Blitzdung

Threat description

Details

CATEGORYMalware
TYPEWorm

Summary

Blitzdung is a mass mailing worm that tries to send itself to all users found from Yahoo! Messenger log file and attempts to send itself on any IRC channel that the user visits. In addition to spreading itself the worm copies itself to windows root directory, tries to drop Elkern.C virus and Y3KRat backdoor and on certain dates tries to overwrite windows system files.

Blitzdung is considered to be a low threat as it relies on existence of Yahoo! messenger and older version of WinZip utilities so the worm is not capable of spreading from most systems.

Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The Blitzdung is written with Java and is compiled into Win32 exe with a converter tool. The size of the Java class data that is in the worm main executable is around 11 kilobytes. In addition of the main executable the Blitzdung is dependant of several Java and windows library files.

Email spreading

Blitzdung sends emails using Java Mail framework, and the setup32.zip contains mail.jar and activation.jar needed for using Java mail capabilities.

Email addresses are collected from ypager.log file of Yahoo! messenger:

The email has subject line "tm net support recomended by [USER]" where [USER] is address read from read from the ypager.log

Email body:

you have been recomended by your friend [USER]@yahoo.com
 to recieve or free network software which is developed by
 tmnet malaysia due to our sloly connection which is because
 we are upgrading our network to speed up your conection in
 LAN/WAN by 30% to do so kindly download the zip file and
 run the online installer to install the software for more
 info visite our web www.tm.net.my
 NOTE you need to download and install microsoft VM befor
 running the application. you download it from the windows
 update section on
www.microsoft.com or from this given link
 http://www.hongkongjockeyclub.com/english/betting/MVMdownload.htm

Infected attachment:

'Setup32.zip'
mIRC Spreading

Blitzdung copies mIRC script file script.ini into windows root directory. The script file activates always when a new user joins into a channel where the infected host has joined.

The script sends following message to a recently joined user:

[USER]please accept the file patch.zip it has a patch that is
 used to kill the new mirc virus named BLITZKRIEG.A so please accept
 it and and install it please take note that this file will be sent
 to you only if you have the virus in your pc for more information
 go to www.mirc.com

Then the script sends following message to the user on the infected computer:

please send the file that is being sent now to the user [USER] coz this
 is a patch that is used to kill a new mirc virus and this file will be send
 to every user who has the virus named BLITZKRIEG.A for more information
 about the virus go to www.mirc.com please save the mirc from shutting down

After messages the script tries to DCC send the worm in file 'patch.zip' to the recently joined user.

System infection

Blitzdung tries to copy files to the windows root directory, on most systems it manages to copy following files:

aws32.exe (worm main file, renamed install.exe)
 script.ini (renamed sr.dat)
 jreg.dll

On some systems the worm may copy following files:

setup32.zip
 dat.set
 sin.exe (Elkern.C, renamed su32.dll)
 mail.jar
 activation.jar
 aws32.bat

The worm also tries to download following file from the geocities web site

no.exe that contains Backdoor Y3KRat

The worm also makes following programs to run by setting following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\je32 sin.exe
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hi32 aws32.bat
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weq no.exe
Payload

If the day of the month is 24 the worm tries to overwrite following files:

shell32.dll
 advapi32.dll
 advpack.dll
 afvxd.vxd
 amstream.dll
 appwiz.dll
 asfsipc.all
 asycfilt.dll
 avifil32.dll
 avifil.dll
 awcodc32.dll
 atl.dll
 bindfile.dll
 bios.vxd
 cabinet.dll
 cool.dll
 cryptext.dll
 cryptnet.dll
 desk.cpl
 desktop.ini
 dmstyle.dll
 dmloader.dll
 dmsynth.dll
 WMSDrmStor.dll
 ENABLE3.dll
 ES.DLL
 EXPSRV.DLL
 ExSec32.dll
 ICM32.dll
 icmp.dll
 KERNEL32.dll
 KEYBOARD.drv
Removal

F-Secure Anti-Virus with the latest updates can detect the Blitzdung and Elekern.C and remove the worm specific files that the Blitzdung has copied to windows root.

Please remove also following files from windows root (c:\windows or c:\winnt)

jreg.dll
 setup32.zip
 dat.set
 mail.jar
 activation.jar
 aws32.bat

Please remove following keys from Windows registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\je32
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hi32
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weq
Detection

Detection in F-Secure Anti-Virus was published on February 3th, 2003 in update:

Detection Type: PC

Database: 2003-12-03

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info