Blitzdung

Classification

Category:

Malware

Type:

Worm

Aliases:

  • Blitzdung
  • W32/Blitzdung

Summary

Blitzdung is a mass-mailing worm that tries to send itself to every user found in the Yahoo! Messenger log file and also attempts to send itself to users on any IRC channel the infected user visits. Besides spreading, the worm copies itself to the Windows root directory, tries to drop the Elkern.C virus and the Y3KRat backdoor, and on a certain day of the month tries to overwrite Windows system files.

Blitzdung is considered a low threat because it depends on Yahoo! Messenger and an older version of the WinZip utilities being present, so the worm cannot spread from most systems.

Technical Details

Blitzdung is written in Java and compiled into a Win32 executable with a converter tool. The Java class data inside the worm's main executable is around 11 kilobytes. Besides the main executable, Blitzdung depends on several Java and Windows library files.

Email spreading

Blitzdung sends emails using the JavaMail framework; the setup32.zip archive contains the mail.jar and activation.jar libraries needed for that.

Email addresses are collected from the ypager.log file of Yahoo! Messenger.

The email has the subject line "tm net support recomended by [USER]", where [USER] is an address read from ypager.log.

Email body:

you have been recomended by your friend [USER]@yahoo.com to recieve or free network software which is developed by tmnet malaysia due to our sloly connection which is because we are upgrading our network to speed up your conection in LAN/WAN by 30% to do so kindly download the zip file and run the online installer to install the software for more info visite our web www.tm.net.my NOTE you need to download and install microsoft VM befor running the application. you download it from the windows update section on www.microsoft.com or from this given link http://www.hongkongjockeyclub.com/english/betting/MVMdownload.htm

Infected attachment:

'Setup32.zip'

mIRC Spreading

Blitzdung copies the mIRC script file script.ini into the Windows root directory. The script fires whenever a new user joins a channel that the infected host is on.

The script sends the following message to the newly joined user:

[USER]please accept the file patch.zip it has a patch that is used to kill the new mirc virus named BLITZKRIEG.A so please accept it and and install it please take note that this file will be sent to you only if you have the virus in your pc for more information go to www.mirc.com

The script then shows the following message to the user on the infected computer:

please send the file that is being sent now to the user [USER] coz this is a patch that is used to kill a new mirc virus and this file will be send to every user who has the virus named BLITZKRIEG.A for more information about the virus go to www.mirc.com please save the mirc from shutting down

After these messages the script tries to DCC-send the worm, in a file named 'patch.zip', to the newly joined user.

System infection

Blitzdung tries to copy files to the Windows root directory. On most systems it manages to copy the following files:

  • aws32.exe (worm main file, renamed from install.exe)
  • script.ini (renamed from sr.dat)
  • jreg.dll

On some systems the worm may also copy the following files:

  • setup32.zip
  • dat.set
  • sin.exe (Elkern.C, renamed from su32.dll)
  • mail.jar
  • activation.jar
  • aws32.bat

The worm also tries to download the following file from the geocities web site:

  • no.exe, which contains the Y3KRat backdoor

The worm also makes the following programs run at startup by setting these registry values:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\je32 = sin.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hi32 = aws32.bat
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weq = no.exe

Payload

If the day of the month is 24, the worm tries to overwrite the following files:

  • shell32.dll
  • advapi32.dll
  • advpack.dll
  • afvxd.vxd
  • amstream.dll
  • appwiz.dll
  • asfsipc.all
  • asycfilt.dll
  • avifil32.dll
  • avifil.dll
  • awcodc32.dll
  • atl.dll
  • bindfile.dll
  • bios.vxd
  • cabinet.dll
  • cool.dll
  • cryptext.dll
  • cryptnet.dll
  • desk.cpl
  • desktop.ini
  • dmstyle.dll
  • dmloader.dll
  • dmsynth.dll
  • WMSDrmStor.dll
  • ENABLE3.dll
  • ES.DLL
  • EXPSRV.DLL
  • ExSec32.dll
  • ICM32.dll
  • icmp.dll
  • KERNEL32.dll
  • KEYBOARD.drv

Removal

F-Secure Anti-Virus with the latest updates can detect Blitzdung and Elkern.C and remove the worm-specific files that Blitzdung has copied to the Windows root.

Please also remove the following files from the Windows root (c:\windows or c:\winnt):

  • jreg.dll
  • setup32.zip
  • dat.set
  • mail.jar
  • activation.jar
  • aws32.bat

Please remove the following values from the Windows registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\je32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hi32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weq
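The file names and Run values listed in the System infection and Removal sections can be checked in one pass. The following PowerShell script is an added example, not part of the F-Secure description or of any F-Secure tool; it assumes it is run from an elevated prompt, that $env:SystemRoot is the Windows root the text refers to (c:\windows or c:\winnt), and it defines its own -Remove switch, without which it only reports what it finds.

```powershell
# Added example: report (and with -Remove, delete) the Blitzdung artefacts
# listed in the description above. Not F-Secure code. Assumes an elevated
# prompt and that $env:SystemRoot is the Windows root the worm writes to.
param(
    [switch]$Remove
)

# File names the worm copies to the Windows root, taken from the description.
$WormFiles = @(
    'aws32.exe', 'script.ini', 'jreg.dll',
    'setup32.zip', 'dat.set', 'sin.exe', 'mail.jar', 'activation.jar',
    'aws32.bat', 'no.exe'
)

# Run values the worm sets (value name -> expected data), from the description.
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$WormRunValues = @{
    'je32' = 'sin.exe'
    'hi32' = 'aws32.bat'
    'weq'  = 'no.exe'
}

$found = @()

if ($Remove) {
    # A running dropped executable would keep its file locked; stop it first.
    # Process names are the file names without extension.
    Get-Process -Name 'aws32', 'sin', 'no' -ErrorAction SilentlyContinue |
        Stop-Process -Force
}

foreach ($name in $WormFiles) {
    $path = Join-Path $env:SystemRoot $name
    if (Test-Path -LiteralPath $path) {
        $found += "file: $path"
        if ($Remove) { Remove-Item -LiteralPath $path -Force }
    }
}

if (Test-Path -Path $RunKey) {
    $run = Get-ItemProperty -Path $RunKey
    foreach ($valueName in $WormRunValues.Keys) {
        $data = $run.$valueName    # $null when the value does not exist
        if ($null -ne $data) {
            $found += "registry: $RunKey\$valueName = $data (expected $($WormRunValues[$valueName]))"
            if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $valueName }
        }
    }
}

if ($found.Count -eq 0) {
    Write-Output 'No Blitzdung artefacts found.'
} else {
    $verb = if ($Remove) { 'removed' } else { 'found' }
    Write-Output "Blitzdung artefacts ${verb}:"
    $found | ForEach-Object { Write-Output "  $_" }
}
```

Run it once without -Remove to see what is present, and again with -Remove after the anti-virus scan has finished, so that the worm's own files and the leftover library files listed above are cleaned in the same step. The script matches on the exact file names and value names from the description only; a variant using different names would not be reported.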
