Pantek Library
Rule:
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "filename="; within: 15; content: "myjuliet.chm "; nocase; flow:from_server,established; sid:724; classtype:virus; rev:3;)
--
Sid:
724 myjuliet.chm

Other Related sigs:
723 myromeo.exe
725 ble bla
726 I Love You
727 Sorry... Hey you !
728 my picture from shake-beer
735 Matrix has you...


--
Summary:
My Romeo worm.  Also Known As: Romeo and Juliet, W32/Verona, Troj Blebla.A 

--
Impact:
This is an Internet worm which uses an IFRAME exploit in HTML in order to run and propagate. It was written in Delphi and compressed with UPX. It propagates via email.

--
Detailed Information:

This worm functions only under Windows 95, Windows 98, and Windows 2000 systems that have not been updated with the latest vulnerability updates from Microsoft. No other systems are affected. It is a Windows executable that makes changes to the system registry. It does not run under Windows NT. The HTML component saves the attachments in the \Windows\Temp folder, and then executes the Myjuliet.chm (compiled HTML) file. That file then launches the Myromeo.exe file, which is the mass-mailer component of the worm. When executed, the Myromeo.exe file looks for the running copy of HH.exe (the program associated with .chm files) and tries to stop it in order to hide its activity. In the meantime, a task named Romeo&Juliet can be seen in the task list.

Next, the virus queries the Microsoft Outlook address book, and tries to propagate itself using six different mail servers that are located in Poland. Several of these servers are not currently available, and others are protected from unauthenticated email traffic. However, the worm might be able to spread inside Poland by the users of these particular mail servers:
213.25.111.2     memo.gate.pl
194.153.216.60   mail.getin.pl
195.117.152.91   dns.inter-grafix.com.pl
212.244.199.2    gate.paranormix.net.pl
195.116.62.86    madmax.quadsoft.com
195.117.99.98    promail.pl

--
Attack Scenarios:
The worm arrives as an email message that has an HTML body and two attachments named Myjuliet.chm and Myromeo.exe. The subject of the email is selected randomly from the following set:
Romeo&Juliet
hello world
subject
ble bla, bee
I Love You ;)
sorry... Hey you !
Matrix has you...
my picture from shake-beer

--
Ease of Attack:
Make sure virus dat files are updated.

--
False Positives:
Can trigger if any email contains the attachment name above; this rule tends to be very noisy.

--
False Negatives:
None Known

--
Corrective Action:
Make sure virus software is up to date.

--
Contributors:
Original Rule Writer Max Vision
Sourcefire Research Team Nigel Houghton

--
Additional References:
McAfee http://vil.nai.com/vil/content/v_98894.htm
Symantec Security Response http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
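The following is an added example, not part of the original rule documentation or of the Snort rule set: a small Python emulation of the two ordered content checks in sid:724, run over constructed POP3 response fragments. It assumes that `within: 15` binds the second content to the end of the first match (the usual Snort reading), that the trailing space the page shows inside `"myjuliet.chm "` is an artifact and can be dropped, and that the `nocase` modifier applies only to the second content, as the rule text places it. The sample payloads are made up for the example and are not captured traffic.

```python
# Added example: emulate the ordered content checks of Snort sid:724.
# Assumptions (not from the original documentation): "within:15" is read as
# binding the second content to the end of the first match, and the trailing
# space in the page's "myjuliet.chm " pattern is dropped as an artifact.

FIRST_CONTENT = b"filename="      # no nocase modifier: matched case-sensitively
SECOND_CONTENT = b"myjuliet.chm"  # nocase: matched case-insensitively
WITHIN = 15                       # second match must fit in the 15 bytes after the first


def in_rule_scope(src_port: int, from_server: bool) -> bool:
    """Rule header 'tcp any 110 -> any any' plus flow:from_server: only
    server-to-client traffic from TCP/110 (POP3 responses) is inspected."""
    return src_port == 110 and from_server


def matches_sid724(payload: bytes) -> bool:
    """Return True if the payload satisfies both content checks in order.
    Like Snort, retry later occurrences of the first content when the second
    check fails inside the window that follows the first one."""
    start = 0
    while True:
        idx = payload.find(FIRST_CONTENT, start)
        if idx == -1:
            return False
        anchor = idx + len(FIRST_CONTENT)
        window = payload[anchor:anchor + WITHIN]   # the 15 bytes "within" covers
        if SECOND_CONTENT in window.lower():       # nocase on the second content only
            return True
        start = idx + 1


# Constructed POP3 response fragments (not captured traffic) illustrating hits,
# misses, and the false positive the documentation warns about.
SAMPLES = {
    # MIME part header as the worm's mailer would produce it: hit
    "worm_attachment": b'Content-Disposition: attachment; filename="Myjuliet.chm"\r\n',
    # Attachment name in odd casing: still a hit because of nocase
    "mixed_case": b'Content-Disposition: attachment; filename="MYJULIET.CHM"\r\n',
    # "FILENAME=" in upper case: miss, because the first content has no nocase
    "upper_keyword": b'Content-Disposition: attachment; FILENAME="myjuliet.chm"\r\n',
    # Benign attachment: miss
    "benign_attachment": b'Content-Disposition: attachment; filename="quarterly_report.pdf"\r\n',
    # Name mentioned in a message body with no filename= parameter: miss
    "name_in_body": b'Subject: heads up\r\n\r\nDo not open myjuliet.chm, it is a worm.\r\n',
    # Name present, but further than 15 bytes past "filename=": miss
    "outside_window": b'filename="x"; x-note="see below"; myjuliet.chm\r\n',
    # Two filename= parameters; the retry finds the second one: hit
    "second_occurrence": b'filename="readme.txt"\r\nfilename="myjuliet.chm"\r\n',
    # The documented false positive: a harmless notice whose attachment name
    # merely starts with the worm's filename also trips the rule
    "fp_av_notice": b'Content-Disposition: attachment; filename="myjuliet.chm.txt"\r\n',
}


def scan_samples() -> dict:
    """Apply the emulated rule to every constructed sample."""
    return {name: matches_sid724(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:20s} {'ALERT' if hit else 'no alert'}")
```

The `upper_keyword` and `fp_av_notice` samples show the two properties of the rule that follow directly from its text: only the attachment name is matched case-insensitively, and any `filename=` parameter that begins with `myjuliet.chm` triggers an alert regardless of what the attachment actually is, which is why the documentation calls the rule noisy.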
