file Madam.exe on Desktop with an icon of Internet Explorer;
e-mail message file Madam.eml on Desktop.
The BitDefender Virus Analyse Team has released a free removal tool for this particular virus. Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you'll have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender AntiBride.exe tool does the following:
it detects all the known versions of Bride;
it deletes the files infected with Bride;
it kills the process from memory;
You may also need to restore the affected files.
To prevent this virus from using the IFRAME exploit, apply the patch for Internet Explorer 5.0 and 5.5.
Bogdan Dragu BitDefender Virus Researcher
This is the second version of the mass-mailer Win32.Bride.A@mm; it doesn't carry along the FunLove file infector anymore, and doesn't install itself (it won't automatically be run at Windows start-up). Its strings are no longer encrypted and on Windows NT/2000/XP the executable might not be run (its format is slightly damaged, and the NT versions make more thorough verifications of executable format compliance than the 9x versions).
The worm arrives in an email message in the following format:
From: (Windows registered user name of infected user) or Help
Subject: (Windows registered organization of infected user)
Body:
Hello,
My name is donkey-virus.
I wish you a merry Christmas and happy new year.
Thank you.
Attachment: README.EXE
The attachment will still be automatically run on unpatched systems, as the virus exploits the IFRAME vulnerability. A picture is displayed when the virus is run.
The worm will copy itself to the Desktop as Madam.exe (with Internet Explorer's icon); it will also create an email message file on the Desktop (Madam.eml); when the user opens this file with Outlook/Outlook Express, the attachment will once again be executed and the user will be invited to fill in the recipient address and send the email; the attached file (README.EXE) may not be visible (due to the malformed MIME header).
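A triage check for the message traits described above (the donkey-virus body text, the README.EXE attachment and, as an added heuristic, an IFRAME tag in an HTML part), given here as an added example that is not BitDefender's code. It walks every MIME part instead of relying on what the mail client displays, since the attachment may be hidden; the function name, indicator labels and sample message are constructed for illustration.

```python
import email
import re
from email import policy

# Indicators taken from the description above; the IFRAME check is a heuristic.
BODY_MARKER = "my name is donkey-virus"
ATTACHMENT_NAME = "readme.exe"
IFRAME_RE = re.compile(r"<iframe\b", re.IGNORECASE)

# Constructed sample message (not a captured specimen); payload is 4 zero bytes.
SAMPLE = (
    b"From: Help <sender@example.invalid>\r\n"
    b"Subject: Example Org\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b"<html>Hello,<br>My name is donkey-virus.<IFRAME src=placeholder></IFRAME></html>\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="README.EXE"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"AAAAAA==\r\n"
    b"--b1--\r\n"
)

def bride_indicators(raw_message):
    """Return a sorted list of the indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = set()
    for part in msg.walk():
        # get_filename() reads Content-Disposition "filename" and falls back to
        # Content-Type "name", so a part the client does not list is still seen.
        name = part.get_filename()
        if name and name.strip().lower() == ATTACHMENT_NAME:
            hits.add("attachment:README.EXE")
        if part.get_content_maintype() != "text":
            continue
        try:
            text = part.get_content()
        except (LookupError, UnicodeError, ValueError):
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
        if BODY_MARKER in text.lower():
            hits.add("body:donkey-virus")
        if part.get_content_subtype() == "html" and IFRAME_RE.search(text):
            hits.add("html:iframe")
    return sorted(hits)
```

The same function can be run over a Madam.eml file found on a Desktop by passing it the file's bytes.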
The names of the temporary files used by the worm have been changed to Madam0.tmp
The worm will stop services with names containing one of the substrings: MST MS_ S - _NP VIEW IRMON SMTPSVC MONIKER PROGRAM
It will also terminate processes with window names including these strings: dbg mon vir iom anti fire prot secu view debug
Mass-mailing: As in version A, email addresses are collected from .htm files; the "anonymous" user on the name/domain server will also be targeted.
The From and Subject fields are taken from the registry entries:
[HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization]
(if the RegisteredOwner entry cannot be read, the text Help will appear in the From field). The sender's email address may be forged in messages that are sent by the virus.
The file's description contains the following copyright text: Copyright (C) Madam Inc. 1981-2002