Techguy
November 30, 2000, 10:41 pm
TROJ_BLEBLA.B
Risk rating:
Virus type: Trojan
Destructive: Y
Aliases:
BLEBLA.B, Romeo, Juliet, Verona, Verona.B, Romeo&Juliet
Description:
This Trojan is a variant of TROJ_BLEBLA.A and is an Internet worm which spreads by emailing a copy of itself to all addresses found in an infected user’s PC.
In the wild: Yes
Detected by pattern file#: 812
Detected by scan engine#: 5.170
Language:
English
Platform: Windows
Encrypted: No
Size of virus: 32,758 Bytes
Details:
This Trojan is a variant of TROJ_BLEBLA.A and is an Internet worm that spreads by sending a copy of itself to all addresses found in the infected user’s PC. It is a destructive virus.
Upon execution, it drops the file SYSRNJ.EXE in the Windows folder and creates a new file type called “rnjfile”.
The Trojan also changes the registration of the following files and makes itself the default program to run the following filetypes:
– EXE
– JPG, JPEG, JPE, BMP, GIF
– AVI, MPG, MPEG
– WMF, WMA, WMV
– MP3, MP2, VQF
– DOC, XLS
– ZIP, RAR, LHA, ARJ
– REG
Once it has associated itself to the file types mentioned above, upon execution it will overwrite those files with its own code and make the file executable. For example, double-clicking on the file FILENAME.ZIP overwrites the file and its filename is changed to FILENAME.ZIP.EXE. Its size is now 34KB in size, and is a copy of the Trojan.
After it registers itself, it sends an email with the subject line that may be blank, or made up of random lower case letters arranged into three or less words which are chosen from the following:
Subject: Romeo&Juliet
Subject: where is my juliet ?
Subject: where is my romeo ?
Subject: hi
Subject: last wish ???
Subject: lol http://www.helpfromtechs.com/ubb/smilies/smile.gif
Subject: ,,...
Subject: !!!
Subject: newborn
Subject:merry christmas!
Subject:suprise !
Subject: Caution: NEW VIRUS !
Subject: scandal !
Subject: ^_^
The Trojan file SYSRNJ.EXE is a Windows PE Trojan which sends email to all lists in the address book of the infected user. It uses the following 18 pre-defined SMTP servers to send the email:
212.244.199.2
195.117.152.91
195.116.62.86
194.153.216.60
195.117.99.98
213.25.111.2
Risk rating:
Virus type: Trojan
Destructive: Y
Aliases:
BLEBLA.B, Romeo, Juliet, Verona, Verona.B, Romeo&Juliet
Description:
This Trojan is a variant of TROJ_BLEBLA.A and is an Internet worm which spreads by emailing a copy of itself to all addresses found in an infected user’s PC.
In the wild: Yes
Detected by pattern file#: 812
Detected by scan engine#: 5.170
Language:
English
Platform: Windows
Encrypted: No
Size of virus: 32,758 Bytes
Details:
This Trojan is a variant of TROJ_BLEBLA.A and is an Internet worm that spreads by sending a copy of itself to all addresses found in the infected user’s PC. It is a destructive virus.
Upon execution, it drops the file SYSRNJ.EXE in the Windows folder and creates a new file type called “rnjfile”.
The Trojan also changes the registration of the following files and makes itself the default program to run the following filetypes:
– EXE
– JPG, JPEG, JPE, BMP, GIF
– AVI, MPG, MPEG
– WMF, WMA, WMV
– MP3, MP2, VQF
– DOC, XLS
– ZIP, RAR, LHA, ARJ
– REG
Once it has associated itself to the file types mentioned above, upon execution it will overwrite those files with its own code and make the file executable. For example, double-clicking on the file FILENAME.ZIP overwrites the file and its filename is changed to FILENAME.ZIP.EXE. Its size is now 34KB in size, and is a copy of the Trojan.
After it registers itself, it sends an email with the subject line that may be blank, or made up of random lower case letters arranged into three or less words which are chosen from the following:
Subject: Romeo&Juliet
Subject: where is my juliet ?
Subject: where is my romeo ?
Subject: hi
Subject: last wish ???
Subject: lol http://www.helpfromtechs.com/ubb/smilies/smile.gif
Subject: ,,...
Subject: !!!
Subject: newborn
Subject:merry christmas!
Subject:suprise !
Subject: Caution: NEW VIRUS !
Subject: scandal !
Subject: ^_^
The Trojan file SYSRNJ.EXE is a Windows PE Trojan which sends email to all lists in the address book of the infected user. It uses the following 18 pre-defined SMTP servers to send the email:
212.244.199.2
195.117.152.91
195.116.62.86
194.153.216.60
195.117.99.98
213.25.111.2