BleBla is a worm that spreads over the Internet by e-mail. It was
discovered in Poland on November 16th, 2000. The worm arrives as an
e-mail message in HTML format with two attached files: MyJuliet.CHM
and MyRomeo.EXE.
When an infected message is opened, the HTML part of it is rendered,
and the script program it contains is run automatically by Windows.
That script loads and activates the CHM component of the message (the
MyJuliet.CHM file). The CHM component is a compiled HTML Help file and
is processed by the HTML Help system; it contains one more script.
This second script executes the MyRomeo.EXE file, which is the main
BleBla worm file.
To prevent scripts from executing attachments in this way, the patches
from the following Microsoft security bulletins should be installed:
http://www.microsoft.com/technet/security/bulletin/ms00-037.asp
http://www.microsoft.com/technet/security/bulletin/ms00-046.asp
To get its components and save them to disk (in order to activate
them) the worm uses a trick that allows message components (including
attached files) to be accessed by ID: the worm declares special IDs
for its attached files in the message headers and then references
them by these IDs from its HTML part.
As a result, the worm activates itself automatically when an infected
message is opened or previewed. To do so it abuses a weakness in
Windows scripting security: the worm's CHM component is able to run
the EXE program through a scripting object that is marked "safe for
scripting", so with default Windows settings no warning message is
displayed when the worm runs its components.
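The activation chain above (an HTML body that references attached parts by their Content-ID and hands them to a scripting object) is the part a mail gateway can check for. The following Python is an added example, not code from the advisory or from either vendor: it parses a message, maps every part's Content-ID to its filename, extracts the cid: references from the HTML body and flags the message when the HTML references (or is scripted alongside) an attachment whose extension can execute code. The two sample messages are constructed here with placeholder payloads (the CHM and EXE bodies are just magic bytes), and the ACTIVE_EXTENSIONS list is an assumed gateway policy, not something the advisory specifies.

```python
import email
import re
from email import policy

# Constructed message mimicking the BleBla layout: HTML body, a CHM part
# referenced by Content-ID, and an EXE part. Payloads are placeholders.
SAMPLE_MESSAGE = b"""From: Romeo <romeo@example.invalid>
To: juliet@example.invalid
Subject: Romeo&Juliet
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body>
<!-- constructed placeholder: the real message runs script here -->
<script>var helpFile = "cid:MyJuliet.CHM";</script>
</body></html>
--b1
Content-Type: application/octet-stream; name="MyJuliet.CHM"
Content-ID: <MyJuliet.CHM>
Content-Transfer-Encoding: base64

SVRTRg==
--b1
Content-Type: application/octet-stream; name="MyRomeo.EXE"
Content-ID: <MyRomeo.EXE>
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed benign message: a newsletter embedding an inline image by cid.
BENIGN_MESSAGE = b"""From: News <news@example.invalid>
To: reader@example.invalid
Subject: Newsletter
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b2"

--b2
Content-Type: text/html; charset=us-ascii

<html><body><img src="cid:logo"><p>Newsletter</p></body></html>
--b2
Content-Type: image/png; name="logo.png"
Content-ID: <logo>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b2--
"""

# Assumed gateway policy: extensions that the HTML Help / scripting chain
# can turn into code execution. Not taken from the advisory.
ACTIVE_EXTENSIONS = {".chm", ".exe", ".com", ".scr", ".pif", ".bat",
                     ".vbs", ".js", ".hta"}

# A cid: URL as it appears in HTML source (attribute values or script text).
CID_RE = re.compile(r"cid:([^\s\"'<>()]+)", re.IGNORECASE)


def _extension(name):
    """Lower-cased extension of a filename, '' if it has none."""
    name = name or ""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def index_attachments(msg):
    """Return ({content_id: filename}, [all attachment filenames]) for the
    non-multipart parts of msg. Angle brackets around the ID are stripped."""
    by_cid = {}
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cid = part.get("Content-ID")
        name = part.get_filename()
        if name:
            names.append(name)
        if cid:
            by_cid[str(cid).strip().strip("<>")] = name or part.get_content_type()
    return by_cid, names


def analyse(raw):
    """Parse raw message bytes and report how its HTML body uses attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    by_cid, names = index_attachments(msg)
    refs = []
    scripted = False
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        if re.search(r"<script\b", html, re.IGNORECASE):
            scripted = True
        refs.extend(CID_RE.findall(html))
    active = sorted(n for n in names if _extension(n) in ACTIVE_EXTENSIONS)
    active_by_cid = [by_cid[r] for r in refs
                     if r in by_cid and _extension(by_cid[r]) in ACTIVE_EXTENSIONS]
    dangling = [r for r in refs if r not in by_cid]
    # Suspicious if the HTML reaches an executable part by cid, or is scripted
    # while executable parts are attached (the CHM may reference them itself).
    suspicious = bool(active_by_cid) or (scripted and bool(active))
    return {
        "scripted_html": scripted,
        "cid_references": refs,
        "active_attachments": active,
        "active_referenced_by_cid": active_by_cid,
        "dangling_cid_references": dangling,
        "suspicious": suspicious,
    }
```

Run analyse(SAMPLE_MESSAGE) and analyse(BENIGN_MESSAGE) to compare: the first is flagged because its scripted HTML references MyJuliet.CHM by Content-ID and MyRomeo.EXE is attached beside it, the second is not, since an inline image referenced by cid is the legitimate use of the same mechanism. Dangling references (a cid: with no matching part) are reported separately because they usually indicate a broken or deliberately obfuscated message.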
The main worm component (the MyRomeo.EXE file) is a Windows PE
executable about 30Kb long, compressed with the UPX packer. Unpacked,
it is a 70Kb EXE file written in Delphi; the worm's own code occupies
only about 6Kb of it.
When run, it opens the Windows Address Book, reads e-mail addresses
from it and sends its HTML message with the attached CHM and EXE
files to those addresses. To send infected messages the worm connects
to one of six SMTP servers located in Poland. The message Subject is
randomly selected from the list:
Romeo&Juliet
:))))))
hello world
!!??!?!?
subject
ble bla, bee
I Love You ;)
sorry...
Hey you !
Matrix has you...
my picture
from shake-beer
The worm has a bug and doesn't work correctly under some English
editions of Windows 98/NT. The worm is also able to spread only if
Windows is installed in the C:\WINDOWS directory (the path is
hardcoded in the worm's code).
BleBla.b is a remake of the original worm. When run it copies itself
to the \Windows\ folder as SYSRNJ.EXE and creates and modifies many
Registry keys to activate this copy:
HKEY_CLASSES_ROOT\rnjfile
\DefaultIcon = %1
\shell\open\command = sysrnj.exe "%1" %*
The above key causes the worm's copy to run whenever an "rnjfile" is
referred to. Then the worm modifies the following keys:
HKEY_CLASSES_ROOT
\.exe = rnjfile
\.jpg = rnjfile
\.jpeg = rnjfile
\.jpe = rnjfile
\.bmp = rnjfile
\.gif = rnjfile
\.avi = rnjfile
\.mpg = rnjfile
\.mpeg = rnjfile
\.wmf = rnjfile
\.wma = rnjfile
\.wmv = rnjfile
\.mp3 = rnjfile
\.mp2 = rnjfile
\.vqf = rnjfile
\.doc = rnjfile
\.xls = rnjfile
\.zip = rnjfile
\.rar = rnjfile
\.lha = rnjfile
\.arj = rnjfile
\.reg = rnjfile
The above keys cause the worm's copy to start when a file of any of
the types listed above is opened. The worm also checks what file was
launched before its copy was activated. If it was REGEDIT (the
Registry Editor) or a REG file, it tries to halt the system. In the
case of an EXE file its execution continues. In all other cases the
worm creates a \Recycled\ folder (if not present yet), moves the file
that was to be launched into that folder under a random name
(checking for duplicate names before that operation) and copies
itself under the original name of that file with an .EXE extension
added.
The worm also sends itself to the alt.comp.virus newsgroup in
messages with the following headers:
From: "Romeo&Juliet" <romeo@juliet.v>
Subject:[Romeo&Juliet] R.i.P.
When sending its copies to personal addresses the worm uses an empty
Subject, a randomly generated Subject, or one from the list below:
Romeo&Juliet
where is my juliet ?
where is my romeo ?
hi
last wish ???
lol :)
,,...'
!!!
newborn
merry christmas!
surprise !
Caution: NEW VIRUS !
scandal !
^_^
Re:
Depending on some conditions the worm also creates directories with
random names in the \Recycled\ folder and then creates files with
random names there.
Manual disinfection of the BleBla.b variant requires the following
steps:
First, make sure the worm's file SYSRNJ.EXE is deleted (from DOS) and
replaced with some other EXE program, for example REGEDIT.EXE (copy
REGEDIT.EXE to the \Windows\ folder as SYSRNJ.EXE). Don't restart the
system before the SYSRNJ.EXE contents have been replaced with
REGEDIT's, or you will not be able to open many files, including EXE
ones.
Then open the Registry Editor (REGEDIT.EXE) and manually correct the
following entries (default values are given): replace "rnjfile" in
each key's Default value with the value given below. If the Registry
Editor does not start, open a DOS session, copy REGEDIT.EXE to
REGEDIT.COM and start the COM file to open the Registry Editor.
Note that the correct values depend on the software installed on a
particular system; for example, if the ACDSee picture viewer is
installed, it associates images with itself (\.jpg = "ACDC_JPEG"). So
it is not possible to give the old values for every system, and the
defaults below have to be used.
HKEY_CLASSES_ROOT
\.exe = "exefile"
\.jpg = "jpegfile"
\.jpeg = "jpegfile"
\.jpe = "jpegfile"
\.bmp = "Paint.Picture"
\.gif = "giffile"
\.avi = "avifile"
\.mpg = "mpegfile"
\.mpeg = "mpegfile"
\.wmf = ""
\.wma = "WMAFile"
\.wmv = "WMVFile"
\.mp3 = "Winamp.File"
\.mp2 = "Winamp.File"
\.vqf = ""
\.doc = "Wordpad.Document.1"
\.xls = ""
\.zip = "WinZip"
\.rar = "WinZip"
\.lha = "WinZip"
\.arj = "WinZip"
\.reg = "regfile"
Then delete the following key used by the worm:
HKEY_CLASSES_ROOT\rnjfile
The XLS association is not restored (left empty) because it depends
on the specific MS Office version installed. The MP2 and MP3
associations are restored assuming that the WinAmp MP3 player is
present on the system. The ZIP, RAR, LHA and ARJ associations are
restored assuming that WinZip is installed. WMF and VQF are left
empty.
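The hijacked extension keys listed for BleBla.b above and the manual restore procedure just described are the same table seen from two sides, so the following Python serves both: it is an added example, not a tool from the advisory or from either vendor. Given a snapshot of the HKEY_CLASSES_ROOT extension keys and their Default values (constructed here to mimic an infected machine), it reports which extensions point at "rnjfile", generates a REGEDIT4 .reg file that restores the advisory's defaults for exactly those extensions (leaving .xls, .wmf and .vqf empty as the text instructs) and deletes the \rnjfile key last, and reports any hijacked extension the advisory gives no default for so it can be handled by hand.

```python
# Default ProgIDs exactly as listed in the advisory; "" means "leave empty".
ADVISORY_DEFAULTS = {
    ".exe": "exefile", ".jpg": "jpegfile", ".jpeg": "jpegfile",
    ".jpe": "jpegfile", ".bmp": "Paint.Picture", ".gif": "giffile",
    ".avi": "avifile", ".mpg": "mpegfile", ".mpeg": "mpegfile",
    ".wmf": "", ".wma": "WMAFile", ".wmv": "WMVFile",
    ".mp3": "Winamp.File", ".mp2": "Winamp.File", ".vqf": "",
    ".doc": "Wordpad.Document.1", ".xls": "", ".zip": "WinZip",
    ".rar": "WinZip", ".lha": "WinZip", ".arj": "WinZip", ".reg": "regfile",
}
WORM_PROGID = "rnjfile"

# Constructed snapshot of an infected machine: extension -> Default value.
# .txt is included to show that keys the worm did not touch are left alone.
INFECTED_SNAPSHOT = {ext: WORM_PROGID for ext in ADVISORY_DEFAULTS}
INFECTED_SNAPSHOT[".txt"] = "txtfile"


def find_hijacked(snapshot, worm_progid=WORM_PROGID):
    """Extensions whose Default value points at the worm's ProgID."""
    return sorted(ext for ext, value in snapshot.items() if value == worm_progid)


def build_repair_reg(snapshot, defaults=ADVISORY_DEFAULTS):
    """Return (reg_text, unknown) where reg_text is a REGEDIT4 file that
    restores the advisory defaults for every hijacked extension and then
    deletes HKEY_CLASSES_ROOT\\rnjfile, and unknown lists hijacked
    extensions for which the advisory gives no default (left for manual
    repair rather than guessed)."""
    hijacked = find_hijacked(snapshot)
    unknown = [ext for ext in hijacked if ext not in defaults]
    lines = ["REGEDIT4", ""]
    for ext in hijacked:
        if ext not in defaults:
            continue
        lines.append("[HKEY_CLASSES_ROOT\\%s]" % ext)
        lines.append('@="%s"' % defaults[ext])   # @ is the key's Default value
        lines.append("")
    # The worm's key is removed last, after .exe already points at exefile,
    # so no intermediate state leaves EXE files without a handler.
    lines.append("[-HKEY_CLASSES_ROOT\\%s]" % WORM_PROGID)
    lines.append("")
    return "\r\n".join(lines), unknown


def repaired(snapshot, defaults=ADVISORY_DEFAULTS):
    """Simulate applying the repair to a snapshot (for checking the plan)."""
    fixed = dict(snapshot)
    for ext in find_hijacked(snapshot):
        if ext in defaults:
            fixed[ext] = defaults[ext]
    return fixed


if __name__ == "__main__":
    text, unknown = build_repair_reg(INFECTED_SNAPSHOT)
    print(text)
    if unknown:
        print("no advisory default for:", ", ".join(unknown))
```

Write the returned text to a file such as REPAIR.REG and import it only after step one (replacing SYSRNJ.EXE) has been done, since while the worm still handles REG files it tries to halt the system; importing from the renamed REGEDIT.COM on the command line avoids launching the file through the hijacked association. The REGEDIT4 header is the format understood by the Windows 98 and NT 4 Registry Editor, which is what the advisory's procedure uses.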
[Analysis: Kaspersky Labs; F-Secure Corporation; November-December 2000]