W32/Blebla@mm.Worm
| W32/Blebla@mm.Worm |
Destructivity:  Spreading: Overall risk: 
|
| • Detected by virus detection files published: 11/16/2000 | • Type: Worm |
| • Virus characteristics first published: 11/16/2000 | • Spreading mechanism: Email |
| • Virus characteristics latest update: 3/17/2004 | • Overall risk: Low |
| • Alias: W32/Verona | • Payload: |
| • Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista |
| Virus type |
Spreading mechanism |
Destructivity and payload |
Additional descriptions |
Detection and removal |
||||||||||
Email characteristics:
The MyRomeo.exe is a regular Win32 EXE file, written in Delphi and compressed using the well-known compressor UPX. When run it will access the user's Outlook Address Book and send itself to addresses listed there. The e-mail is sent through one out of six different Polish mail servers. The mail will arrive with one out of twelve different subjects:
VariantsW32/Blebla.BThis variant will arrive in email with one of the following subjects:
W32/Blebla.B sends a message to the news group alt.comp.virus. From: "Romeo&Juliet" <romeo@juliet.v> Upon execution the worm copies itself to c:\windows\sysrnj.exe. It then modifies the Registry to executed itself when any file with one of the extensions mentioned below is opened. The .B variant of the worm creates a new Registry key HKEY_CLASSES_ROOT\rnjfile and then modifies the following keys so every file with one of these file types will be associated with rnjfile and opened by sysrnj.exe (defined in the abovementioned Registry key). The (Default) value in each of the following keys is changed to rnjfile HKEY_CLASSES_ROOT |
||||||||||||||