Suddenly my son had some problems on his PC.
We scanned his PC with McAfee and Norton and found
189 infected files with SubSeven, SubSeven plugins, JS.Seeker and the W32.Blebla.B worm.
SubSeven and JS.Seeker are Trojans.
W32.Blebla.B is an update of the W32.Blebla worm. It normally arrives in an email.
My son didn't open any email; he downloaded a game .exe with a program named Kazaa,
and after deleting the game the problems were there.
W32.Blebla.B.Worm
It arrives as an email message with an HTML body and two attachments (xromeo.exe and xjuliet.chm).
When you read the message, the two attachments are AUTOMATICALLY saved and LAUNCHED; merely viewing the message is enough, no attachment has to be opened by hand.
What the worm does
- When a file of a hijacked type is opened, the worm moves the original to C:\Recycled under a different name
and puts a copy of itself in its place, with .exe appended to the name.
Example: mygame.zip becomes mygame.zip.exe, and that file is now the worm.
- Once sysrnj.exe has been quarantined, starting any program gives a popup window with the
message:
"Windows cannot find sysrnj.exe. This program is needed for opening files of type ."
(The worm has pointed the file associations at sysrnj.exe; with that file gone, nothing can be launched through them until the associations are repaired.)
- The worm has its own email engine and sends itself to several addresses through
Microsoft Outlook.
- Runs only under Windows 95/98/2000.
- The worm also changes registry keys (the file associations under HKEY_CLASSES_ROOT, see the removal steps below).
Removal instructions, how we did it.
We ran the Norton antivirus program and quarantined all 189 files.
We didn't look for any infected files individually; too many, hopeless.
After this, whenever we tried to open a program we always got the message
"Windows cannot find sysrnj.exe. This program is needed for opening files of type ."
- Shut the computer down and leave the power off for at least 30 seconds
(this clears the worm from memory; a warm reset is not enough).
- Start the computer and bring up the Windows startup menu
(Windows 95: press F8 when "Starting Windows 95" appears;
Windows 98: hold down the Ctrl key during startup).
- The Windows startup menu appears during startup.
- Press the number for Safe Mode (3) and Enter.
- Open an MS-DOS prompt.
- Type copy regedit.exe regedit.com and Enter
( C:\windows>copy regedit.exe regedit.com )
1 file(s) copied
The worm has hijacked the .exe association, so launching regedit.exe through the shell would go via rnjfile to sysrnj.exe; a .com copy of the same program bypasses that association.
- Type start regedit.com and Enter.
- Go to HKEY_CLASSES_ROOT\.exe
( the .exe key, not the exefile key further down the list )
- In the right-hand pane double-click "Default"
("Standard" on some non-English versions of Windows).
- An edit dialog box appears.
- Delete or overwrite the value with exefile and click OK.
- Go to HKEY_CLASSES_ROOT\rnjfile
(further down the list; shown as rnjfile or RNJFILE).
- Delete the whole rnjfile key.
- Go to the Edit menu and click Find.
- In the Find box enter rnjfile.
( Each infected key is now shown one by one: change the key's default value as listed below, then press F3 to go to
the next one; start with the first one found. )
All these keys live under HKEY_LOCAL_MACHINE\SOFTWARE\Classes (HKEY_CLASSES_ROOT is a view of the same data); regedit jumps there automatically,
watch the tree on the left of the window.
The values below are the ones that were on our machine; the correct default depends on which programs are installed (WinZip, Winamp, Office and so on), so on another PC check what the application itself registers before typing a value in. For each key, double-click "Default", enter the value, click OK, then press F3 for the next hit:
- .arj  WinZip
- .avi  AVIFile
- .bmp  Paint.Picture
- .doc  Word.Document.8 (default value)
- .gif  giffile
- .jpeg  jpegfile
- .jpe  jpegfile (?)
- .jpg  jpegfile
- .LHA  write nothing here, leave it empty
- .mp2  mpegfile
- .mp3  mp3file
- .mpeg  mpegfile
- .mpg  mpegfile
- .rar  (value not recorded)
- .reg  regfile
- .vqf  leave it empty
- .wma  Winamp.File
- .wmf  (value not recorded)
- .wmv  videofile
- .xls  Excel.Sheet.8 (default value)
- .zip  WinZip
- RESTART the computer.
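As an added example (not from this page or from Symantec), the following Python script does the Find/F3 pass above on a registry export instead of by hand: it parses a REGEDIT4 export (regedit /e on Windows 9x), lists the extensions the worm has pointed at rnjfile, flags keys whose command launches sysrnj.exe, and writes a REGEDIT4 fix file that restores the defaults from the list above and deletes the rnjfile key. The sample export is constructed, the sysrnj.exe command line in it is only a guess at the shape of such an entry, and the default ProgIDs are the ones recorded on our machine, which are assumptions for any other PC.

```python
# Added example, not code from the original page or from Symantec.
import re

HIJACK_PROGID = "rnjfile"
WORM_EXE = "sysrnj.exe"
# HKEY_CLASSES_ROOT and HKLM\SOFTWARE\Classes are two views of the same data.
CLASSES_ROOTS = ("HKEY_CLASSES_ROOT\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\")

# Default ProgIDs as recorded on the page (one particular machine).
# Assumption: other PCs may register different applications.
KNOWN_DEFAULTS = {
    ".exe": "exefile", ".arj": "WinZip", ".avi": "AVIFile",
    ".bmp": "Paint.Picture", ".doc": "Word.Document.8", ".gif": "giffile",
    ".jpeg": "jpegfile", ".jpe": "jpegfile", ".jpg": "jpegfile", ".lha": "",
    ".mp2": "mpegfile", ".mp3": "mp3file", ".mpeg": "mpegfile",
    ".mpg": "mpegfile", ".reg": "regfile", ".vqf": "", ".wma": "Winamp.File",
    ".wmv": "videofile", ".xls": "Excel.Sheet.8", ".zip": "WinZip",
}

# Constructed excerpt of a "regedit /e" export from an infected Win98 box.
# The sysrnj.exe command line is a guessed shape, not a captured value.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="rnjfile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\.xyz]
@="rnjfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.zip]
@="rnjfile"

[HKEY_CLASSES_ROOT\rnjfile\shell\open\command]
@="C:\\WINDOWS\\SYSRNJ.EXE \"%1\" %*"
'''

# Value line: @=... or "name"=... ; quoted names may contain escaped quotes.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # REGEDIT4 doubles backslashes and backslash-escapes quotes inside strings.
    return re.sub(r"\\(.)", r"\1", s)


def parse_regedit4(text):
    """Return {key_path: {value_name: data}}; "" is the key's Default value.
    Only string data is decoded; dword:/hex: data is kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.startswith("REGEDIT4")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _class_name(key_path):
    # Strip either classes prefix; None if the key is not a class key at all.
    upper = key_path.upper()
    for root in CLASSES_ROOTS:
        if upper.startswith(root):
            return key_path[len(root):]
    return None


def find_hijacked_extensions(keys):
    """Extensions (top-level .xxx class keys) whose Default ProgID is rnjfile."""
    found = set()
    for path, values in keys.items():
        name = _class_name(path)
        if (name and name.startswith(".") and "\\" not in name
                and values.get("", "").lower() == HIJACK_PROGID):
            found.add(name.lower())
    return sorted(found)


def find_worm_commands(keys):
    """Keys whose Default data runs sysrnj.exe (the rnjfile open command)."""
    return sorted(p for p, v in keys.items() if WORM_EXE in v.get("", "").lower())


def build_fix(extensions):
    """REGEDIT4 text restoring each extension's default and deleting rnjfile.
    Extensions with no known default get a ';' comment instead of a value."""
    lines, unknown = ["REGEDIT4", ""], []
    for ext in extensions:
        if ext in KNOWN_DEFAULTS:
            lines += ["[HKEY_CLASSES_ROOT\\%s]" % ext,
                      '@="%s"' % KNOWN_DEFAULTS[ext], ""]
        else:
            unknown.append(ext)
    for ext in unknown:
        lines.append("; %s: original ProgID not known, set it by hand" % ext)
    if unknown:
        lines.append("")
    lines += ["[-HKEY_CLASSES_ROOT\\%s]" % HIJACK_PROGID, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_regedit4(SAMPLE_EXPORT)
    print("hijacked:", find_hijacked_extensions(parsed))
    print("worm commands:", find_worm_commands(parsed))
    print(build_fix(find_hijacked_extensions(parsed)))
```

The fix file cannot simply be double-clicked while .reg itself still points at rnjfile; import it from inside regedit.com (Registry menu, Import Registry File) or from the Safe Mode MS-DOS prompt. Extensions the script does not know are listed as comments rather than guessed, so nothing gets written that the list above does not support.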
Optional check:
Look for files like
xromeo.exe and xromeo*.*
xjuliet.chm and xjuliet*.*
001.txt
002.txt
sysrnj.exe and sysrnj*.*
If a folder named HI is found, delete it.
If the worm has run more than once, the files have different names, such as xromeo.lgc,
xromeo(1).exe, xjuliet(2).chm etc.
Delete all these files (001.txt and 002.txt are generic names, so check that they are the worm's before deleting them).
That's it.
More info here at Symantec: W32.Blebla.B.Worm