Symptoms:
file Madam.exe on Desktop with an icon of Internet Explorer;
e-mail message file Madam.eml on Desktop.
Removal instructions:
The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.
Important: You will have to close all applications (including the antivirus shields) before running the tool and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client. The BitDefender AntiBride.exe tool does the following:
it detects all the known versions of Bride;
it deletes the files infected with Bride;
it kills the process from memory;
You may also need to restore the affected files.
To prevent this virus from using the IFRAME exploit, apply the patch Microsoft released for Internet Explorer 5.0 and 5.5.
Analyzed By
Bogdan Dragu BitDefender Virus Researcher
Technical Description:
This is the second version of the mass-mailer Win32.Bride.A@mm; it no longer carries along the FunLove file infector, and it doesn't install itself (it won't automatically be run at Windows start-up). Its strings are no longer encrypted, and on Windows NT/2000/XP the executable might not run at all (its format is slightly damaged, and the NT versions check executable format compliance more thoroughly than the 9x versions).
The worm arrives in an email message in the following format:
From: (Windows registered user name of infected user) or Help
Subject: (Windows registered organization of infected user)
Body:
Hello,
My name is donkey-virus.
I wish you a merry Christmas and happy new year.
Thank you.
Attachment: README.EXE
The attachment will still be automatically run on unpatched systems, as the virus exploits the IFRAME vulnerability. The following picture will be displayed when the virus is run:
The worm will copy itself on Desktop as Madam.exe (with Internet Explorer's icon); it will also create an email message file on Desktop (Madam.eml); when the user opens this file with Outlook/Outlook Express, the attachment will once again be executed and the user will be invited to fill in the recipient address and send the email; the attached file (README.EXE) may not be visible (due to the malformed MIME header).
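As an added example (not part of the BitDefender description), a small Python triage check that flags a raw message exhibiting the indicators listed above: the body text, the README.EXE attachment, and an IFRAME pointing at an embedded MIME part. The IFRAME pattern and the raw-byte fallback for an attachment hidden by a malformed header are my assumptions about how such a filter would look; the sample message is constructed, not a real capture.

```python
import re
from email import message_from_bytes, policy

# Indicators taken from the description of Win32.Bride.B@mm above.
BODY_MARKER = b"My name is donkey-virus"
ATTACHMENT_NAME = "README.EXE"
# An IFRAME whose source is an embedded MIME part (the auto-run trick the text refers to); assumed pattern.
IFRAME_CID = re.compile(rb"<iframe[^>]+src\s*=\s*[\"']?cid:", re.I)
# Fallback for parts whose MIME headers are malformed and therefore hidden from the parser.
RAW_ATTACH = re.compile(rb"(?:file)?name\s*=\s*\"?" + re.escape(ATTACHMENT_NAME.encode()), re.I)

def bride_indicators(raw: bytes) -> dict:
    """Report which Bride.B indicators a raw RFC 822 message exhibits."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {"body_text": BODY_MARKER in raw,
            "iframe_cid": IFRAME_CID.search(raw) is not None,
            "attachment": False}
    for part in msg.walk():
        name = part.get_filename()
        if name and name.upper() == ATTACHMENT_NAME:
            hits["attachment"] = True
    # The text notes the attachment may be invisible due to a malformed MIME header, so scan raw bytes too.
    if not hits["attachment"] and RAW_ATTACH.search(raw):
        hits["attachment"] = True
    return hits

def is_bride_b(raw: bytes) -> bool:
    """Body marker plus either the attachment or the IFRAME trick."""
    hits = bride_indicators(raw)
    return hits["body_text"] and (hits["attachment"] or hits["iframe_cid"])

# Constructed sample following the message format described above; not a real capture.
SAMPLE = b"""From: Help
Subject: Example Org
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<html><body>Hello,<br>My name is donkey-virus.<br>
I wish you a merry Christmas and happy new year.<br>Thank you.
<iframe src=cid:part1 height=0 width=0></iframe></body></html>
--b1
Content-Type: application/octet-stream; name=README.EXE
Content-ID: <part1>

UExBQ0VIT0xERVI=
--b1--
"""
```

Running `bride_indicators(SAMPLE)` reports all three indicators as present; a plain greeting message without the attachment or IFRAME is not flagged.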
The names of the temporary files used by the worm have been changed to Madam0.tmp and Madam1.tmp.
The worm will stop services with names containing one of the substrings:
MST MS_ S - _NP VIEW IRMON SMTPSVC MONIKER PROGRAM
It will also terminate processes with window names including these strings:
dbg mon vir iom anti fire prot secu view debug
Mass-mailing:
As in version A, email addresses are collected from .htm and .dbx files; the "anonymous" user on the name/domain server will also be targeted.
The From and Subject fields are taken from the registry entries:
[HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization]
(if the RegisteredOwner entry cannot be read, the text Help will appear in the From field). The sender's email address may be forged in messages that are sent by the virus.
The file's description contains the following copyright text:
Copyright (C) Madam Inc. 1981-2002