.dll
  cryptnet.dll
  desk.cpl
  desktop.ini
  dmstyle.dll
  dmloader.dll
  dmsynth.dll
  WMSDrmStor.dll
  ENABLE3.dll
  ES.DLL
  EXPSRV.DLL
  ExSec32.dll
  ICM32.dll
  icmp.dll
  KERNEL32.dll
  KEYBOARD.drv

Removal

F-Secure Anti-Virus with the latest updates can detect Blitzdung and Elkern.C and remove the worm-specific files that Blitzdung has copied to the Windows root.

Please also remove the following files from the Windows root (c:\windows or c:\winnt):

jreg.dll
  setup32.zip
  dat.set
  mail.jar
  activation.jar
  aws32.bat

Please also remove the following values from the Windows registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\je32
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hi32
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weq
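The dropped files and the Run values listed under System infection and again in this Removal section are the host-side indicators of an infection. The following Python is an added example (not F-Secure's tool and not part of the original description) that checks a .reg export of the Run key and a Windows-root directory listing against exactly those indicators; the export text and directory listing in the block are constructed samples.

```python
"""Host indicator check for Blitzdung. Added example, not F-Secure's tool;
the registry export and directory listing below are constructed."""
import ntpath
import os
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Run-key value names and the programs they start, from the threat description.
RUN_VALUES = {"je32": "sin.exe", "hi32": "aws32.bat", "weq": "no.exe"}
# Files the worm copies into the Windows root. mail.jar and activation.jar are
# legitimate JavaMail libraries and script.ini is a normal mIRC file; they are
# indicators only in this location.
DROPPED_FILES = {
    "aws32.exe", "script.ini", "jreg.dll", "setup32.zip", "dat.set",
    "sin.exe", "mail.jar", "activation.jar", "aws32.bat", "no.exe",
}
# One value line of a .reg export: "name"="value"
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"\s*$')


def find_run_indicators(reg_export):
    """Scan the text of a .reg export and return the (name, value) pairs under
    the Run key whose name or started program matches the worm's entries."""
    hits = []
    in_run_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = VALUE_LINE.match(line)
        if not (in_run_key and m):
            continue
        name, value = m.group("name"), m.group("value")
        # .reg files double every backslash; undo that before taking the basename.
        program = ntpath.basename(value.replace("\\\\", "\\")).lower()
        if name.lower() in RUN_VALUES or program in RUN_VALUES.values():
            hits.append((name, value))
    return hits


def find_dropped_files(filenames):
    """Names from a Windows-root directory listing that match the worm's files."""
    return sorted(n for n in filenames if n.lower() in DROPPED_FILES)


def scan_windows_root(path):
    """Convenience wrapper for a live system: list the directory and check it."""
    return find_dropped_files(os.listdir(path))


# Constructed .reg export of the Run key, with one benign entry for contrast.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"je32"="sin.exe"
"hi32"="aws32.bat"
"weq"="no.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"
"""

# Constructed directory listing of an infected Windows root.
SAMPLE_WINDOWS_ROOT = ["explorer.exe", "win.ini", "aws32.exe", "script.ini",
                       "jreg.dll", "notepad.exe"]

if __name__ == "__main__":
    print("run-key entries:", find_run_indicators(SAMPLE_REG_EXPORT))
    print("dropped files:", find_dropped_files(SAMPLE_WINDOWS_ROOT))
```

On a live machine the export comes from reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg; recent Windows versions write that file as UTF-16, so open it with encoding="utf-16" before passing the text in. The match on the started program (not only the value name) is there because the worm could be repackaged under different value names while still starting the same files.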



Detection

Detection in F-Secure Anti-Virus was published on February 3rd, 2003 in update:
Detection Type: PC
Database: 2003-12-03



Technical Details: Jarno Niemela; F-Secure Corp.; February 3rd, 2003

