Threat Description

Blitzdung

Details

Category: Malware
Type: Worm
Platform: W32
Aliases: Blitzdung, W32/Blitzdung

Summary


Blitzdung is a mass-mailing worm that tries to send itself to all users found in the Yahoo! Messenger log file and attempts to send itself on any IRC channel the user visits. In addition to spreading, the worm copies itself to the Windows root directory, tries to drop the Elkern.C virus and the Y3KRat backdoor, and on certain dates tries to overwrite Windows system files.

Blitzdung is considered a low threat because it relies on the presence of Yahoo! Messenger and an older version of the WinZip utilities, so the worm is not capable of spreading from most systems.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


Blitzdung is written in Java and compiled into a Win32 executable with a converter tool. The Java class data in the worm's main executable is around 11 kilobytes. In addition to the main executable, Blitzdung depends on several Java and Windows library files.

Email spreading

Blitzdung sends email using the Java Mail framework; setup32.zip contains the mail.jar and activation.jar files needed for Java Mail.

Email addresses are collected from the ypager.log file of Yahoo! Messenger.

The email has the subject line "tm net support recomended by [USER]", where [USER] is an address read from ypager.log.

Email body:

you have been recomended by your friend [USER]@yahoo.com   to recieve or free network software which is developed by   tmnet malaysia due to our sloly connection which is because   we are upgrading our network to speed up your conection in   LAN/WAN by 30% to do so kindly download the zip file and   run the online installer to install the software for more   info visite our web www.tm.net.my   NOTE you need to download and install microsoft VM befor   running the application. you download it from the windows   update section on  www.microsoft.com or from this given link   http://www.hongkongjockeyclub.com/english/betting/MVMdownload.htm  

Infected attachment:

'Setup32.zip'

mIRC Spreading

Blitzdung copies the mIRC script file script.ini into the Windows root directory. The script activates whenever a new user joins a channel that the infected host has joined.

The script sends the following message to the newly joined user:

[USER]please accept the file patch.zip it has a patch that is   used to kill the new mirc virus named BLITZKRIEG.A so please accept   it and and install it please take note that this file will be sent   to you only if you have the virus in your pc for more information   go to www.mirc.com  

The script then sends the following message to the user on the infected computer:

please send the file that is being sent now to the user [USER] coz this   is a patch that is used to kill a new mirc virus and this file will be send   to every user who has the virus named BLITZKRIEG.A for more information   about the virus go to www.mirc.com please save the mirc from shutting down  

After these messages, the script tries to DCC send the worm, in the file 'patch.zip', to the newly joined user.

System infection

Blitzdung tries to copy files to the Windows root directory; on most systems it manages to copy the following files:

aws32.exe (worm main file, renamed install.exe)
script.ini (renamed sr.dat)
jreg.dll

On some systems the worm may also copy the following files:

setup32.zip
dat.set
sin.exe (Elkern.C, renamed su32.dll)
mail.jar
activation.jar
aws32.bat

The worm also tries to download the following file from the geocities web site:

no.exe, which contains the Y3KRat backdoor

The worm also makes the following programs run at startup by setting the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\je32 sin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hi32 aws32.bat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weq no.exe

Payload

If the day of the month is 24, the worm tries to overwrite the following files:

shell32.dll
advapi32.dll
advpack.dll
afvxd.vxd
amstream.dll
appwiz.dll
asfsipc.all
asycfilt.dll
avifil32.dll
avifil.dll
awcodc32.dll
atl.dll
bindfile.dll
bios.vxd
cabinet.dll
cool.dll
cryptext.dll
cryptnet.dll
desk.cpl
desktop.ini
dmstyle.dll
dmloader.dll
dmsynth.dll
WMSDrmStor.dll
ENABLE3.dll
ES.DLL
EXPSRV.DLL
ExSec32.dll
ICM32.dll
icmp.dll
KERNEL32.dll
KEYBOARD.drv

Removal

F-Secure Anti-Virus with the latest updates can detect Blitzdung and Elkern.C and remove the worm-specific files that Blitzdung has copied to the Windows root directory.

Please also remove the following files from the Windows root directory (c:\windows or c:\winnt):

jreg.dll
setup32.zip
dat.set
mail.jar
activation.jar
aws32.bat

Please also remove the following keys from the Windows registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\je32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hi32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weq
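A host audit for the artifacts listed in the System infection and Removal sections above, added here as an example and not part of the original description: it checks a Windows root directory listing for the dropped file names and the HKLM Run values for the three autostart entries (winreg is only used on Windows; SAMPLE_RUN_VALUES is a constructed sample, and audit_live_host is an assumed helper name).

```python
import ntpath

# File names the description says the worm copies into the Windows root.
WORM_FILES = {"aws32.exe", "script.ini", "jreg.dll", "setup32.zip", "dat.set",
              "sin.exe", "mail.jar", "activation.jar", "aws32.bat", "no.exe"}
# Run value names and the programs the description says they launch.
WORM_RUN_VALUES = {"je32": "sin.exe", "hi32": "aws32.bat", "weq": "no.exe"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of Run values, as they might be read from an infected host.
SAMPLE_RUN_VALUES = {
    "je32": "sin.exe",
    "hi32": '"C:\\WINDOWS\\aws32.bat"',
    "weq": "C:\\Program Files\\Vendor\\weq.exe",  # same name, other program: no hit
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
}

def find_worm_files(dir_listing):
    """Return names in a Windows-root listing that match the worm's files (case-insensitive)."""
    return sorted(name for name in dir_listing if name.lower() in WORM_FILES)

def find_worm_run_values(run_values):
    """Return (value name, command) pairs whose name and launched program both match
    the worm's autostart entries; the program is compared by basename so a full
    or quoted path still matches."""
    hits = []
    for name, command in run_values.items():
        expected = WORM_RUN_VALUES.get(name.lower())
        if expected and ntpath.basename(command.strip('"')).lower() == expected:
            hits.append((name, command))
    return sorted(hits)

def read_run_values():
    """Enumerate HKLM Run values with winreg; only works on Windows."""
    import winreg
    values, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                return values
            values[name] = str(data)
            index += 1

def audit_live_host(windir=r"C:\Windows"):
    """Windows-only convenience: run both checks against the real host."""
    import os
    return find_worm_files(os.listdir(windir)), find_worm_run_values(read_run_values())
```

On a non-Windows machine the pure helpers can still be exercised against a saved directory listing and an exported Run key.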


Detection


Detection in F-Secure Anti-Virus was published on February 3rd, 2003 in update:

Detection Type: PC
Database: 2003-12-03



Technical Details: Jarno Niemela; F-Secure Corp.; February 3rd, 2003

