Blitzdung is written in Java and compiled into a Win32 executable with a converter tool. The Java class data in the worm's main executable is around 11 kilobytes in size. In addition to the main executable, Blitzdung depends on several Java and Windows library files.
Blitzdung sends emails using the JavaMail framework; setup32.zip contains the mail.jar and activation.jar files needed for the JavaMail capabilities.
Email addresses are collected from the ypager.log file of Yahoo! Messenger:
The email has the subject line "tm net support recomended by [USER]", where [USER] is an address read from the ypager.log file.
you have been recomended by your friend [USER]@yahoo.com
to recieve or free network software which is developed by
tmnet malaysia due to our sloly connection which is because
we are upgrading our network to speed up your conection in
LAN/WAN by 30% to do so kindly download the zip file and
run the online installer to install the software for more
info visite our web www.tm.net.my
NOTE you need to download and install microsoft VM befor
running the application. you download it from the windows
update section on
www.microsoft.com or from this given link
Blitzdung copies the mIRC script file script.ini into the Windows root directory. The script activates whenever a new user joins a channel that the infected host has joined.
The script sends the following message to the recently joined user:
[USER]please accept the file patch.zip it has a patch that is
used to kill the new mirc virus named BLITZKRIEG.A so please accept
it and and install it please take note that this file will be sent
to you only if you have the virus in your pc for more information
go to www.mirc.com
Then the script sends the following message to the user on the infected computer:
please send the file that is being sent now to the user [USER] coz this
is a patch that is used to kill a new mirc virus and this file will be send
to every user who has the virus named BLITZKRIEG.A for more information
about the virus go to www.mirc.com please save the mirc from shutting down
After the messages, the script tries to DCC send the worm in the file 'patch.zip' to the recently joined user.
Blitzdung tries to copy files to the Windows root directory. On most systems it manages to copy the following files:
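The subject line and the two mIRC messages quoted above are fixed strings, so mail and IRC logs can be searched for them. The following is an added detection sketch, not part of the original description; the function names, labels and sample inputs are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Subject quoted in the description, worm's spelling kept; the group is [USER].
SUBJECT_RE = re.compile(r"tm net support recomended by (\S+)", re.I)
# Wording shared by both mIRC lures quoted in the description.
IRC_COMMON = ("blitzkrieg.a", "patch that is used to kill")
# Opening words of each lure mapped to a label (labels are hypothetical).
IRC_KINDS = {
    "please accept the file patch.zip": "lure-to-joining-user",
    "please send the file that is being sent now": "lure-to-infected-host",
}

def squash(text):
    """Lower-case and collapse whitespace so wrapped or folded text still matches."""
    return " ".join(text.lower().split())

def email_lure_user(raw_message):
    """Return the lower-cased [USER] token if the Subject matches the lure, else None."""
    msg = message_from_string(raw_message)
    # Decode RFC 2047 encoded words before matching.
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    match = SUBJECT_RE.search(squash(subject))
    return match.group(1) if match else None

def irc_lure_kind(text):
    """Classify an IRC message as one of the two quoted lures, else None."""
    flat = squash(text)
    if not all(marker in flat for marker in IRC_COMMON):
        return None
    for opening, kind in IRC_KINDS.items():
        if opening in flat:
            return kind
    return "lure-variant"  # shared wording present, opening words differ

# Constructed samples, not captured traffic; the Subject header is folded on purpose.
SAMPLE_MAIL = ("From: someone@example.com\n"
               "Subject: TM net support recomended by\n alice\n"
               "\n"
               "body\n")
SAMPLE_IRC = ("bob please accept the file patch.zip it has a patch that is\n"
              "used to kill the new mirc virus named BLITZKRIEG.A")

if __name__ == "__main__":
    print(email_lure_user(SAMPLE_MAIL), irc_lure_kind(SAMPLE_IRC))
```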
aws32.exe (worm main file, renamed install.exe)
script.ini (renamed sr.dat)
On some systems the worm may copy the following files:
sin.exe (Elkern.C, renamed su32.dll)
The worm also tries to download the following file from the GeoCities web site:
no.exe that contains Backdoor Y3KRat
The worm also makes the following programs run by setting the following registry keys:
If the day of the month is 24, the worm tries to overwrite the following files:
F-Secure Anti-Virus with the latest updates can detect Blitzdung and Elkern.C and remove the worm-specific files that Blitzdung has copied to the Windows root directory.
Please also remove the following files from the Windows root directory (c:\windows or c:\winnt)
Please remove the following keys from the Windows registry