Rule:

--
Sid:
724

--
Summary:
This event is generated when My Romeo worm activity is detected. (Also 
Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A)

--
Impact:
This is an Internet worm that uses an IFRAME exploit in an HTML email body 
in order to run and propagate. The worm was written in Delphi, is 
compressed with UPX, and propagates via email.

--
Detailed Information:

This worm functions only under Windows 95, Windows 98, and Windows 2000 
systems that have not been updated with the latest security updates from 
Microsoft. No other systems are affected. It is a Windows executable that 
makes changes to the system registry.

It does not run under Windows NT. The HTML component saves the 
attachments in the \Windows\Temp folder and then executes the 
Myjuliet.chm (compiled HTML) file. That file then launches the 
Myromeo.exe file, which is the mass-mailer component of the worm. When 
executed, Myromeo.exe looks for the running copy of HH.exe (the viewer 
associated with .chm files) and tries to stop it in order to hide its 
activity. In the meantime, a task named Romeo&Juliet can be seen in the 
task list.

Next, the worm queries the Microsoft Outlook address book and tries to 
propagate itself using six different mail servers located in Poland. 
Several of these servers are no longer available, and others reject 
unauthenticated email traffic. However, the worm may still be able to 
spread within Poland among users of these particular mail servers:
	213.25.111.2 memo.gate.pl
	194.153.216.60 mail.getin.pl
	195.117.152.91 dns.inter-grafix.com.pl
	212.244.199.2 gate.paranormix.net.pl
	195.116.62.86 madmax.quadsoft.com
	195.117.99.98 promail.pl

Other related rules:
	723 myromeo.exe
	725 ble bla
	726 I Love You
	727 Sorry... Hey you !
	728 my picture from shake-beer
	735 Matrix has you...

--
Attack Scenarios:
The worm arrives as an email message that has an HTML body and two 
attachments named Myjuliet.chm and Myromeo.exe. The subject of the email
is selected randomly from the following set:

Romeo&Juliet
hello world
subject
ble bla, bee
I Love You ;)
sorry...
Hey you !
Matrix has you...
my picture
from shake-beer
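The message structure described above (one of the listed subjects, an HTML body, and the two attachments Myjuliet.chm and Myromeo.exe) can be checked offline with the following Python script. It is an added example, not code from the original Snort documentation or the worm writeups it cites: it parses a raw message with the standard library, matches the subject against the list above, and records the attachment names and whether the HTML body carries an IFRAME, so that a subject-only hit (the noisy case noted under False Positives) is reported separately from a message that also carries the worm's attachments. The sample messages and their HTML body are constructed here for the example; the worm's real HTML is not reproduced on this page.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject strings used by the worm, as listed in the Attack Scenarios above.
ROMEO_SUBJECTS = (
    "Romeo&Juliet", "hello world", "subject", "ble bla, bee", "I Love You ;)",
    "sorry...", "Hey you !", "Matrix has you...", "my picture", "from shake-beer",
)
# The two attachments the worm always carries.
ROMEO_ATTACHMENTS = frozenset({"myjuliet.chm", "myromeo.exe"})


def analyze(raw: bytes) -> dict:
    """Classify one raw RFC 822 message.

    Verdicts:
      'worm'          both worm attachments present (high confidence)
      'suspicious'    a worm subject plus an IFRAME in the HTML body,
                      or a worm subject plus one of the two attachment names
      'subject-only'  only the subject matched (the noisy case)
      'clean'         nothing matched
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    # Substring, case-insensitive: this is what makes subject-only matching noisy.
    subject_hit = any(s.lower() in subject.lower() for s in ROMEO_SUBJECTS)

    attachments = set()
    iframe_in_html = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            attachments.add(name.lower())
        if part.get_content_type() == "text/html":
            if "<iframe" in part.get_content().lower():
                iframe_in_html = True

    worm_files = attachments & ROMEO_ATTACHMENTS
    if worm_files == ROMEO_ATTACHMENTS:
        verdict = "worm"
    elif subject_hit and (iframe_in_html or worm_files):
        verdict = "suspicious"
    elif subject_hit:
        verdict = "subject-only"
    else:
        verdict = "clean"
    return {
        "subject": str(subject),
        "subject_hit": subject_hit,
        "attachments": sorted(attachments),
        "iframe_in_html": iframe_in_html,
        "verdict": verdict,
    }


def build_message(subject: str, html: str, attachment_names=()) -> bytes:
    """Construct a sample message (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("plain-text fallback")
    msg.add_alternative(html, subtype="html")
    for name in attachment_names:
        # A few placeholder bytes stand in for the real executables.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Illustrative HTML only (assumption): the worm's real body is not on this page.
WORM_HTML = ('<html><body><iframe src="cid:myjuliet.chm" height=0 width=0>'
             '</iframe></body></html>')

SAMPLES = {
    "worm": build_message("Romeo&Juliet", WORM_HTML,
                          ("Myjuliet.chm", "Myromeo.exe")),
    "subject_only": build_message("Re: subject for Friday's meeting",
                                  "<html><body>See you then.</body></html>"),
    "clean": build_message("Quarterly report",
                           "<html><body>Attached.</body></html>",
                           ("report.pdf",)),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        r = analyze(raw)
        print(f"{label:13s} verdict={r['verdict']:13s} "
              f"subject_hit={r['subject_hit']} attachments={r['attachments']} "
              f"iframe={r['iframe_in_html']}")
```

The "subject" string alone matches an ordinary reply such as "Re: subject for Friday's meeting", which is why an alert from this family of rules should be confirmed against the attachment names before any response action is taken.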

--
Ease of Attack:
Simple. The HTML body of the message uses the IFRAME vulnerability to 
save and run the attachments, so the worm executes when the message is 
viewed on an unpatched Windows 95, 98, or 2000 system; the user does not 
have to open the attachments.

--
False Positives:
This rule can trigger on any email whose subject contains one of the 
strings listed above. Several of those strings ("hello world", 
"subject", "sorry...") occur in ordinary mail, so the rule tends to be 
very noisy.

--
False Negatives:
None Known

--
Corrective Action:
Make sure antivirus software and its definition (DAT) files are up to 
date, and apply the current Microsoft security updates to affected 
Windows 95, 98, and 2000 systems. On an infected host, end the 
Romeo&Juliet task and remove Myjuliet.chm and Myromeo.exe from the 
\Windows\Temp folder.

--
Contributors:
Original Rule Writer Max Vision <vision@whitehats.com>
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Neal Timm <nealtimm@sbcglobal.net>

--
Additional References:

McAfee
http://vil.nai.com/vil/content/v_98894.htm

Symantec Security Response
http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
