
I-WORM/BLEBLA SPREADS USING IE SECURITY HOLE

I-Worm/Blebla, also known as I-Worm/Verona, is an e-mail worm that exploits security vulnerabilities in Microsoft Internet Explorer. The infected e-mail carries two attachments, MyRomeo.exe and MyJuliet.CHM. The attachments are embedded within the e-mail and are not visible to the user. The worm is written in Borland Delphi and compressed with the UPX file compressor.

When the e-mail is viewed, the HTML code is executed first. The script stored within the HTML executes the CHM file. The CHM file then takes control and executes MyRomeo.exe, which opens the Windows Address Book and sends e-mail carrying the worm attachments to all the addresses in it. It uses different SMTP servers located in Poland to send the e-mail and also posts messages to the alt.comp.virus newsgroup.

The subject line is randomly selected from the following list:

Romeo&Juliet
:))))))
hello world
!!??!?!?
subject
ble bla, bee
I Love You ;)
sorry...
Hey you !
Matrix has you...
my picture
from shake-beer

I-Worm/Blebla.B

Blebla.B is a modified variant of the Blebla worm. It is also packed with the UPX compressor and uses the same techniques to infect. The infected e-mail contains two attachments, XRomeo.exe and XJuliet.CHM. It changes several registry keys when infecting the machine, and these should be restored before deleting the main worm file SYSRNJ.EXE stored in the Windows folder.

To clean this worm, use REGEDIT.EXE and manually set the default value of the registry entry HKEY_CLASSES_ROOT\.reg to "regfile" [in some cases, you should rename REGEDIT.EXE to REGEDIT.COM to be able to edit the registry]. Now you can run *.REG files. Then copy the following contents into a text file with a .REG extension and double-click it in Explorer. The registry settings are now fixed. Then run FireLite and delete all infected files. The Fire Windows version does not require any manual recovery; it automatically fixes all registry entries.

REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\.jpg]
@="jpegfile"

[HKEY_CLASSES_ROOT\.jpeg]
@="jpegfile"

[HKEY_CLASSES_ROOT\.jpe]
@="jpegfile"

[HKEY_CLASSES_ROOT\.bmp]
@="Paint.Picture"

[HKEY_CLASSES_ROOT\.gif]
@="giffile"

[HKEY_CLASSES_ROOT\.avi]
@="avifile"

[HKEY_CLASSES_ROOT\.mpg]
@="mpegfile"

[HKEY_CLASSES_ROOT\.mpeg]
@="mpegfile"

[HKEY_CLASSES_ROOT\.wmf]
@=""

[HKEY_CLASSES_ROOT\.wma]
@="WMAfile"

[HKEY_CLASSES_ROOT\.wmv]
@="WMVfile"

[HKEY_CLASSES_ROOT\.mp3]
@="Winamp.File"

[HKEY_CLASSES_ROOT\.mp2]
@="Winamp.File"

[HKEY_CLASSES_ROOT\.vqf]
@=""

[HKEY_CLASSES_ROOT\.doc]
@="Word.Document.8"

[HKEY_CLASSES_ROOT\.xls]
@="Excel.Sheet.8"

[HKEY_CLASSES_ROOT\.zip]
@="WinZip"

[HKEY_CLASSES_ROOT\.rar]
@="WinRAR"

[HKEY_CLASSES_ROOT\.lha]
@="WinZip"

[HKEY_CLASSES_ROOT\.arj]
@="WinZip"

[ Note: The registry settings assume you have installed Microsoft Office 97 or above ]
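As an added illustration (not Prognet's code), the following Python check parses a REGEDIT4 file like the recovery file above and reports which file associations on a machine still differ from it; the registry snapshot is a constructed stand-in with a placeholder value, and on a real system it would be read with winreg.

```python
"""Parse a REGEDIT4 (.reg) file and compare its default values against a registry snapshot."""
import re

# Subset of the recovery .reg file above; only default values ("@=") are compared.
RECOVERY_REG = r"""REGEDIT4
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\.jpg]
@="jpegfile"
[HKEY_CLASSES_ROOT\.doc]
@="Word.Document.8"
[HKEY_CLASSES_ROOT\.zip]
@="WinZip"
"""

def parse_reg(text):
    """Return {key: {value_name: data}}; '@' is the key's default value."""
    if not text.lstrip().startswith("REGEDIT4"):
        raise ValueError("not a REGEDIT4 file")
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        sec = re.fullmatch(r"\[(.+)\]", line)
        val = re.fullmatch(r'(@|"[^"]*")="([^"]*)"', line)
        if sec:
            key = sec.group(1)
            result.setdefault(key, {})
        elif val and key is not None:
            result[key][val.group(1).strip('"')] = val.group(2)
    return result

def find_hijacked(expected, current):
    """Keys whose current default differs from what the recovery file sets."""
    return {k: (current.get(k, {}).get("@"), v["@"])
            for k, v in expected.items()
            if "@" in v and current.get(k, {}).get("@") != v["@"]}

# Constructed snapshot standing in for an infected machine's registry;
# HIJACKED_PLACEHOLDER marks a changed association, .doc has lost its default.
CURRENT_SNAPSHOT = {
    r"HKEY_CLASSES_ROOT\.exe": {"@": "exefile"},
    r"HKEY_CLASSES_ROOT\.jpg": {"@": "HIJACKED_PLACEHOLDER"},
    r"HKEY_CLASSES_ROOT\.doc": {},
    r"HKEY_CLASSES_ROOT\.zip": {"@": "WinZip"},
}

if __name__ == "__main__":
    for key, (have, want) in sorted(find_hijacked(parse_reg(RECOVERY_REG), CURRENT_SNAPSHOT).items()):
        print(f"{key}: is {have!r}, should be {want!r}")
```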

The subject of the mail message sent by the Blebla worm will be one of the following:

Romeo&Juliet
where is my juliet ?
where is my romeo ?
hi
last wish ???
lol :)
,,...'
!!!
newborn
merry christmas!
surprise !
Caution: NEW VIRUS !
scandal !
^_^
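An added detection example, not part of the original alert: a Python function that flags a message carrying one of the subject lines listed above for either variant together with the paired attachment names; the sample message it builds is constructed, not a real capture.

```python
"""Flag messages that carry the Blebla/Blebla.B indicators listed above:
the known subject lines and the paired .exe/.CHM attachment names."""
from email import message_from_string
from email.message import EmailMessage

# Subject lines listed above for Blebla and Blebla.B
KNOWN_SUBJECTS = {
    "Romeo&Juliet", ":))))))", "hello world", "!!??!?!?", "subject", "ble bla, bee",
    "I Love You ;)", "sorry...", "Hey you !", "Matrix has you...", "my picture",
    "from shake-beer", "where is my juliet ?", "where is my romeo ?", "hi",
    "last wish ???", "lol :)", ",,...'", "!!!", "newborn", "merry christmas!",
    "surprise !", "Caution: NEW VIRUS !", "scandal !", "^_^",
}
# Attachment pairs used by the two variants, compared case-insensitively
ATTACHMENT_PAIRS = [("myromeo.exe", "myjuliet.chm"), ("xromeo.exe", "xjuliet.chm")]

def attachment_names(msg):
    """Lower-cased filenames of every MIME part that declares one."""
    return {p.get_filename().lower() for p in msg.walk() if p.get_filename()}

def classify(raw):
    """Return (variant or None, reasons); a variant is named only when the
    attachment pair is present, since a subject alone is weak evidence."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    names = attachment_names(msg)
    reasons = []
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"known subject {subject!r}")
    for exe, chm in ATTACHMENT_PAIRS:
        if exe in names and chm in names:
            reasons.append(f"attachment pair {exe}+{chm}")
            return ("blebla.b" if exe.startswith("x") else "blebla"), reasons
    return None, reasons

def build_sample():
    """Constructed sample message (not a real capture) with the Blebla pair."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["Subject"] = "Matrix has you..."
    m.set_content("<html>placeholder body</html>", subtype="html")
    for name in ("MyRomeo.exe", "MyJuliet.CHM"):
        m.add_attachment(b"PLACEHOLDER", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_string()

if __name__ == "__main__":
    print(classify(build_sample()))
```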

Blebla.B carries a dangerous payload: it overwrites files with the worm code when you try to access files with the following extensions:

.ARJ, .AVI, .BMP, .DOC, .GIF, .JPG, .JPEG, .JPE, .LHA, .MP2, .MP3, .MPG, .RAR, .REF, .MPEG, .VQF, .WMF, .WMA, .WMV, .XLS, .ZIP.

How can I protect my system?

Fire has incorporated the Blebla worm and its variants in its virus signature file, with the aim of helping users affected by this worm to detect and eliminate it from their systems. Fire anti-virus users can update this signature file using the online update facility, which is available with the registered version of the Fire anti-virus kit.

Microsoft released security patches to close this hole some time ago. If you have not installed them, you can get a copy at http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

How can I find out whether my system is infected?

A free download of FireLite [ 1100KB ] is also available to detect this worm. If you find this virus, use the registered version of Fire to remove it. To get the registered version of Fire, call us at 044-28170440, mail service@fireav.com, or purchase Fire online using

[Analysis: Mr.Vijay Kumar, Mr.Xavier, Prognet Technologies Pvt. Ltd, Sept. 2000]
