W32/Braid.b@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 11/18/2002
Length: 90,111 bytes
Minimum DAT: 4234 (11/20/2002)
Updated DAT: 4234 (11/20/2002)
Minimum Engine: 5.1.00
Description Added: 11/18/2002
Description Modified: 11/18/2002 8:49 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This virus is identified as a variant of W32/Braid@MM with the 4232 and 4233 DAT files. Exact detection is included in the 4234 DAT files.

This virus, written in Visual Basic 6.0, contains its own SMTP engine and mails itself to email addresses found on the local system. To conceal the identity of the sender, it spoofs the 'From:' address of outgoing messages. It also exploits an Internet Explorer vulnerability to run itself when an infected message is viewed, and it shuts down various processes related to AV/security products.

NB: In testing, this virus was only observed to run on Windows 9x machines. It would not run on NT/2k systems (due to a slight file truncation).

The worm arrives in an email containing the following information:

Subject: company
Attachment: README.EXE
Body:

Hello,

My name is donkey-virus.
I wish you a merry Christmas and happy new year.

Thank you.

The virus exploits the 'Incorrect MIME Header Can Cause IE to Execute E-mail Attachment' vulnerability (MS01-020) in Microsoft Internet Explorer (versions 5.01 or 5.5 without SP2). As a result, the virus is executed simply by viewing the email message in a vulnerable Outlook client. Gateway scanners will detect samples using this exploit as Exploit-MIME.gen or Exploit-MIME.gen.exe with the 4213 DATs (or higher).

Unlike the previous variant (see W32/Braid.a@MM), no other files are dropped on the victim machine.

Symptoms

Presence of the following files:

  • %Windows Desktop%\MADAM.EML
  • %Windows Desktop%\MADAM.EXE
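As an added example (not code from the advisory or from McAfee), the following Python checks an RFC 822 message and a Desktop directory listing against the indicators quoted above: the subject, attachment name and body phrase of the infected mail, and the MADAM.EML/MADAM.EXE symptom files. The MIME-type mismatch check for the MS01-020 class of messages is an assumption of mine, not something the advisory states.

```python
import email
from email import policy

# Indicators quoted from the advisory: message subject, attachment name, body phrase
SUBJECT = "company"
ATTACHMENT = "readme.exe"
BODY_PHRASE = "my name is donkey-virus"
# Files the advisory lists under Symptoms (expected on the Windows Desktop)
SYMPTOM_FILES = ("MADAM.EML", "MADAM.EXE")

def scan_message(raw: bytes) -> list[str]:
    """Return the advisory's indicators found in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if ctype == "text/plain" and BODY_PHRASE in part.get_content().lower():
            hits.append("body")
        if name == ATTACHMENT:
            hits.append("attachment")
        # MS01-020 class heuristic (assumption, not stated in the advisory): an
        # .exe attachment declared under a non-application content type
        if name.endswith(".exe") and not ctype.startswith("application/"):
            hits.append("mime-mismatch:" + ctype)
    return hits

def symptom_hits(desktop_listing: list[str]) -> list[str]:
    """Match a Desktop directory listing (e.g. os.listdir output) to the symptom files."""
    present = {n.upper() for n in desktop_listing}
    return [f for f in SYMPTOM_FILES if f in present]

# Constructed sample mirroring the advisory's description (not a real capture)
SAMPLE = b"""Subject: company
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

My name is donkey-virus.
--b1
Content-Type: audio/x-wav; name="README.EXE"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""
```

Run `scan_message(SAMPLE)` on the constructed sample to see all four indicators reported; pass `os.listdir` of the user's Desktop to `symptom_hits` to check for the dropped files.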

Method of Infection

NB: In testing, the virus did not execute successfully on NT/2k systems. It did successfully run on 9x machines.

When run, the following image is displayed:

[10 Ways to Attract a Man]

The virus searches for email addresses in .HTM and .DBX files on the victim machine, mailing itself to those found (message characteristics above). System settings (DNS server and domain name) are extracted from the Windows Registry.

Any processes whose names contain strings predefined within the virus are killed. The strings are selected to target AV and security products.

The virus is also buggy, giving a run-time error after mailing is complete.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
