Win32.Bride.A@mm

MEDIUM
MEDIUM
118787 bytes
(W32/Braid.A (Sophos), Bridex (F-Secure))

Symptoms

  • file regedit.exe in the Windows System folder (not in the Windows folder!);

  • file Explorer.exe on the Desktop (with the icon of Internet Explorer, not of Windows Explorer!);

  • email message file Help.eml on the Desktop;

  • file bride.exe in the Windows System folder;

  • the registry entry [HKCU \Software\Microsoft\Windows\CurrentVersion\Run\regedit].
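A host-side check for the symptoms above, written as an added example (Python) rather than taken from Bitdefender's AntiBride tool. The matching logic is separated from data collection so it can be run against a constructed snapshot; the path layout it assumes (System32 as the Windows System folder, %USERPROFILE%\Desktop as the Desktop) is the NT-based one and differs on Windows 9x, where the System folder is simply System.

```python
"""Check a host snapshot for the Win32.Bride.A@mm symptoms listed above.

Added example, not Bitdefender's AntiBride tool. match_indicators() is pure
so it can be exercised against a constructed snapshot; collect_snapshot()
reads the real file system and registry only when run on Windows.
"""
import ntpath
import os
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"  # under HKEY_CURRENT_USER


def expected_paths(system_dir, desktop_dir):
    """Symptom name -> full path where the worm drops that file.

    The real regedit.exe lives in the Windows folder, not the System folder,
    so only the System folder copy is an indicator.
    """
    return {
        "regedit.exe in Windows System folder": ntpath.join(system_dir, "regedit.exe"),
        "Explorer.exe on Desktop": ntpath.join(desktop_dir, "Explorer.exe"),
        "Help.eml on Desktop": ntpath.join(desktop_dir, "Help.eml"),
        "bride.exe in Windows System folder": ntpath.join(system_dir, "bride.exe"),
    }


def _norm(path):
    # Windows paths are case-insensitive and accept either separator;
    # ntpath is used explicitly so the comparison behaves the same off-Windows.
    return ntpath.normcase(ntpath.normpath(path))


def match_indicators(files_present, run_values, system_dir, desktop_dir):
    """Return the symptom names found in a snapshot.

    files_present: paths that exist on the host (any case, either separator)
    run_values:    {value name: data} read from HKCU\\...\\Run
    """
    present = {_norm(p) for p in files_present}
    hits = [name for name, path in expected_paths(system_dir, desktop_dir).items()
            if _norm(path) in present]
    # Only the worm registers a Run value called "regedit"; Windows never
    # auto-starts the real Registry Editor.
    for value_name, data in run_values.items():
        if value_name.lower() == "regedit":
            hits.append("Run value 'regedit' -> %s" % data)
    return hits


def collect_snapshot():
    """Gather the real data on Windows (NT-based folder layout assumed)."""
    if sys.platform != "win32":
        raise RuntimeError("snapshot collection only works on Windows")
    import winreg
    system_dir = ntpath.join(os.environ["SystemRoot"], "System32")
    desktop_dir = ntpath.join(os.environ["USERPROFILE"], "Desktop")
    files = [p for p in expected_paths(system_dir, desktop_dir).values()
             if os.path.exists(p)]
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            run_values[name] = data
            index += 1
    return files, run_values, system_dir, desktop_dir


if __name__ == "__main__":
    for hit in match_indicators(*collect_snapshot()):
        print("INFECTED:", hit)
```

A hit on the Run value alone is enough to investigate: a legitimate system has no reason to auto-start anything named regedit from HKCU.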
    Removal instructions:

    The BitDefender Virus Analysis Team has released a free removal tool for this particular virus.

    Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client.

    The BitDefender AntiBride.exe tool does the following:
  • it detects all the known versions of Bride;

  • it deletes the files infected with Bride;

  • it disinfects the files detected as FunLove;

  • it kills the process from memory;

  • it repairs the Windows registry.


    Because the tool deletes the files it finds infected with Bride, you may also need to restore the affected files from backup.

    To prevent the virus from using the IFRAME exploit, apply the patch Microsoft released
    for Internet Explorer 5.0 and 5.5 (Microsoft Security Bulletin MS01-020).

    To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.

    If you are running Windows 95/98/Me, you will also have to apply the patch Microsoft provided for the Share Level Password vulnerability, so that the virus cannot use it to reach shared folders.

    Analyzed By

    Bogdan Dragu BitDefender Virus Researcher

    Technical Description:

    This is a mass-mailing worm written in Visual Basic, which carries along the file infector Win32.FunLove.4070. The FunLove body and most of the character strings used by the virus are encrypted, to make reverse engineering more difficult.

    The worm arrives in an email message in the following format:

    From: (Windows registered user name of infected user)

    Subject: (Windows registered organization of infected user)

    Body:
    Hello,

    Product Name: (Windows version)
    Product Id: (Windows product ID)
    Product Key: (Windows product key)

    Process List: (list of names and descriptions of running security processes)

    Thank you.

    Attachment: README.EXE
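A mail-gateway rule for the message format above, as an added example (Python, not Bitdefender code). It keys on the two traits the description says every copy carries: an attachment named README.EXE and a body containing the Product Name/Id/Key report and the "Process List:" section. The description does not say which MIME headers the worm emits to trigger the IFRAME exploit, so the rule deliberately does not depend on them; the sample message is constructed here, not a capture.

```python
"""Flag messages matching the Win32.Bride.A@mm mail format described above.

Added example, not Bitdefender code. It matches only what the description
states: the README.EXE attachment plus the product/process report in the
body. The exact MIME headers the worm uses are not described, so they are
not part of the rule.
"""
import email
from email import policy

BODY_MARKERS = ("Product Name:", "Product Id:", "Product Key:", "Process List:")


def bride_findings(raw_message):
    """Return the list of Bride traits present in a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    # 1. The README.EXE attachment; compare case-insensitively since the
    #    filename is whatever the sending mailer wrote into the header.
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower() == "readme.exe":
            findings.append("attachment %s (%s)" % (name, part.get_content_type()))

    # 2. The body: the worm pastes the Windows product data and its process list.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    for marker in BODY_MARKERS:
        if marker in body:
            findings.append("body marker %r" % marker)
    return findings


def is_bride(raw_message):
    """The attachment and the process-list body together are the signature;
    either one alone is not enough to flag a message."""
    findings = bride_findings(raw_message)
    has_attachment = any(f.startswith("attachment ") for f in findings)
    return has_attachment and "body marker 'Process List:'" in findings


# Constructed sample (not a real capture) shaped like the format described above.
SAMPLE = b"""From: Alice Example
Subject: Example Corp
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello,

Product Name: Microsoft Windows 2000
Product Id: 00000-000-0000000-00000
Product Key: AAAAA-BBBBB-CCCCC-DDDDD-EEEEE

Process List: avp32.exe - AntiViral Toolkit Pro

Thank you.
--b1
Content-Type: application/octet-stream; name="README.EXE"
Content-Disposition: attachment; filename="README.EXE"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign message: one marker in the body, no attachment.
CLEAN = b"""From: bob@example.test
Subject: status
Content-Type: text/plain

Product Name: just a word in an ordinary mail
"""

if __name__ == "__main__":
    print("sample:", is_bride(SAMPLE), bride_findings(SAMPLE))
    print("clean :", is_bride(CLEAN), bride_findings(CLEAN))
```

Requiring both traits keeps the rule from firing on ordinary mail that happens to mention a product key, while still catching copies whose From and Subject vary, as they do here because both are read from the infected machine's registry.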




    The virus exploits the IFRAME vulnerability in Internet Explorer 5.xx: on unpatched systems the attachment (README.EXE) is executed automatically as soon as the message is selected in the preview pane of Outlook/Outlook Express. More information and a patch for this vulnerability are available in Microsoft Security Bulletin MS01-020.
     
    The virus will copy itself as regedit.exe in the Windows System folder and will create the registry entry:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run\regedit]

    in order for Windows to run the worm at every start-up.

    The worm will also copy itself to the Desktop as Explorer.exe (with Internet Explorer's icon). An email message file (Help.eml) containing the worm is created on the Desktop as well; when the user opens it, the attachment is once again executed automatically (due to the IFRAME exploit).



    Another two copies of the worm (one of them in Base64 format) will be created in temporary files called Brade0.tmp and Brade1.tmp.

    The worm will stop services with names containing one of the substrings:

    MST
    MS_
    S -
    _NP
    VIEW
    IRMON
    SMTPSVC
    MONIKER
    PROGRAM

    It will also terminate processes with names including these strings:

    dbg
    mon
    vir
    iom
    anti
    fire
    prot
    secu
    view
    debug
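The two lists above are broad substring tests, so they hit more than security software. The following added example (Python, not worm code) reproduces the test on a constructed process and service list so an administrator can see in advance which tools would be stopped on an infected machine. Case-insensitive matching is an assumption: the description prints the substrings in mixed case without stating how they are compared.

```python
"""Which services and processes Win32.Bride.A@mm would stop, per the lists above.

Added example, not worm code. It applies the substring test to a process and
service snapshot so the result can be reviewed before an infection, not after.
Case-insensitive comparison is an assumption; the description does not say.
"""
SERVICE_SUBSTRINGS = ["MST", "MS_", "S -", "_NP", "VIEW", "IRMON",
                      "SMTPSVC", "MONIKER", "PROGRAM"]
PROCESS_SUBSTRINGS = ["dbg", "mon", "vir", "iom", "anti", "fire", "prot",
                      "secu", "view", "debug"]


def first_match(name, substrings):
    """Return the first listed substring contained in name, else None."""
    lowered = name.lower()
    for sub in substrings:
        if sub.lower() in lowered:
            return sub
    return None


def would_stop_service(service_name):
    return first_match(service_name, SERVICE_SUBSTRINGS)


def would_kill_process(image_name):
    return first_match(image_name, PROCESS_SUBSTRINGS)


def triage(processes, services):
    """Split a snapshot into (killed processes, stopped services); each entry
    is (name, matched substring), in the order the snapshot lists them."""
    killed = []
    for proc in processes:
        hit = would_kill_process(proc)
        if hit is not None:
            killed.append((proc, hit))
    stopped = []
    for svc in services:
        hit = would_stop_service(svc)
        if hit is not None:
            stopped.append((svc, hit))
    return killed, stopped


# Constructed snapshot: a mix of security tools and unrelated system components.
PROCESSES = ["explorer.exe", "AntiVir.exe", "ctfmon.exe", "ZoneAlarm.exe",
             "fprot.exe", "winmgmt.exe", "viewer.exe"]
SERVICES = ["SMTPSVC", "Spooler", "irmon", "Winmgmt", "MSTask", "RemoteRegistry"]

if __name__ == "__main__":
    killed, stopped = triage(PROCESSES, SERVICES)
    for name, sub in killed:
        print("kill  %-14s (matches %r)" % (name, sub))
    for name, sub in stopped:
        print("stop  %-14s (matches %r)" % (name, sub))
```

Note how collateral the lists are: ctfmon.exe (text services) dies on "mon" and the MSTask scheduler service is stopped on "MST", while a firewall whose image name avoids every substring (ZoneAlarm.exe in the constructed list) is left running. Tools whose names contain "vir" are matched on that substring before "anti" is ever tested, because the worm's list is tried in order.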

    Names and descriptions of these processes will be included in the body of email messages, under the title Process List. The From and Subject fields of messages are filled in with values read from the entries:

    RegisteredOwner
    RegisteredOrganization

    under the registry key:

    [HKLM\Software\Microsoft\Windows\CurrentVersion]

    The messages will also contain information about the running Windows version, id and key, taken from the registry entries:

    ProductName
    ProductId
    ProductKey

    Email messages containing the worm are sent to addresses gathered by scanning .htm files and .dbx (Outlook Express mailbox) files, and also to the anonymous user on the name/domain server.

    The worm overwrites the beginning of msconfig.exe (in the Windows System folder) with a sequence of code that drops a version of the file infector Win32.FunLove.4070 as bride.exe; this version contains the text DonkeyoVaccineiEraser instead of the original Fun Loving Criminal. This dangerous virus then proceeds to infect executable files on the local system and in network shared folders.

    Under certain conditions, the worm will try to open the following web-pages:

    HttP://Www.hOtmAIl.coM/
    hTtP://wWw.sEX.cOm/