Threat Encyclopedia

Subtitle

Virus, spyware, worms and other threat descriptions

Selected viruses, spyware, and other threats: sorted alphabetically

0-9
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
 

Win32/Verona

Win32/Verona is an internet worm and was detected first in Poland.  It makes use of  the security vulnerability of the help system of Windows with the name "HTML Help File Code Execution".  This vulnerability enables to start the program code by means of the system HTML Help.  The above mentioned vulnerability occurs in Microsoft Explorer versions 4.0, 4.01, 5.0 and 5.01.  A detailed description of this vulnerability can be found on the address www.microsoft.com/technet/security/bulletin/fq00-037.asp.  If you have an Internet Explorer version on your system which is affected by  this vulnerability you can download a patch from the address www.microsoft.com/TechNet/security/bulletin/ms00-037.asp.

Win32/Verona.A

This is a worm written in Delphi.  Its body is compressed by means of the utility UPX.  It spreads as an email message with the subject randomly chosen from the following list:

Romeo&Juliet
:))))))
hello world
!!??!?!?
subject
ble bla, bee
I Love You ;)
sorry...
Hey you !
Matrix has you...
my picture
from shake-beer

In the attachment of the message there are files myjuliet.chm and myromeo.exe.  Files with the extension CHM contain compiled files for HTML help.  The message itself is in HTML format and it contains a script. The task of the script is to start the file myjuliet.chm.  After the message in which the worm arrives is opened the script is executed and the file myjuliet.chm is run.  This help file activates the code of the worm itself - the file myromeo.exe.  After its execution myromeo.exe sends out its copies to addresses in the address book - it does so by utilising one of the servers enabling "Relay" of the email according to the following list:

212.244.199.2
195.117.152.91
195.116.62.86
194.153.216.60
195.117.99.98
213.25.111.2

Win32/Verona.B

This worm is based on the worm Win32/Verona.A.  Names of the attachments were changed to xjuliet.chm and xromeo.exe.  The file xromeo.exe is executed in the same way as at Win32/Verona.A.  It sends out its copies and in the directory C:\Windows\ the file sysrnj.exe is created which contains the worm copy.  By manipulation with the system registry it creates an association of its copy in the file sysrnj.exe and file extensions from the following list:

exe
jpg
jpeg
jpe
bmp
gif
avi
mpg
mpeg
wmf
wma
wmw
mp3
mp2
vqf
doc
xls
zip
rar
lha
arj
reg

This causes activation of the worm  upon double clicking on a file with any of the abovementioned extensions.  List of message subjects used by this variant for its spreading was changed:

Romeo&Juliet
where is my juliet ?
where is my romeo ?
hi
last wish ???
lol :)
,,...
!!!
newborn
merry christmas!
surprise !
Caution: NEW VIRUS !
scandal !

List of servers which the worm can use was significantly extended:

195.117.117.6
212.244.197.164
195.205.96.185
195.116.104.14
195.117.3.111
195.116.221.65
212.244.67.20
194.181.138.141
195.205.121.183
195.117.88.7
212.160.95.1
212.244.241.81
195.205.208.33
212.106.133.133
195.116.72.5
213.25.175.3
195.117.99.98
213.25.111.2

Upon using the news server on the address 213.25.200.9 (news.tpi.pl) it sends a message to the conference alt.comp.virus.  The message comes from "Romeo&Juliet" <romeo@juliet.v>.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.