file regedit.exe in the Windows System folder (not in the Windows folder!);
file Explorer.exe on the Desktop (with an icon of Internet Explorer, not of Windows Explorer!);
email message file Help.eml on the Desktop;
file bride.exe in the Windows System folder;
the registry entry [HKCU\Software\Microsoft\Windows\CurrentVersion\Run\regedit].
The BitDefender Virus Analysis Team has released a free removal tool for this particular virus. Important: you will have to close all applications (including the antivirus shields) before running the tool and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender AntiBride.exe tool does the following:
it detects all the known versions of Bride;
it deletes the files infected with Bride;
it disinfects the files detected as FunLove;
it kills the process from memory;
it repairs the Windows registry.
You may also need to restore the affected files.
To prevent this virus from using the IFRAME exploit, apply the patch for Internet Explorer 5.0 and 5.5.
To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.
If you are running Windows 95/98/Me you will have to apply the following patch provided by Microsoft to stop the virus from using the Share Level Password
Bogdan Dragu, BitDefender Virus Researcher
This is a mass-mailing worm written in Visual Basic, which carries along the file infector Win32.FunLove.4070. The FunLove body and most of the character strings used by the virus are encrypted, to make reverse engineering more difficult.
The worm arrives in an email message in the following format:

From: (Windows registered user name of infected user)
Subject: (Windows registered organization of infected user)
Body:
Hello,
Product Name: (Windows version)
Product Id: (Windows product ID)
Product Key: (Windows product key)
Process List: (list of names and descriptions of running security processes)
Thank you.
Attachment: README.EXE
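A mail-gateway check for the message format just described, added here as an example; it is not part of BitDefender's description or of the AntiBride tool. The message it inspects is a constructed sample with placeholder values, and the rule flags a message only when the README.EXE attachment and most of the body markers occur together.

```python
from __future__ import annotations
import email
from email import policy
from email.message import EmailMessage

# Body markers and attachment name taken from the message format above.
BODY_MARKERS = ("Product Name:", "Product Id:", "Product Key:", "Process List:")
ATTACHMENT_NAME = "README.EXE"


def bride_indicators(raw_message: bytes) -> list[str]:
    """Return the Bride message-format indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    found = [f"body:{m}" for m in BODY_MARKERS if m in text]
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.upper() == ATTACHMENT_NAME:
            found.append(f"attachment:{name}")
    return found


def is_bride_message(raw_message: bytes) -> bool:
    """Require the executable attachment plus at least three body markers,
    so a reply quoting a single line of the template is not flagged."""
    found = bride_indicators(raw_message)
    has_attachment = any(i.startswith("attachment:") for i in found)
    marker_hits = sum(i.startswith("body:") for i in found)
    return has_attachment and marker_hits >= 3


def build_sample(with_attachment: bool = True) -> bytes:
    """Constructed sample in the worm's format; every value is a placeholder."""
    m = EmailMessage()
    m["From"] = "Registered User <user@example.invalid>"
    m["Subject"] = "Registered Organization"
    m.set_content(
        "Hello,\n"
        "Product Name: Microsoft Windows 98\n"
        "Product Id: 00000-000-0000000-00000\n"
        "Product Key: PLACEHOLDER-KEY\n"
        "Process List:\n"
        "avshield.exe  Antivirus shield (constructed entry)\n"
        "Thank you.\n"
    )
    if with_attachment:
        # Harmless placeholder bytes standing in for the attachment.
        m.add_attachment(b"MZ-placeholder", maintype="application",
                         subtype="octet-stream", filename=ATTACHMENT_NAME)
    return m.as_bytes()
```

The same function can be run over a Help.eml file found on a Desktop, since that file carries the worm in the same message format.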
The virus exploits the IFRAME vulnerability in Internet Explorer 5.xx: the attachment (README.EXE) will automatically be executed when the message is selected in the preview pane of Outlook/Outlook Express (on unpatched systems). More information and a patch for this exploit are available in the Microsoft Security Bulletin MS01-020.
The virus will copy itself as regedit.exe in the Windows System folder and will create the registry entry [HKCU\Software\Microsoft\Windows\CurrentVersion\Run\regedit] in order for Windows to run the worm at every start-up.
The worm will also copy itself on the Desktop as Explorer.exe (with Internet Explorer's icon). An email message file (Help.eml) containing the worm will be created, also on the Desktop; when the user opens it, the attachment will once again automatically be executed (due to the IFRAME exploit).
Another two copies of the worm (one of them in Base64 format) will be created in temporary files called Brade0.tmp
The worm will stop services with names containing one of the substrings: MST MS_ S - _NP VIEW IRMON SMTPSVC MONIKER PROGRAM
It will also terminate processes with names including these strings: dbg mon vir iom anti fire prot secu view debug
Names and descriptions of these processes will be included in the body of email messages, under the title Process List. The From and Subject fields of messages are filled in with values read from the entries RegisteredOwner and RegisteredOrganization under the registry key [HKLM\Software\Microsoft\Windows\CurrentVersion].
The messages will also contain information about the running Windows version, ID and key, taken from the registry entries ProductName, ProductId and ProductKey.
Email messages containing the worm will be sent to addresses gathered by scanning .htm files, and also to the anonymous user on the name/domain server.
The worm will overwrite the beginning of msconfig.exe (in the Windows System folder) with a sequence of code that drops a version of the file infector Win32.FunLove.4070 in bride.exe; this version contains the text DonkeyoVaccineiEraser instead of the original Fun Loving Criminal. This dangerous virus will proceed to infect executable files on the local system and on network shared folders.
Under certain conditions, the worm will try to open the following web pages: HttP://Www.hOtmAIl.coM/ and hTtP://wWw.sEX.cOm/