W32/BleBla.b@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 11/30/2000
Length: 34,305
Minimum DAT: 4109 (12/01/2000)
Updated DAT: 4317 (01/21/2004)
Minimum Engine: 5.1.00
Description Added: 11/30/2000
Description Modified: 01/19/2001 6:21 PM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

This is an Internet worm which implements an I-Frame exploit in HTML in order to run and propagate. This Internet worm was written in Delphi and compressed with UPX. It can arrive by email in HTML format with one of the following subject lines:

Romeo&Juliet
where is my juliet ?
where is my romeo ?
hi
merry christmas!
last wish ???
lol :)
,,...
!!!
newborn
merry christmas!
surprise !
Caution: NEW VIRUS !
scandal !
^_^

The email appears to have no body text and no visible attachments; the message is, however, MIME-encoded to carry two files, xromeo.exe and xjuliet.chm.

The HTML code causes Windows to save the attachments to the C:\WINDOWS\TEMP folder and execute them from that location. The file XROMEO.EXE contains a copy of the HTML-formatted email body and the mailing logic. XROMEO.EXE reads the mail and news account settings stored under the Internet Account Manager registry keys and uses them to mail itself to every recipient in the Windows Address Book and to post itself to the ALT.COMP.VIRUS newsgroup.

Newsgroup postings will contain the following header information:
From: "Romeo&Juliet"
Subject:[Romeo&Juliet] R.i.P.

File-association registry keys are modified so that the following file types no longer open normally (the worm is launched instead; see Method of Infection):

.ARJ, .AVI, .BMP, .DOC, .EXE, .GIF, .JPG, .JPEG, .JPE, .LHA, .MP2, .MP3, .MPG, .MPEG, .RAR, .REG, .VQF, .WMF, .WMA, .WMV, .XLS, .ZIP

Symptoms

Creation of two files, XROMEO.EXE and XJULIET.CHM, in the C:\WINDOWS\TEMP folder after an email message with one of the subject lines listed in the Characteristics section has been received and read. TCP/IP communication by the worm with the following IP addresses:

195.117.117.6
212.244.197.164
195.205.96.185
195.116.104.14
195.117.3.111
195.116.221.65
212.244.67.20
194.181.138.141
195.205.121.183
195.117.88.7
212.160.95.1
212.244.241.81
195.205.208.33
212.106.133.133
195.116.72.5
213.25.175.3
195.117.99.98
213.25.111.2

Complaints from other users that you sent them the Internet worm.

Method of Infection

This Internet worm uses four different vulnerabilities in an attempt to run its code:

"IFRAME ExecCommand" Vulnerability

"Cache Bypass" Vulnerability

"scriptlet.typelib/Eyedog" Vulnerability

"HTML Help File Code Execution" Vulnerability

This Internet worm is carried in an HTML-formatted email message that also holds two file attachments. The HTML exploits the "IFRAME ExecCommand" vulnerability together with the "Cache Bypass" vulnerability so that the two attachments, XROMEO.EXE and XJULIET.CHM, are written to the local TEMP folder without any notification to the user.

The file XJULIET.CHM is then executed from the TEMP folder; it exploits the "scriptlet.typelib/Eyedog" vulnerability. This compiled HTML Help file contains only a couple of lines that invoke a signed control through the HTML Help viewer (HH.EXE) in order to run XROMEO.EXE via this vulnerability.
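The delivery mechanism described in the Characteristics section and in the paragraphs above (an HTML body that pulls in MIME parts the mail client does not list as attachments) can be checked on a captured message. The following is an added example, not code from this page or from AVERT: the sample message is constructed inside build_sample(), the worm's real HTML is not reproduced, and the cid: IFRAME layout and the list of executable extensions are assumptions made for the demonstration.

```python
"""Triage a captured message for the W32/BleBla.b@MM delivery pattern.

Added example (not AVERT/McAfee code). The message is constructed in
build_sample(); the cid: IFRAME layout is the assumed shape of the worm's
HTML, since the page does not reproduce the actual HTML.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines listed on this page, lowercased for matching.
KNOWN_SUBJECTS = {
    "romeo&juliet", "where is my juliet ?", "where is my romeo ?", "hi",
    "merry christmas!", "last wish ???", "lol :)", ",,...", "!!!", "newborn",
    "surprise !", "caution: new virus !", "scandal !", "^_^",
}
# File names the worm writes to C:\WINDOWS\TEMP.
KNOWN_FILES = {"xromeo.exe", "xjuliet.chm"}
# Extensions worth flagging when an IFRAME sources them from a MIME part
# (assumed generalisation; the page names only .exe and .chm).
EXEC_EXTS = (".exe", ".chm", ".com", ".scr", ".pif", ".bat", ".vbs", ".hta")

IFRAME_CID = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)


def triage(raw: bytes) -> dict:
    """Return {'malicious': bool, 'findings': [str]} for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in KNOWN_SUBJECTS:
        # A subject hit is only a weak signal ("hi" is a common subject).
        findings.append(f"subject matches BleBla.b list: {subject!r}")

    referenced = set()   # cid values the HTML body loads through an IFRAME
    parts = {}           # cid -> (filename, content-disposition)
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            referenced.update(IFRAME_CID.findall(part.get_content()))
            continue
        name = (part.get_filename() or "").lower()
        cid = str(part.get("Content-ID", "")).strip().strip("<>")
        if name:
            parts[cid or name] = (name, part.get_content_disposition())
            if name in KNOWN_FILES:
                findings.append(f"known dropped file present: {name}")

    for cid in sorted(referenced):
        name, disp = parts.get(cid, ("", None))
        if name.endswith(EXEC_EXTS):
            # Inline parts are not shown as attachments by the client, which is
            # why the message "appears to contain no attachments".
            findings.append(f"IFRAME loads executable part cid:{cid} ({name}, disposition={disp})")

    strong = [f for f in findings if not f.startswith("subject")]
    return {"malicious": bool(strong), "findings": findings}


def build_sample(subject: str, weaponised: bool) -> bytes:
    """Constructed sample message; placeholder bytes stand in for the real files."""
    msg = EmailMessage()
    msg["From"] = "romeo@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    if not weaponised:
        msg.set_content("<p>see you tomorrow</p>", subtype="html")
        return msg.as_bytes()
    # Visually empty body: a zero-size IFRAME that sources an inline MIME part.
    msg.set_content(
        '<html><body><iframe src="cid:xromeo" width="0" height="0"></iframe></body></html>',
        subtype="html",
    )
    for cid, name in (("xromeo", "xromeo.exe"), ("xjuliet", "xjuliet.chm")):
        msg.add_related(b"MZ\x90\x00placeholder", "application", "octet-stream",
                        cid=f"<{cid}>", filename=name, disposition="inline")
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, armed in (("Romeo&Juliet", True), ("hi", False)):
        print(subj, triage(build_sample(subj, armed)))
```

Run as a script it prints the verdict for both constructed samples. A subject hit alone is deliberately not enough for a verdict; the decisive signal is an executable part that the HTML body loads by Content-ID, which is the same thing the "appears to contain no attachments" symptom above reflects.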

XROMEO.EXE copies itself to: "C:\WINDOWS\SYSRNJ.EXE" and creates the following key values:

HKCR\rnjfile\shell\open\command\(Default)=sysrnj.exe "%1" %*
HKCR\rnjfile\DefaultIcon\(Default)=%1
HKCR\.exe\(Default)=rnjfile
HKCR\.jpg\(Default)=rnjfile
HKCR\.jpeg\(Default)=rnjfile
HKCR\.jpe\(Default)=rnjfile
HKCR\.bmp\(Default)=rnjfile
HKCR\.gif\(Default)=rnjfile
HKCR\.avi\(Default)=rnjfile
HKCR\.mpg\(Default)=rnjfile
HKCR\.mpeg\(Default)=rnjfile
HKCR\.wmf\(Default)=rnjfile
HKCR\.wma\(Default)=rnjfile
HKCR\.wmv\(Default)=rnjfile
HKCR\.mp3\(Default)=rnjfile
HKCR\.mp2\(Default)=rnjfile
HKCR\.vqf\(Default)=rnjfile
HKCR\.doc\(Default)=rnjfile
HKCR\.xls\(Default)=rnjfile
HKCR\.zip\(Default)=rnjfile
HKCR\.rar\(Default)=rnjfile
HKCR\.lha\(Default)=rnjfile
HKCR\.arj\(Default)=rnjfile
HKCR\.reg\(Default)=rnjfile

These changes instruct Windows to launch the worm instead of the intended file.
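The association hijack listed above can be audited from a registry export (for example one produced with regedit /e on the affected host). The following is an added example, not code from this page or from AVERT: it parses REGEDIT4 text, resolves each HKCR extension key to its ProgID and open command, and flags the page's own indicators together with two generic signs of this technique. SAMPLE_EXPORT is constructed from the key values listed above plus one benign association, and the extension families are an assumption used only by the sharing heuristic.

```python
"""Audit a REGEDIT4-style export for the file-association hijack described above.

Added example (not AVERT/McAfee code). SAMPLE_EXPORT is constructed from the
key values listed on this page plus one benign association; the extension
families used by the heuristic are an assumption, not something the page states.
"""
import re
from collections import defaultdict

BLEBLA_PROGID = "rnjfile"        # ProgID the worm registers
BLEBLA_BINARY = "sysrnj.exe"     # the copy it makes in C:\WINDOWS
# Windows' default open command for exefile: run the file itself with its arguments.
EXE_DEFAULT_COMMAND = '"%1" %*'
# Assumed grouping of the hijacked extensions; used only for the sharing heuristic.
FAMILIES = {
    "image": {".bmp", ".gif", ".jpg", ".jpeg", ".jpe", ".wmf"},
    "media": {".avi", ".mpg", ".mpeg", ".wma", ".wmv", ".mp2", ".mp3", ".vqf"},
    "document": {".doc", ".xls"},
    "archive": {".zip", ".rar", ".lha", ".arj"},
    "system": {".exe", ".reg"},
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Parse .reg text into {key (lowercased): {value name: data}}; REG_SZ values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.upper().startswith(("REGEDIT", "WINDOWS REGISTRY")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][name] = _unescape(data[1:-1])
    return keys


def audit(text: str) -> list:
    """Return one finding per suspicious ProgID: {'progid', 'command', 'extensions', 'reasons'}."""
    keys = parse_reg(text)
    by_progid = defaultdict(list)
    for key, values in keys.items():
        hive, _, name = key.partition("\\")
        if hive == "hkey_classes_root" and name.startswith(".") and "\\" not in name and values.get("@"):
            by_progid[values["@"].lower()].append(name)
    findings = []
    for progid, exts in by_progid.items():
        cmd = keys.get(f"hkey_classes_root\\{progid}\\shell\\open\\command", {}).get("@", "")
        reasons = []
        if progid == BLEBLA_PROGID or BLEBLA_BINARY in cmd.lower():
            reasons.append("matches W32/BleBla.b indicators")
        if ".exe" in exts and cmd != EXE_DEFAULT_COMMAND:
            # Anything wrapping "%1" %* runs before every program the user starts.
            reasons.append(f".exe open command is {cmd!r}, not {EXE_DEFAULT_COMMAND!r}")
        families = {fam for fam, members in FAMILIES.items() if any(e in members for e in exts)}
        if len(families) >= 3:
            reasons.append(f"one ProgID serves {len(exts)} extensions across {sorted(families)}")
        if reasons:
            findings.append({"progid": progid, "command": cmd,
                             "extensions": sorted(exts), "reasons": reasons})
    return findings


# Constructed export: the worm's keys from this page, plus a benign .txt association.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\rnjfile\shell\open\command]
@="sysrnj.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\rnjfile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\.exe]
@="rnjfile"

[HKEY_CLASSES_ROOT\.jpg]
@="rnjfile"

[HKEY_CLASSES_ROOT\.doc]
@="rnjfile"

[HKEY_CLASSES_ROOT\.zip]
@="rnjfile"

[HKEY_CLASSES_ROOT\.reg]
@="rnjfile"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

The two generic checks catch the technique independently of the rnjfile name: any .exe open command other than "%1" %* means some program runs before every executable the user launches, and one ProgID registered at once for images, documents and archives is not something a legitimate installer does. The caveat in the Removal section applies to repair as well: the worm does not record the ProgIDs it overwrote, so the original associations for the hijacked extensions have to come from a backup or from reinstalling the owning application.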

Removal

Use the specified engine and DAT files for detection.

- The 4120 engine can repair the registry key values that are recoverable.
- For pre-4120 engines, use the BleBlaBUNDO.inf file to repair the registry key values that are recoverable
(Once downloaded, RIGHT-CLICK on the file and choose INSTALL)
NOTE: BleBlaBUNDO.inf restores values to their original Windows default settings. Some customized file associations may have to be reconfigured after using it. It should only be used when you have a confirmed infection or when you are unable to run .EXE files.

The remaining values must be restored from backup or by the programs that created them. Those keys are as follows:

HKEY_CURRENT_USER\.arj
HKEY_CURRENT_USER\.doc
HKEY_CURRENT_USER\.lha
HKEY_CURRENT_USER\.mpeg
HKEY_CURRENT_USER\.rar
HKEY_CURRENT_USER\.vqf
HKEY_CURRENT_USER\.wmf
HKEY_CURRENT_USER\.xls
HKEY_CURRENT_USER\.zip

AVERT Recommended Updates :

* scriptlet.typelib/Eyedog vulnerability patch

* Malformed E-mail MIME Header vulnerability patch

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

Additionally, network administrators can deploy these updates using an available tool; visit this link for more information.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively: infected systems spread the virus to other systems, which then propagate it further. While many viruses carry a destructive payload, it is quite common for a virus to do nothing more than spread from one system to another.

Aliases

  • TROJ_BLEBLA.B
  • W32/Verona-B
