
W32/Braid.a@MM

Type: Virus
SubType: File Infector
Discovery Date: 11/04/2002
Length: 114,687 bytes (README.EXE); 4,608 bytes (BRIDE.EXE)
Minimum DAT: 4232 (11/06/2002)
Updated DAT: 4234 (11/20/2002)
Minimum Engine: 5.1.00
Description Added: 11/04/2002
Description Modified: 11/18/2002 4:51 AM (PT)
Risk Assessment (Corporate User): Low-Profiled
Risk Assessment (Home User): Low-Profiled


Characteristics

Detection for W32/Braid@MM was included in the 4232 DAT files, although the README.TXT shipped with those DATs does not reflect this.

--- Update November 4, 2002 ---

The risk assessment of this threat was updated to Low-Profiled due to media attention.

This mass-mailing virus uses its own SMTP engine to send itself to addresses found on the local system. It forges the From: address to conceal the true sender, and it exploits an Internet Explorer vulnerability so that it is executed when an infected message is merely viewed in a vulnerable mail client. It also drops a file-infecting virus that can spread over network shares.

The worm arrives in an email message containing the following information:

From: Sender's Windows registered user name
Subject: Sender's Windows registered company name
Body: Hello,

Product Name: Microsoft Windows %version of Windows on the infected sender's system%
Product Id: %Windows ID on the infected sender's system%
Product Key: %Windows key on the infected sender's system%

Process List:
%processes running on the infected sender's system%

Thank you.

Attachment: README.EXE

The virus exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability (MS01-020) in Microsoft Internet Explorer 5.01 and 5.5 without Service Pack 2. Because Outlook and Outlook Express use the IE engine to render HTML mail, the virus runs when the message is simply viewed or previewed in a vulnerable client; no click on the attachment is needed. Gateway scanners detect samples using this exploit as Exploit-MIME.gen or Exploit-MIME.gen.exe with the 4213 DATs (or higher).
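The check a mail gateway needs for this trick, as an added example (not McAfee's Exploit-MIME signature, whose logic the advisory does not describe), written in Python with the standard email library: it flags any MIME part whose declared media type IE would render inline (audio, image, video, text) but whose content is an executable, and separately matches the Braid message template above. The sample message is constructed to resemble the description; audio/x-wav is the declared type seen in real MS01-020 exploitation, while the marker strings, extension list and function names are my own choices.

```python
import base64
import email
from email import policy

# Extensions Windows executes directly; catches an executable attachment
# whatever media type the MIME header claims for it.
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".ocx")

# Top-level media types a vulnerable IE 5.01/5.5 renders inline. MS01-020 is
# triggered by declaring an executable attachment under one of these so the
# mail client "renders" (runs) it when the message is viewed.
INLINE_MAINTYPES = ("audio", "image", "video", "text")

# Body strings taken from the message template in the advisory.
BRAID_BODY_MARKERS = ("Product Name: Microsoft Windows", "Product Key:", "Process List:")


def _declared_name(part):
    # Content-Disposition filename, falling back to the Content-Type name= parameter.
    return (part.get_filename() or "").lower()


def find_mime_exploit_parts(raw_eml):
    """Return MIME parts whose declared type is inline-renderable but whose content
    is an executable: a PE 'MZ' header after decoding, or an executable extension."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        name = _declared_name(part)
        is_pe = payload[:2] == b"MZ"
        if (is_pe or name.endswith(EXEC_EXTENSIONS)) and part.get_content_maintype() in INLINE_MAINTYPES:
            findings.append({"content_type": part.get_content_type(), "name": name, "pe_header": is_pe})
    return findings


def matches_braid_template(raw_eml):
    """True when the body carries the Braid template and README.EXE is attached."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    has_markers = all(marker in text for marker in BRAID_BODY_MARKERS)
    has_readme = any(_declared_name(p) == "readme.exe" for p in msg.walk() if not p.is_multipart())
    return has_markers and has_readme


# Constructed sample (not a real capture): a text body with the Braid template and
# an executable attachment declared as audio/x-wav. The "PE" is just a DOS header stub.
_FAKE_PE = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
SAMPLE_EML = (
    "From: Some User <user@example.invalid>\r\n"
    "To: user@example.invalid\r\n"
    "Subject: Example Company\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="BOUND"\r\n'
    "\r\n"
    "--BOUND\r\n"
    'Content-Type: text/plain; charset="us-ascii"\r\n'
    "\r\n"
    "Hello,\r\n\r\n"
    "Product Name: Microsoft Windows 98\r\n"
    "Product Id: 00000-000-0000000-00000\r\n"
    "Product Key: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX\r\n\r\n"
    "Process List:\r\nEXPLORER.EXE\r\nREADME.EXE\r\n\r\n"
    "Thank you.\r\n"
    "--BOUND\r\n"
    'Content-Type: audio/x-wav; name="README.EXE"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    f"{_FAKE_PE}\r\n"
    "--BOUND--\r\n"
).encode()

if __name__ == "__main__":
    print(find_mime_exploit_parts(SAMPLE_EML))
    print("Braid template:", matches_braid_template(SAMPLE_EML))
```

The type/content mismatch test is the durable part: it does not depend on the attachment name or on the exact media type a given sample uses, so it also catches other MS01-020 mailers, whereas the template match is specific to this worm's message.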

When run, the virus copies itself to the WINDOWS SYSTEM directory (%SysDir%) as REGEDIT.EXE (note: the legitimate REGEDIT.EXE lives in the WINDOWS directory, not in WINDOWS\SYSTEM) and creates a registry run value to load itself at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run\regedit=C:\Windows\System\regedit.exe

The virus also drops a file-infecting virus into the WINDOWS SYSTEM folder as BRIDE.EXE and MSCONFIG.EXE (note: on Windows 98/ME a legitimate MSCONFIG.EXE also lives in that folder, so the name alone does not identify the dropper). These dropper files are detected as W32/FunLove.dr with the 4132 (or newer) DATs. When a dropper is run, it infects 32-bit PE (Portable Executable) .EXE, .OCX, and .SCR files on the system, and on reachable network shares, with a modified version of the W32/FunLove virus. Infected files are detected as W32/FunLove.gen with the 4132 (or newer) DATs and the current engine.

Symptoms

Presence of the following files:

  • HELP.EML
  • %Desktop folder%\Explorer.exe
  • %SysDir%\Bride.exe
  • %SysDir%\Regedit.exe (note: the legitimate Regedit.exe is in the WINDOWS directory, not %SysDir%)

The worm's file version information (shown on the Version tab of the file's Properties dialog) poses as an anti-virus product:

anti virus world system Trend Microsoft Inc
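A host-triage check for the persistence entry and the dropped files listed above, as an added example that is not part of the advisory: Python over a .reg export of the Run keys and a file inventory, both constructed here. Rather than matching only the literal regedit value, it flags any Run entry that launches a file named like a Windows binary (regedit.exe, explorer.exe) from outside that binary's genuine directory, which is the general pattern behind both the %SysDir%\Regedit.exe and Desktop\Explorer.exe copies. Directory defaults assume the Windows 9x layout; the function names and sample data are mine.

```python
import ntpath
import re

# Run keys whose values autostart at logon (HKLM and HKCU); compared lower-cased.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Windows binaries the worm impersonates, mapped to the directory (relative to
# %WinDir%) where the genuine copy lives: both sit directly in %WinDir%.
SYSTEM_BINARY_HOME = {"regedit.exe": "", "explorer.exe": ""}

_REG_KEY_RE = re.compile(r"^\[(.+)\]$")
_REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_run_entries(reg_text):
    """Return (key, value_name, command) for string values under the Run keys of a
    .reg export. Exports double every backslash inside string data; undo that."""
    entries, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = _REG_KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = _REG_VALUE_RE.match(line)
        if m and key in RUN_KEYS:
            entries.append((key, m.group("name"), m.group("data").replace("\\\\", "\\")))
    return entries


def _executable_of(command):
    # First token of a Run value: a quoted path, or everything up to the first space.
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def find_masquerading_run_entries(entries, windir=r"C:\WINDOWS"):
    """Flag Run values that launch a file named like a Windows binary from a
    directory other than that binary's genuine location."""
    hits = []
    for key, name, command in entries:
        exe = _executable_of(command)
        home = SYSTEM_BINARY_HOME.get(ntpath.basename(exe).lower())
        if home is None:
            continue
        expected = ntpath.normpath(ntpath.join(windir, home)).lower()
        actual = ntpath.normpath(ntpath.dirname(exe)).lower()
        if actual != expected:
            hits.append({"key": key, "value": name, "path": exe, "expected_dir": expected})
    return hits


def find_dropped_files(paths, windir=r"C:\WINDOWS", sysdir=None, desktop=None):
    r"""Match a file inventory against the dropped files listed in the advisory.
    Defaults assume the Windows 9x layout (%SysDir% = %WinDir%\SYSTEM, Desktop under
    %WinDir%); on NT-family systems pass the real directories."""
    sysdir = sysdir or ntpath.join(windir, "SYSTEM")
    desktop = desktop or ntpath.join(windir, "Desktop")
    indicators = {
        ntpath.normpath(ntpath.join(sysdir, "bride.exe")).lower(): "W32/FunLove.dr dropper",
        ntpath.normpath(ntpath.join(sysdir, "regedit.exe")).lower(): "worm copy (genuine regedit.exe is in %WinDir%)",
        ntpath.normpath(ntpath.join(desktop, "explorer.exe")).lower(): "worm copy on the Desktop",
    }
    hits = []
    for p in paths:
        normalized = ntpath.normpath(p).lower()
        if normalized in indicators:
            hits.append((p, indicators[normalized]))
        elif ntpath.basename(normalized) == "help.eml":
            hits.append((p, "HELP.EML (advisory gives no directory; matched by name)"))
    return hits


# Constructed inputs (not real captures): a Run-key export and a file inventory as a
# Windows 98 machine would look after the worm ran.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"regedit"="C:\\Windows\\System\\regedit.exe"
"""

SAMPLE_PATHS = [
    r"C:\WINDOWS\REGEDIT.EXE",          # genuine, must not be flagged
    r"C:\WINDOWS\SYSTEM\REGEDIT.EXE",   # worm copy
    r"C:\WINDOWS\SYSTEM\BRIDE.EXE",
    r"C:\WINDOWS\SYSTEM\MSCONFIG.EXE",  # also dropped, but the genuine file lives here on 9x: needs AV/hash, not a path check
    r"C:\WINDOWS\Desktop\Explorer.exe",
    r"C:\WINDOWS\SYSTEM\HELP.EML",
    r"C:\WINDOWS\NOTEPAD.EXE",
]

if __name__ == "__main__":
    for hit in find_masquerading_run_entries(parse_run_entries(SAMPLE_REG)):
        print("Run key:", hit)
    for path, why in find_dropped_files(SAMPLE_PATHS):
        print("File:", path, "-", why)
```

The MSCONFIG.EXE case shows the limit of path-based indicators: where the dropper reuses the name and directory of a genuine file, only a scan with current DATs or a hash comparison separates the two.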

Method of Infection

This worm arrives in an email message. Once run, it drops a PE file infector that infects .EXE, .OCX, and .SCR files.

The worm harvests email addresses from .DBX (Outlook Express mail store) and .HTM files on the local system and sends itself to them. A harvested address is placed in both the To: and From: fields, so the From: address is forged (spoofed) and does not identify the infected machine. The virus can also terminate security software processes.

Removal

AVERT recommends always using the latest DATs and engine; with that combination this threat is detected and cleaned.

On Windows ME and XP, System Restore can keep copies of infected files in restore points and put them back after cleaning; temporarily disable System Restore before scanning and re-enable it afterwards.

Variants

    N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-worm.Bradex (AVP)
  • I-Worm.Bridex (AVP)
  • PE_BRID.A (Trend)
  • W32/Braid@MM
  • W32/Brid.A@MM
  • Win32/Brid.A@MM
