03-01-2002, 00:06
sha
hello
I have a virus on my computer; when I found it with the virus scan it was first called troj.bebla.b. and later worm.bebla.b.
According to the scan it cannot be cleaned.
Who knows what I should do about it, and what does this virus do to your computer?

PS: I found some info about this virus.

---------------------------------------------
This is a worm virus spreading via the Internet. It was discovered in Poland on November 16 2000. The worm arrives as an email message in HTML format containing two attached files: MYJULIET.CHM and MYROMEO.EXE.
When the infected message is opened, the HTML part of it is executed. That part contains a script program that is automatically activated by Windows. By using a vulnerability in Windows scripting the script program loads and activates the CHM component of the message (the MYJULIET.CHM file). That CHM component is a Compressed HTML page itself and contains one more script program in it. That second script executes the MYROMEO.EXE file - the main worm body.

So, the worm activates itself automatically when an infected message is being opened or previewed. To activate itself the worm uses a vulnerability in Windows scripting security: the worm HTML component is able to run the EXE component by a method that is listed in "safe scripting", so no warning messages are displayed when the worm runs its components (under default Windows settings).

The main worm component (MYROMEO.EXE file) is a Windows PE executable file about 30Kb of length. This file is compressed by the UPX compression utility. When unpacked it appears to be a 70Kb EXE file written in Delphi, the "pure" code in the file occupies just about 6Kb.

When it is run, it opens the Windows Address Book, reads Email addresses from there and sends its HTML message with attached CHM and EXE files to those addresses. The message has the Subject that is randomly selected from the list:

Romeo&Juliet
)))))
hello world
!!??!?!?
subject
ble bla, bee
I Love You
sorry...
Hey you !
Matrix has you...
my picture
from shake-beer

The worm has a bug and doesn't work correctly under some Windows98/NT English editions. The worm also is able to spread only if Windows is installed in the C:\WINDOWS directory (that is hardcoded in worm code).
Blebla.b
A remake of the original worm. When it starts it copies itself to the system using the filename "c:\windows\sysrnj.exe" and creates and modifies many Registry keys to activate this copy:
HKEY_CLASSES_ROOT\rnjfile
\DefaultIcon = %1
\shell\open\command = sysrnj.exe "%1" %*

this key causes the worm copy to run when "rnjfile" is referred. Then the worm modifies the keys:
HKEY_CLASSES_ROOT
\.exe = rnjfile
\.jpg = rnjfile
\.jpeg = rnjfile
\.jpe = rnjfile
\.bmp = rnjfile
\.gif = rnjfile
\.avi = rnjfile
\.mpg = rnjfile
\.mpeg = rnjfile
\.wmf = rnjfile
\.wma = rnjfile
\.wmv = rnjfile
\.mp3 = rnjfile
\.mp2 = rnjfile
\.vqf = rnjfile
\.doc = rnjfile
\.xls = rnjfile
\.zip = rnjfile
\.rar = rnjfile
\.lha = rnjfile
\.arj = rnjfile
\.reg = rnjfile

these keys cause the worm copy to start when any of the filetypes listed above are opened. The worm sends itself to alt.comp.virus newsgroups with messages:
From: "Romeo&Juliet" <romeo@juliet.v>
Subject:[Romeo&Juliet] R.i.P.

While sending its copies to the personal address the worm uses an empty Subject, random generated Subject, or one from the list:
Romeo&Juliet
where is my juliet ?
where is my romeo ?
hi
last wish ???
lol
,,...'
!!!
newborn
merry christmas!
surprise !
Caution: NEW VIRUS !
scandal !
^_^
Re:

Depending on some conditions the worm also creates disk directories with random name in the \Recycled folder and creates random named files in there.

---------------------------------------------

but it doesn't say what you can do about it!!!

and I probably got it via an attachment named: cijfer.xls.exe

[This post was edited by sha (03-01-2002).]
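
The file-association changes listed in the quoted description can be checked for in a registry export. The following is an added example, not part of the original post or of the quoted write-up: Python that parses a REGEDIT4-style export and reports any handler that has taken over `.exe`. The sample export and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in regedit export form, built from the keys listed in
# the description above (plus one harmless entry); not a dump from a real PC.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="rnjfile"

[HKEY_CLASSES_ROOT\.jpg]
@="rnjfile"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\rnjfile\shell\open\command]
@="sysrnj.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="notepad.exe %1"
'''

def parse_defaults(export_text):
    """Map each HKEY_CLASSES_ROOT subkey (lower-cased) to its default value."""
    defaults, key = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        m = re.match(r'\[HKEY_CLASSES_ROOT\\(.+)\]$', line, re.I)
        if m:
            key = m.group(1).lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            defaults[key] = line[3:-1].replace('\\"', '"').replace('\\\\', '\\')
    return defaults

def find_hijacks(export_text):
    """Return {handler: (open command, extensions)} for handlers owning .exe."""
    defaults = parse_defaults(export_text)
    by_progid = {}
    for key, value in defaults.items():
        if key.startswith('.') and '\\' not in key:
            by_progid.setdefault(value.lower(), []).append(key)
    findings = {}
    for progid, exts in by_progid.items():
        command = defaults.get(progid + '\\shell\\open\\command', '')
        # Stock Windows maps .exe to "exefile", whose open command is "%1" %*
        if '.exe' in exts and (progid != 'exefile' or command != '"%1" %*'):
            findings[progid] = (command, sorted(exts))
    return findings
```

The other extensions a flagged handler has claimed are listed with it, because their original handlers differ per machine and have to be restored individually.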
03-01-2002, 11:04
ick
another virus scanner or format c:

there's nothing more you can do to get rid of it
04-01-2002, 03:40
dystopia
-> s&m
__________________
The surest way to corrupt a youth is to instruct him to hold in higher esteem those who think alike than those who think differently - Steve Jobs