Also known as BleBla and Verona, this worm uses HTML-enhanced e-mail to infect unknowing recipients automatically and can update itself via the Internet.
Forget plain-text e-mail with malicious attachments. W32.BleBla (alias MyRomeo, MyJuliet, Verona) hails from Poland and executes automatically when the infected HTML-enhanced e-mail is previewed or read. At present, this worm does not carry a destructive payload; however, it can connect to the Internet and therefore might download a new and more dangerous payload at any time.
How It Works
BleBla arrives as an HTML-enhanced e-mail and executes when the user previews or opens the infected e-mail in MS Outlook.
Subject: Randomly chosen from a list including:
"Romeo&Juliet"
":))))))"
"hello world"
"!!??!?!?"
"subject"
"ble bla, ble"
"I Love You :)"
"sorry..."
"Hey you !"
"Matrix has you..."
"my picture"
"from shake-beer"
Body: (none)
Attached: No visible attachments are included; however, the worm's HTML coding will load two files, MyRomeo.exe and MyJuliet.chm, into the C:\WINDOWS\TEMP folder.
Once the infected e-mail is previewed or read, the user's system is infected automatically. The file MyRomeo.exe will search for and use all addresses found within the infected computer's Outlook address book to send copies of BleBla. The worm will then attempt to connect to one of the following IP addresses:
194.153.216.60
195.117.152.91
195.116.62.86
195.117.99.98
212.244.199.2
213.25.111.2
It is from these addresses that the worm can download upgraded components or new payloads.
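The indicators listed above can be checked against three kinds of evidence: a stored message, a listing of the TEMP folder, and an outbound connection log. The following is an added example, not part of the original advisory; the function names, the log line format, and all sample data are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from pathlib import PureWindowsPath

# Indicators copied from the advisory text; all sample data is constructed.
SUBJECTS = {"Romeo&Juliet", ":))))))", "hello world", "!!??!?!?", "subject",
            "ble bla, ble", "I Love You :)", "sorry...", "Hey you !",
            "Matrix has you...", "my picture", "from shake-beer"}
DROPPED = {r"c:\windows\temp\myromeo.exe", r"c:\windows\temp\myjuliet.chm"}
REMOTE_IPS = {"194.153.216.60", "195.117.152.91", "195.116.62.86",
              "195.117.99.98", "212.244.199.2", "213.25.111.2"}

def mail_hit(raw):
    """True when a message has a listed subject and carries an HTML part."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    has_html = any(p.get_content_type() == "text/html" for p in msg.walk())
    return subject in SUBJECTS and has_html

def file_hits(paths):
    """Paths matching the two dropped files, compared case-insensitively."""
    return sorted(p for p in paths
                  if str(PureWindowsPath(p)).lower() in DROPPED)

def net_hits(log_lines):
    """(source, destination) pairs for connections to a listed address.
    Assumed line format: '<timestamp> <src_ip> <dst_ip> <dst_port>'."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[2] in REMOTE_IPS:
            hits.append((fields[1], fields[2]))
    return hits

def triage(raw_mail, temp_listing, log_lines):
    """Combine the three checks into one report for a single host."""
    return {"mail": mail_hit(raw_mail),
            "files": file_hits(temp_listing),
            "network": net_hits(log_lines)}

# Constructed sample evidence (not taken from a real incident).
SAMPLE_MAIL = ("From: a@example.test\nTo: b@example.test\n"
               "Subject: Matrix has you...\nMIME-Version: 1.0\n"
               "Content-Type: text/html\n\n<html></html>\n")
SAMPLE_TEMP = [r"C:\WINDOWS\TEMP\MyRomeo.exe", r"C:\WINDOWS\TEMP\notes.txt"]
SAMPLE_LOG = ["t1 10.0.0.5 213.25.111.2 80", "t2 10.0.0.5 192.0.2.10 80"]

if __name__ == "__main__":
    print(triage(SAMPLE_MAIL, SAMPLE_TEMP, SAMPLE_LOG))
```

Several of the listed subjects ("subject", "hello world") are common in ordinary mail, so a mail match alone is weak evidence; a dropped file or a connection to a listed address on the same host is the stronger signal.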











