File: 728.txt

Package: snort 2.3.3-11
Rule:

--
Sid:
728


--
Summary:
This event is generated when worm activity is detected. More specifically,
this event indicates possible "My Romeo" propagation.

--
Impact:
Serious. The victim host may be infected with a worm.

--
Detailed Information:
This worm propagates via electronic mail and exploits a known
vulnerability in the way that versions of Microsoft Outlook and Internet
Explorer handle trusted HTML pages. The worm is launched via a compiled
HTML file (.chm) of the kind used by Microsoft Windows Help.

The executable part of the worm is called from within the trusted
compiled HTML file. The worm attempts to propagate using hard coded
addresses of SMTP servers.

This worm is also known as: Romeo and Juliet, W32/Verona, TrojBlebla.A

--
Affected Systems:
	Microsoft Windows 9x
	Microsoft Windows 2000

--
Attack Scenarios:
Symantec Anti-Virus center states that the worm arrives as an email
message that has an HTML body and two attachments named Myjuliet.chm
and Myromeo.exe. The subject of the email is selected at random from
the following set:

Romeo&Juliet
hello world
subject
ble bla, bee
I Love You ;)
sorry...
Hey you !
Matrix has you...
my picture
from shake-beer

--
Ease of Attack:
Simple. This is worm activity.

--
False Positives:
Legitimate electronic mail containing the known subject lines used by
MyRomeo may cause this rule to generate an event.
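The triage described in the two sections above, as an added example that is not part of the original rule documentation: a Python function that grades a mail message by the two indicators the documentation names, the attachment file names and the subject-line set, so that a subject-only match (the false-positive case) is reported separately from a message actually carrying the worm's attachments. The helper build_sample and the messages it produces are constructed for illustration, not real captures.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines and attachment names the rule documentation attributes to MyRomeo.
MYROMEO_SUBJECTS = {
    "Romeo&Juliet", "hello world", "subject", "ble bla, bee", "I Love You ;)",
    "sorry...", "Hey you !", "Matrix has you...", "my picture", "from shake-beer",
}
MYROMEO_ATTACHMENTS = {"myjuliet.chm", "myromeo.exe"}


def classify_message(raw: bytes) -> str:
    """Triage one RFC 822 message: 'worm', 'suspect' or 'clean'.

    'worm'    - an attachment carries one of the worm's file names
    'suspect' - only the subject matches; this is the false-positive case the
                documentation describes (legitimate mail with a listed subject)
    'clean'   - neither indicator is present
    """
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    # Attachment names are compared case-insensitively (Windows file names).
    names = {(part.get_filename() or "").lower() for part in msg.iter_attachments()}
    if names & MYROMEO_ATTACHMENTS:
        return "worm"
    if subject in MYROMEO_SUBJECTS:
        return "suspect"
    return "clean"


def build_sample(subject: str, attachment_names) -> bytes:
    """Build a constructed test message (hypothetical helper, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("<html><body>hello</body></html>", subtype="html")
    for name in attachment_names:
        msg.add_attachment(b"\x00\x01", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify_message(build_sample("Matrix has you...", ["Myjuliet.chm", "Myromeo.exe"])))
    print(classify_message(build_sample("hello world", ["report.pdf"])))
```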

--
False Negatives:
None Known

--
Corrective Action:
Apply the appropriate vendor supplied patches and service packs.

Use anti-virus software to detect and delete virus-laden email.

This worm makes changes to the system registry; removal of the affected
registry keys should be done using an appropriate virus removal tool or
by an experienced Windows administrator.

--
Contributors:
Original Rule Writer Max Vision <vision@whitehats.com>
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

McAfee
http://vil.nai.com/vil/content/v_98894.htm

Symantec Security Response
http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html

--