Virus Database


I-Worm.Blebla.a

Description I-Worm.Blebla.a

This is a worm that spreads via the Internet. It was discovered in Poland on November 16, 2000. The worm arrives as an e-mail message in HTML format with two attached files: MYJULIET.CHM and MYROMEO.EXE.
When an infected message is opened, its HTML part is executed. This part contains a script that is automatically activated by Windows. By using a vulnerability in Windows scripting, the script loads and activates the CHM component of the message (the MYJULIET.CHM file). That CHM component is itself a Compressed HTML page and contains one more script. That second script executes the MYROMEO.EXE file, which is the main worm body.
So, the worm activates itself automatically when an infected message is opened or previewed. To do this, the worm uses a vulnerability in Windows scripting security: the worm's HTML component is able to run an EXE component by a method that is listed as "safe for scripting," so no warning messages are displayed when the worm runs its components (under default Windows settings).
The main worm component (the MYROMEO.EXE file) is a Windows PE executable file about 30 KB in length. This file is compressed with the UPX compression utility. When unpacked, it is a 70 KB EXE file written in Delphi, and the "pure" code in the file occupies just about 6 KB.
When it is run, it opens the Windows Address Book, reads e-mail addresses from it and sends its HTML message with the attached CHM and EXE files to those addresses. The message has a Subject that is randomly selected from the following list:
Romeo&Juliet
:))))))
hello world
!!??!?!?
subject
ble bla, bee
I Love You ;)
sorryall
Hey you !
Matrix has you...
my picture
from shake-beer
The worm has a bug and doesn't work correctly under some Windows 98/NT English editions. The worm is also able to spread only if Windows is installed in the C:\WINDOWS directory (which is hardcoded in the worm code).
Blebla.b
A remake of the original worm. When it starts, it copies itself to the system under the name "c:\windows\sysrnj.exe" and creates and modifies many Registry keys to activate this copy:
HKEY_CLASSES_ROOT\rnjfile
DefaultIcon = %1
shell\open\command = sysrnj.exe "%1" %*
This key causes the worm copy to run whenever the "rnjfile" file type is referenced. The worm then modifies the following keys:
HKEY_CLASSES_ROOT
.exe = rnjfile
.jpg = rnjfile
.jpeg = rnjfile
.jpe = rnjfile
.bmp = rnjfile
.gif = rnjfile
.avi = rnjfile
.mpg = rnjfile
.mpeg = rnjfile
.wmf = rnjfile
.wma = rnjfile
.wmv = rnjfile
.mp3 = rnjfile
.mp2 = rnjfile
.vqf = rnjfile
.doc = rnjfile
.xls = rnjfile
.zip = rnjfile
.rar = rnjfile
.lha = rnjfile
.arj = rnjfile
.reg = rnjfile
These keys cause the worm copy to start whenever a file of any of the types listed above is opened.
The worm sends itself to the alt.comp.virus newsgroups with messages:
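A defender can check for this kind of file-association hijack by reading an exported copy of HKEY_CLASSES_ROOT and confirming which handler the .exe extension resolves to. The following Python sketch is an added example, not part of the original description; the sample export is constructed, the function names are hypothetical, and it assumes the Windows default handler for .exe is "exefile".

```python
import re
from collections import defaultdict

# Constructed sample in REGEDIT4 export format (not taken from a real host).
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="rnjfile"

[HKEY_CLASSES_ROOT\.doc]
@="rnjfile"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\rnjfile\shell\open\command]
@="sysrnj.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="notepad.exe %1"
'''

def parse_defaults(reg_text):
    """Return {key path under HKCR (lowercased): default value}."""
    defaults, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = re.match(r'\[HKEY_CLASSES_ROOT\\(.+)\]$', line)
        if m:
            key = m.group(1).lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            # Undo .reg escaping (\" and \\) inside the quoted value.
            defaults[key] = re.sub(r'\\(.)', r'\1', line[3:-1])
    return defaults

def find_hijacked_associations(reg_text, expected_exe_progid="exefile"):
    """Flag any handler that claims .exe but is not the expected one."""
    defaults = parse_defaults(reg_text)
    by_progid = defaultdict(list)
    for key, value in defaults.items():
        if key.startswith('.') and '\\' not in key:  # extension keys only
            by_progid[value.lower()].append(key)
    findings = []
    for progid, exts in by_progid.items():
        if '.exe' in exts and progid != expected_exe_progid:
            cmd = defaults.get(progid + r'\shell\open\command', '')
            findings.append({'progid': progid, 'extensions': sorted(exts),
                             'command': cmd})
    return findings
```

Each finding lists every extension redirected to the unexpected handler together with the command it launches, which is the set of associations that has to be restored during cleanup.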
From: "Romeo&Juliet" [romeo@juliet.v]
Subject:[Romeo&Juliet] R.i.P.
When sending its copies to personal addresses, the worm uses an empty Subject, a randomly generated Subject, or one from the list:
Romeo&Juliet
where is my juliet ?
where is my romeo ?
hi
last wish ???
lol :)
,,...'
!!!
newborn
merry christmas!
surprise !
Caution: NEW VIRUS !
scandal !
^_^
Re:
Depending on some conditions, the worm also creates directories with random names in the Recycled folder and creates randomly named files in them.

Kotos.870

Description Kotos.870

This is a non-dangerous memory resident parasitic virus. It hooks INT 9 and INT 21h and writes itself to the end of COM files that are executed. When the F12 key is pressed, the virus beeps through the PC speaker and turns on the Num/Caps/ScrollLock keys. The virus also counts program executions and on the 32nd execution beeps through the PC speaker and displays the message:
szczescie ziemia pachniec winno
strzez sie plucia pod wiatr
RAMIREZ K2K (c) 1996 Lochow
(pozdrowienia dla pani Katarzyny Koros)

KOV Family

Description KOV Family

These are very dangerous nonmemory resident parasitic viruses. They search for COM and EXE files, then write themselves to the end of the file. The viruses do not infect the files HW*.* and CO*.*. If file with one of th @ @ @ (Type_E/Last Ver.) VIRUS...
(c) KOV (Knight Of Virus)/ Corea 9192/04/02

"Next.1785,1798":
The Return of N.EX.T part I The Being ...
Message from SVS(Seoul Virus Society) 1994/07/26

KOV.Wanderer
These are memory resident viruses. They hook INT 21h and write themselves to the beginning of COM files and to the end of EXE files that are accessed. "Wanderer.1768" also searches for files and infects them.
"Wanderer.1347" is a harmless virus; it does not manifest itself in any way. "Wanderer.1332" drops a Trojan horse. The other viruses, depending on the system time, erase disk sectors and the CMOS and halt the computer.
The viruses contain the texts:
"Wanderer.1347": [I am a Wanderer ,May 30th,1994 Korea]
"Wanderer.1589":
[The KEEPER by SVS in KOREA,1994/07/08]
Don't use any anti-virus program to cure it.
"Wanderer.1591":
[The KEEPER by SVS in KOREA,1994/07/11]
Warning! Don't use any anti-virus program to cure it.
"Wanderer.1768":
*.EXE
[I am a ASSASSIN by SVS in KOREA,1994/07/16]
Warning?! Don't use any anti-virus program to cure it.

    Copyright © 2005 Virus-Database.com