Selected viruses, spyware, and other threats: sorted alphabetically
Win32/Verona is an internet worm and was detected first in Poland. It makes use of the security vulnerability of the help system of Windows with the name "HTML Help File Code Execution". This vulnerability enables to start the program code by means of the system HTML Help. The above mentioned vulnerability occurs in Microsoft Explorer versions 4.0, 4.01, 5.0 and 5.01. A detailed description of this vulnerability can be found on the address www.microsoft.com/technet/security/bulletin/fq00-037.asp. If you have an Internet Explorer version on your system which is affected by this vulnerability you can download a patch from the address www.microsoft.com/TechNet/security/bulletin/ms00-037.asp.
This is a worm written in Delphi. Its body is compressed by means of the utility UPX. It spreads as an email message with the subject randomly chosen from the following list:
ble bla, bee
I Love You ;)
Hey you !
Matrix has you...
In the attachment of the message there are files myjuliet.chm and myromeo.exe. Files with the extension CHM contain compiled files for HTML help. The message itself is in HTML format and it contains a script. The task of the script is to start the file myjuliet.chm. After the message in which the worm arrives is opened the script is executed and the file myjuliet.chm is run. This help file activates the code of the worm itself - the file myromeo.exe. After its execution myromeo.exe sends out its copies to addresses in the address book - it does so by utilising one of the servers enabling "Relay" of the email according to the following list:
This worm is based on the worm Win32/Verona.A. Names of the attachments were changed to xjuliet.chm and xromeo.exe. The file xromeo.exe is executed in the same way as at Win32/Verona.A. It sends out its copies and in the directory C:\Windows\ the file sysrnj.exe is created which contains the worm copy. By manipulation with the system registry it creates an association of its copy in the file sysrnj.exe and file extensions from the following list:
This causes activation of the worm upon double clicking on a file with any of the abovementioned extensions. List of message subjects used by this variant for its spreading was changed:
where is my juliet ?
where is my romeo ?
last wish ???
Caution: NEW VIRUS !
List of servers which the worm can use was significantly extended:
Upon using the news server on the address 220.127.116.11 (news.tpi.pl) it sends a message to the conference alt.comp.virus. The message comes from "Romeo&Juliet" <email@example.com>.
© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.