GEN:SID 1:725
Message Virus - Possible MyRomeo Worm
Summary This event is generated when worm activity is detected. More specifcally
this event indicates possible "My Romeo" propogation.
Impact Serious. The victim host may be infected with a worm.
Detailed Information This worm propogates via electronic mail and exploits a known
vulnerability in the way that versions of Microsoft Outlook and Internet
Explorer handle trusted HTML pages. The worm is launched via a compiled
HTML file (.chm) which is used by Microsoft WIndows Help.

The executable part of the worm is called from within the trusted
compiled HTML file. The worm attempts to propagate using hard coded
addresses of SMTP servers.

This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
Affected Systems Microsoft Windows 9x
    Microsoft Windows 2000
Attack Scenarios Symantec Anti-Virus center states that the worm arrives as an email
message that has an HTML body and two attachments named Myjuliet.chm
and Myromeo.exe. The subject of the email is selected at random from
the following set:

Romeo&Juliet
hello world
subject
ble bla, bee
I Love You ;)
sorry...
Hey you !
Matrix has you...
my picture
from shake-beer
Ease of Attack Simple. This is worm activity.
Corrective Action Apply the appropriate vendor supplied patches and service packs.

Use Anti-Virus software to detect and delete virus laden email.

This worm makes changes to the system registry, removal of the affected
registry keys should be done using an appropriate virus removal tool or
by an experienced Windows administrator.
Additional References McAfee
http://vil.nai.com/vil/content/v_98894.htm

Symantec Security Response
http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html