Blebla
Blebla
Type Email worm
Creator
Date Discovered 2000.11.15
Place of Origin Poland
Source Language Delphi
Platform DOS
File Type(s) .com, .exe
Infection Length 2,403-2,418 bytes
Reported Costs

Blebla, also known as Romeo and Juliet or Verona is an email worm from relatively early in the era of worms. It first appeared in late autumn of 2000 in Poland. It was also one of the earlier email worms that could infect a system automatically without requiring the user to manually download and run it. It spreads using four vulnerabilities, including "IFRAME ExecCommand" Vulnerability", "Cache Bypass" Vulnerability, "scriptlet.typelib/Eyedog" Vulnerability, and "HTML Help File Code Execution" Vulnerability.

Behavior

Blebla arrives in an email attachment with one of the following subject lines:

  • Romeo&Juliet
  • :))))))
  • hello world
  • !!??!?!?
  • subject
  • ble bla, bee
  • I Love You ;)
  • sorry…
  • Hey you !
  • Matrix has you…
  • my picture
  • from shake-beer

It has two attachments, named Myjuliet.chm and Myromeo.exe. The body contains HTML that saves the attachments to the Windows Temp folder and runs the Myjuliet.chm file. This file then executes the main worm body contained in Myromeo.exe. Myromeo.exe spawns a task named Romeo&Juliet, which can be seen in the task manager. It looks for a process named HH.exe (the program that handles .chm files) and tries to kill it to avoid alerting the user of its presence.

It then tries to propogate itself using six mail servers located in Poland including the following, none of which work any longer:

  • 213.25.111.2 memo.gate.pl
  • 194.153.216.60 mail.getin.pl
  • 195.117.152.91 dns.inter-grafix.com.pl
  • 212.244.199.2 gate.paranormix.net.pl
  • 195.116.62.86 madmax.quadsoft.com
  • 195.117.99.98 promail.pl

The worm has its own SMTP engine. It attempts to connect to one of the these servers and tries to send its email message with MIME-encoded attachments.

Variants

Blebla managed to produce a few variants, none of which were significantly more popular than the original.

Blebla.B

This variant is very similar to the original. Its attachments are named Xromeo.exe and Xjuliet.chm. Its potential subject lines include the following:

  • Romeo&Juliet
  • where is my juliet ?
  • where is my romeo ?
  • hi
  • last wish ???
  • lol :)
  • ,,…
  • !!!
  • newborn
  • merry christmas!
  • surprise !
  • Caution: NEW VIRUS !
  • scandal !
  • ^_^
  • Re:

It has an unusual method of running itself once it has been installed to the system. It alters the registry to execute the Sysrnj.exe file from the Windows folder whenever an .exe file is executed. It also alters several registry keys relevant to filles with the following extensions:

  • .jpg
  • .jpeg
  • .jpe
  • .bmp
  • .gif
  • .avi
  • .mpg
  • .mpeg
  • .wmf
  • .wma
  • .wmv
  • .mp3
  • .mp2
  • .vqf
  • .doc
  • .xls
  • .zip
  • .rar
  • .lha
  • .arj
  • .reg

When the user tries to run a file with one of the above extensions, the worm removes that file and copies itself to that location with the name of the opened file plus an .exe extension and moves the original file to the Recycled folder (which it will create if none exists). For example, if the user runs RARE_PEPE.gif, the worm will copy itself as RARE_PEPE.gif.exe and send RARE_PEPE.gif to the recycle bin, and the user will not see the gif file.

It tries to connect to a larger number of servers, including:

  • 195.117.117.6
  • 212.244.197.164
  • 195.205.96.185
  • 195.116.104.14
  • 195.117.3.111
  • 195.116.221.65
  • 212.244.67.20
  • 194.181.138.141
  • 195.205.121.183
  • 195.117.88.7
  • 212.160.95.1
  • 212.244.241.81
  • 195.205.208.33
  • 212.106.133.133
  • 195.116.72.5
  • 213.25.175.3
  • 195.117.99.98
  • 213.25.111.2

Blebla.D or J

Blebla.D (according to most antivirus products) or Blebla.J (according to its creator), comes from Malaysia and was coded by an Al-Qaeda sympathiser going by the names Melhacker and Vladimor Chamlkovic. In addition to this, he claimed responsibility for the Nedal and Atak worms (or some variants of them) and claimed he would release a "megaworm" named "Scezda", which would combine "the worst of" the Nimda, Klez, and SirCam worms if the US invaded Iraq. This claim was met with some scepticism and never materialized.

Blebla.D's .exe icon appears to be a Word document, but it is in fact a portable executable file. Inside the worm body, the text "ini hanya pada" (Malay for "this just in") can be found.

This variant also propogates itself using several email servers, which are located in places as diverse as the US, Italy and Morocco. Many of its subject lines are in Malay. It also uses a trick similar to the B variant, but instead of moving files to the Recycled, it creates a folder in the root of the C: drive named Sysmel32 where it stores these files.

Effects

The worm did not maliciously delete anything, though acheived some level of prominence in the media. It can still be found in the wild in Russia (as of this writing, August 2016), though it is not very common.

Sources

Peter Szor. Symantec, W32.Blebla.Worm. 2007.02.13

Peter Ferrie. Symantec, W32.Blebla.B.Worm. 2007.02.13

Gor Nazaryan. Symantec, W32.BleBla.J.Worm. 2007.02.13

Kaspersky Labs; F-Secure Corporation. F-Secure Antivirus, BleBla. 2000.11-12

McAfee Antivirus, W32/BleBla.a@MM.

Munir Kotadia. ZDNet, New sleeper worm has political link. 2004.07.16

-. -, 'Atak' worm linked to Al-Qaeda sympathiser. 2004.07.19

Rob Rosenberger. Youtube, Vmyths vs. Melhacker. 2010.09.17

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License