W32/BleBla.a@MM

This page shows details and results of our analysis on the malware W32/BleBla.a@MM

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Internet Worm
  • Protection Added: 2000-11-16

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5600.1067

File Length

29,184 (Myromeo.exe)

Description Added

2000-11-16

Description Modified

2001-02-01

Malware Proliferation

This is an Internet worm which uses an IFRAME exploit in an HTML email in order to run and propagate. It was written in Delphi and compressed with UPX.

This worm can arrive by email in HTML format with one of the following subject lines:

ble bla, bee
I Love You ;
sorry...
Hey you !
Matrix has you...
my picture
from shake-beer

The email appears to contain no body and no identifiable attachments; however, it is encoded to contain two files, MYROMEO.EXE and MYJULIET.CHM.

The HTML code instructs Windows to save the attachments to the C:\WINDOWS\TEMP folder and execute them from that location. The file MYROMEO.EXE contains a copy of the HTML formatted email body and instructions. MYROMEO reads addresses from the Windows Address Book (.WAB file) and sends itself to users listed there by using one of several available SMTP servers.

Creation of two files, MYROMEO.EXE and MYJULIET.CHM, in the C:\WINDOWS\TEMP folder after an email message with one of the subject lines listed above has been received and read.

TCP/IP connections from the infected machine to the following IP addresses (the SMTP servers the worm uses to send itself):

194.153.216.60
195.117.152.91
195.116.62.86
195.117.99.98
212.244.199.2
213.25.111.2

And, of course, complaints from other users that you sent them the Internet worm.

This Internet worm uses four different vulnerabilities in an attempt to run its code:

  • "IFRAME ExecCommand" Vulnerability
  • "Cache Bypass" Vulnerability
  • "scriptlet.typelib/Eyedog" Vulnerability
  • "HTML Help File Code Execution" Vulnerability

This Internet worm is contained within an HTML coded email message which also has two file attachments. The HTML code contains the "IFRAME ExecCommand" Vulnerability coupled with the "Cache Bypass" Vulnerability, allowing the two file attachments MYROMEO.EXE and MYJULIET.CHM to be saved to the local machine into the TEMP folder without notification to the user.

The file MYJULIET.CHM is then executed from the TEMP folder; it contains the "scriptlet.typelib/Eyedog" Vulnerability. This compiled HTML help file contains only a couple of lines instructing the signed HTML Help control (HH.EXE) to run MYROMEO.EXE via this vulnerability.
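As an added example (not part of the AVERT write-up), a mail-gateway check in Python that flags the delivery pattern described above: a known subject line, the dropped file names or any CHM plus EXE attachment pair, and an HTML body whose IFRAME points at an attachment by cid:. The sample message is constructed here with placeholder bytes; it is not the worm's files.

```python
"""Gateway-side check for the W32/BleBla.a@MM email layout described in the analysis."""
import email
import re
from email.message import EmailMessage
from email.policy import default

# Indicators taken from the analysis above (compared case-insensitively).
KNOWN_SUBJECTS = {"ble bla, bee", "i love you ;", "sorry...", "hey you !",
                  "matrix has you...", "my picture", "from shake-beer"}
DROPPED_FILES = {"myromeo.exe", "myjuliet.chm"}
# An IFRAME whose src refers to a MIME part (cid:) is the inline-drop pattern.
IFRAME_CID = re.compile(r"<iframe[^>]+src\s*=\s*['\"]?cid:([^'\"\s>]+)", re.I)


def inspect_message(raw: bytes) -> list[str]:
    """Return the indicators found in one RFC 822 message (empty list = clean)."""
    msg = email.message_from_bytes(raw, policy=default)
    hits = []
    if (msg["Subject"] or "").strip().lower() in KNOWN_SUBJECTS:
        hits.append("known-subject")
    names = {(p.get_filename() or "").lower() for p in msg.iter_attachments()}
    if names & DROPPED_FILES:
        hits.append("dropped-file-name")
    if any(n.endswith(".chm") for n in names) and any(n.endswith(".exe") for n in names):
        hits.append("chm-plus-exe")
    html = msg.get_body(preferencelist=("html",))
    if html is not None and IFRAME_CID.search(html.get_content()):
        hits.append("iframe-cid")
    return hits


def build_sample() -> bytes:
    """Constructed sample reproducing the layout: empty-looking HTML body plus two parts.
    The attachment bodies are placeholder bytes, not the worm."""
    m = EmailMessage()
    m["Subject"] = "Matrix has you..."
    m["From"] = "sender@example.test"
    m["To"] = "you@example.test"
    m.set_content("")
    m.add_alternative('<html><body><iframe src="cid:myjuliet.chm"></iframe></body></html>',
                      subtype="html")
    m.add_attachment(b"PLACEHOLDER", maintype="application",
                     subtype="octet-stream", filename="myromeo.exe")
    m.add_attachment(b"PLACEHOLDER", maintype="application",
                     subtype="octet-stream", filename="myjuliet.chm")
    return m.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample()))
```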


All Users:
Script, Batch, Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory resident:
Use the specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and run the command line scanner:

SCANPM /ADL /CLEAN /ALL


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other media where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool; visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.