hhjensen (Beginner)
23 August 2001 - 21:24. There are 8 comments and 2 solutions

troj_blebla.b

Housecall tells me that I am infected with troj_blebla.b.
Anyone know it?
lala-joker (Beginner)
23 August 2001 - 21:31 #1
Yep, remove it right away, it's quite dangerous!

I saw some info about it once...
but I can't remember the link; if I find it some day I'll write..

Otherwise, search on www.37.com or www.google.com
for the trojan.
NanoQ (Beginner)
23 August 2001 - 21:35 #2
NAME: BleBla
ALIAS: Romeo-and-Juliet, Romeo, Juliet
ALIAS: Verona, IWorm_Blebla, I-Worm.Blebla

BleBla is a worm spreading via the Internet. It was discovered in Poland on November 16th, 2000. The worm appears as an email message that has HTML format and 2 attached files: MyJuliet.CHM and MyRomeo.EXE.

When an infected message is opened, the HTML part of it is executed. That part contains a script program that is automatically activated by Windows. The script program loads and activates the CHM component of the message (the MyJuliet.CHM file). The CHM component is a compressed HTML page and it is processed as an HTML Help file. It contains one more script in it. This script executes the MyRomeo.EXE file, which is the main BleBla worm file.

To prevent scripts from executing attachments, the special patches from Microsoft should be installed:

http://www.microsoft.com/technet/security/bulletin/ms00-037.asp
http://www.microsoft.com/technet/security/bulletin/ms00-046.asp

To get its components and save them to disk (to activate them) the worm uses special tricks that allow access to message components (including attached files) by ID. The worm describes its attached files in the message header as having special IDs, and then accesses them by these IDs.

So, the worm activates itself automatically when an infected message is being opened or previewed. To activate itself the worm uses a vulnerability in Windows scripting security: the worm's CHM component is able to run an EXE program by a scripting object that is listed as "safe for scripting", so no warning messages are displayed when the worm runs its components (with default Windows settings).

The main worm component (MyRomeo.EXE file) is a Windows PE executable file about 30Kb long. This file is compressed by the UPX compression utility. Being unpacked it appears to be a 70Kb EXE file written in Delphi; the "pure" code in the file occupies just about 6Kb.

When it is run, it opens the Windows Address Book, reads email addresses from there and sends its HTML message with attached CHM and EXE files to them. To send infected messages the worm connects to one of six SMTP servers located in Poland. The message has a Subject that is randomly selected from the list:

Romeo&Juliet
:))))))
hello world
!!??!?!?
subject
ble bla, bee
I Love You ;)
sorry...
Hey you !
Matrix has you...
my picture
from shake-beer

The worm has a bug and doesn't work correctly under some Windows98/NT English editions. The worm is also able to spread only in case Windows is installed to the C:\WINDOWS directory (that is hardcoded in the worm code).


VARIANT: Blebla.b
ALIAS: IWorm_Blebla.b, I-Worm.Blebla.b


BleBla.b is a remake of the original worm. When run it copies itself to the \Windows\ folder as SYSRNJ.EXE and creates and modifies many Registry keys to activate this copy:

HKEY_CLASSES_ROOT\rnjfile
    \DefaultIcon        = %1
    \shell\open\command = sysrnj.exe "%1" %*

The above-mentioned key causes the worm's copy to run whenever "rnjfile" is referred to. Then the worm modifies the following keys:

HKEY_CLASSES_ROOT
      \.exe  = rnjfile
      \.jpg  = rnjfile
      \.jpeg = rnjfile
      \.jpe  = rnjfile
      \.bmp  = rnjfile
      \.gif  = rnjfile
      \.avi  = rnjfile
      \.mpg  = rnjfile
      \.mpeg = rnjfile
      \.wmf  = rnjfile
      \.wma  = rnjfile
      \.wmv  = rnjfile
      \.mp3  = rnjfile
      \.mp2  = rnjfile
      \.vqf  = rnjfile
      \.doc  = rnjfile
      \.xls  = rnjfile
      \.zip  = rnjfile
      \.rar  = rnjfile
      \.lha  = rnjfile
      \.arj  = rnjfile
      \.reg  = rnjfile

The above keys cause the worm's copy to start when any of the files listed above are opened. The worm also checks what file was launched before its copy was activated. If it was 'REGEDIT' (Registry Editor) or a REG file, it tries to halt the system. In the case of an EXE file its execution continues. In all other cases the worm creates a \Recycled\ folder (if not present yet), renames the file to be launched to a random name in that folder (checking for duplicate files before that operation) and copies itself under the name of that file after adding an .EXE extension to it.

The worm sends itself to the alt.comp.virus newsgroups with messages:

From: "Romeo&Juliet" <romeo@juliet.v>
Subject: [Romeo&Juliet] R.i.P.

While sending its copies to personal addresses the worm uses an empty Subject, a randomly generated Subject, or one from the list given below:

Romeo&Juliet
where is my juliet ?
where is my romeo ?
hi
last wish ???
lol :)
,,...'
!!!
newborn
merry christmas!
surprise !
Caution: NEW VIRUS !
scandal !
^_^
Re:

Depending on some conditions the worm also creates directories with random names in the \Recycled\ folder and then creates files with random names there.

Manual disinfection of the BleBla.b variant requires the following steps:

First, make sure that the worm's file SYSRNJ.EXE is deleted (from DOS) and replaced with any other EXE program, REGEDIT.EXE for example (copy REGEDIT.EXE as SYSRNJ.EXE in the \Windows\ folder). Don't restart your system before the SYSRNJ file contents are replaced with REGEDIT's, or you will not be able to open many files, including EXE ones.

Then open the Registry Editor (REGEDIT.EXE) and manually correct the following entries (default values are given). Replace "rnjfile" in the Default value with the value given below. If Registry Editor does not start, open a DOS session, copy REGEDIT.EXE as REGEDIT.COM and start the COM file to open Registry Editor.

Note that the problem is that the values below depend on the different software installed on a particular system; for example, if the ACDSEE picture viewer is installed, it associates images with itself (\.jpg = "ACDC_JPEG"). So it is impossible to restore the associations to their old values on a particular system. You have to use the defaults.

HKEY_CLASSES_ROOT
      \.exe  = "exefile"
      \.jpg  = "jpegfile"
      \.jpeg = "jpegfile"
      \.jpe  = "jpegfile"
      \.bmp  = "Paint.Picture"
      \.gif  = "giffile"
      \.avi  = "avifile"
      \.mpg  = "mpegfile"
      \.mpeg = "mpegfile"
      \.wmf  = ""
      \.wma  = "WMAFile"
      \.wmv  = "WMVFile"
      \.mp3  = "Winamp.File"
      \.mp2  = "Winamp.File"
      \.vqf  = ""
      \.doc  = "Wordpad.Document.1"
      \.xls  = ""
      \.zip  = "WinZip"
      \.rar  = "WinZip"
      \.lha  = "WinZip"
      \.arj  = "WinZip"
      \.reg  = "regfile"

Then delete the following key used by the worm:

HKEY_CLASSES_ROOT\rnjfile

The XLS association is not restored (leave it empty) because it depends on the specific MS Office version installed. The MP2 and MP3 associations are restored assuming there is a WinAmp MP3 player on the system. The ZIP, RAR, LHA and ARJ associations are restored assuming WinZip is installed. WMF and VQF are left empty.

[Analysis: Kaspersky Labs; F-Secure Corporation; November-December 2000]

NanoQ

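The disinfection steps above boil down to one check: which HKEY_CLASSES_ROOT extension keys have had their default ProgID pointed at "rnjfile", and whether the rnjfile handler key exists at all. The script below is an added example for this thread, not code from the original post or from the F-Secure/Kaspersky write-up it quotes; it audits exactly the keys the write-up lists, reports what it finds, and only rewrites them to the write-up's default ProgIDs when run with -Restore. It assumes a Windows PowerShell 5.1 or later elevated session (so a far newer Windows than the thread's), and the function name, parameter and $DefaultProgIds table are my own.

```powershell
# Added example; not part of the original thread or the quoted write-up.
# Audits the HKEY_CLASSES_ROOT extension keys BleBla.b rewrites and reports
# any whose default value is the worm's "rnjfile" ProgID. Run elevated.

# Default ProgIDs exactly as listed in the write-up; '' means "leave empty".
$DefaultProgIds = [ordered]@{
    '.exe'  = 'exefile'
    '.jpg'  = 'jpegfile'
    '.jpeg' = 'jpegfile'
    '.jpe'  = 'jpegfile'
    '.bmp'  = 'Paint.Picture'
    '.gif'  = 'giffile'
    '.avi'  = 'avifile'
    '.mpg'  = 'mpegfile'
    '.mpeg' = 'mpegfile'
    '.wmf'  = ''
    '.wma'  = 'WMAFile'
    '.wmv'  = 'WMVFile'
    '.mp3'  = 'Winamp.File'
    '.mp2'  = 'Winamp.File'
    '.vqf'  = ''
    '.doc'  = 'Wordpad.Document.1'
    '.xls'  = ''
    '.zip'  = 'WinZip'
    '.rar'  = 'WinZip'
    '.lha'  = 'WinZip'
    '.arj'  = 'WinZip'
    '.reg'  = 'regfile'
}

function Test-BleBlaAssociations {
    [CmdletBinding()]
    param(
        # Without -Restore the function only reports; with it, keys are rewritten.
        [switch]$Restore
    )

    $findings = New-Object System.Collections.Generic.List[object]
    $action   = if ($Restore) { 'restored' } else { 'reported' }

    foreach ($ext in $DefaultProgIds.Keys) {
        $keyPath = "Registry::HKEY_CLASSES_ROOT\$ext"
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }

        # The extension key's default value is the ProgID the shell dispatches to.
        $current = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).'(default)'
        if ($current -ne 'rnjfile') { continue }

        $findings.Add([pscustomobject]@{
            Key     = "HKCR\$ext"
            Current = $current
            Default = $DefaultProgIds[$ext]
            Action  = $action
        })
        if ($Restore) {
            # Set-Item on a registry key path writes its (default) value.
            Set-Item -LiteralPath $keyPath -Value $DefaultProgIds[$ext]
        }
    }

    # The handler key itself is the strongest indicator: it should not exist.
    $handlerKey = 'Registry::HKEY_CLASSES_ROOT\rnjfile'
    if (Test-Path -LiteralPath $handlerKey) {
        $cmd = (Get-ItemProperty -LiteralPath "$handlerKey\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        $findings.Add([pscustomobject]@{
            Key     = 'HKCR\rnjfile\shell\open\command'
            Current = $cmd
            Default = '<key absent>'
            Action  = if ($Restore) { 'deleted' } else { 'reported' }
        })
        if ($Restore) { Remove-Item -LiteralPath $handlerKey -Recurse -Force }
    }

    return $findings
}

# Report only; add -Restore after SYSRNJ.EXE has been dealt with as the write-up says.
Test-BleBlaAssociations | Format-Table -AutoSize
```

Run it without -Restore first and read the table: a clean system returns nothing. Keep the order the write-up insists on (replace SYSRNJ.EXE before touching the registry), and remember that the defaults are the write-up's generic ones, so on a machine with ACDSee, a specific Office version or no WinAmp you will still need to fix those few associations by hand afterwards.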
hhjensen (Beginner)
24 August 2001 - 00:19 #3
Thanks. I've formatted my HD; that should surely keep it away!
Does it get into the address book in Outlook?
NanoQ (Beginner)
24 August 2001 - 08:30 #4
It doesn't "hide" in the address book, if that's what you mean. If you have formatted your disk and deleted the mail that gave you the virus in the first place, there's no danger :)
hhjensen (Beginner)
24 August 2001 - 09:10 #5
What I meant was whether it forwards itself via the address book?
NanoQ (Beginner)
24 August 2001 - 09:13 #6
When it is run, it opens Windows Address Book, reads Email addresses from there and sends its HTML message with attached CHM and EXE files to there. To send infected messages the worm connects to one of six SMTP servers located in Poland.

Yep... it does.

NanoQ
hhjensen (Beginner)
24 August 2001 - 10:22 #7
Can I find out who it has sent itself to in any way other than contacting everyone in my address book? (I assume you can't see it in Sent Items)
NanoQ (Beginner)
24 August 2001 - 10:34 #8
You actually can't... unfortunately..
hhjensen (Beginner)
24 August 2001 - 10:42 #9
Okay---I'll await people's angry replies!
Thanks for the help to both of you!
NanoQ (Beginner)
24 August 2001 - 10:45 #10
You're welcome, and thanks for the points :)

You could head off the anger by sending a mail around warning people. It's quite possible they've got the virus without having noticed it themselves :)