
Win32.Bride.B@mm

MEDIUM
LOW
90111 bytes
(W32/Braid.B (Sophos), Bridex (F-Secure))

Symptoms

  • file Madam.exe on Desktop with an icon of Internet Explorer;
  • e-mail message file Madam.eml on Desktop.

Removal instructions:

The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.

Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender AntiBride.exe tool does the following:

  • it detects all the known versions of Bride;
  • it deletes the files infected with Bride;
  • it kills the process from memory.

You may also need to restore the affected files.

To prevent this virus from using the IFRAME exploit, apply the patch Microsoft released for Internet Explorer 5.0 and 5.5.

Analyzed By

Bogdan Dragu, BitDefender Virus Researcher

Technical Description:

This is the second version of the mass-mailer Win32.Bride.A@mm. It no longer carries the FunLove file infector along, and it does not install itself (it will not be run automatically at Windows start-up). Its strings are no longer encrypted, and on Windows NT/2000/XP the executable may fail to run: its file format is slightly damaged, and the NT-based versions check executable format compliance more thoroughly than the 9x versions do.

The worm arrives in an email message in the following format:

From: (Windows registered user name of infected user) or Help

Subject: (Windows registered organization of infected user)

Body:

Hello,

My name is donkey-virus.
I wish you a merry Christmas and happy new year.

Thank you.

Attachment: README.EXE

The attachment will still be automatically run on unpatched systems, as the virus exploits the IFRAME vulnerability. A stock image will be displayed when the virus is run.
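As an added example (not Bitdefender's tool and not code from this page), the following mail-filter style check flags an incoming message that matches the format described above: the fixed body text together with a README.EXE attachment. The sample message is constructed here; its attachment content is a placeholder, and the quarantine rule itself is my own assumption about what a gateway would key on.

```python
# Added example: mail-filter style check for the Win32.Bride.B@mm message format
# described above. Not Bitdefender code; the sample message below is constructed.
import email
from email import policy
# Indicators taken from the description: the fixed body text and attachment name.
BODY_MARKERS = ("my name is donkey-virus", "merry christmas and happy new year")
ATTACHMENT_NAME = "readme.exe"

def bride_b_indicators(raw: bytes) -> dict:
    """Return which Bride.B indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"body_text": False, "readme_exe": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if (part.get_filename() or "").lower() == ATTACHMENT_NAME:
            hits["readme_exe"] = True  # README.EXE attached
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_content().lower()
            if all(m in text for m in BODY_MARKERS):
                hits["body_text"] = True  # the worm's fixed message body
    return hits

def is_bride_b(raw: bytes) -> bool:
    """Quarantine rule (assumed): fixed body text plus a README.EXE attachment."""
    hits = bride_b_indicators(raw)
    return hits["body_text"] and hits["readme_exe"]

# Constructed sample in the worm's format; attachment content is a placeholder.
SAMPLE_WORM = b"""From: Help
Subject: Example Org
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Hello,
My name is donkey-virus.
I wish you a merry Christmas and happy new year.
Thank you.
--B
Content-Type: application/octet-stream; name="README.EXE"
Content-Disposition: attachment; filename="README.EXE"
Content-Transfer-Encoding: base64

TVo=
--B--
"""
```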


The worm copies itself to the Desktop as Madam.exe (with Internet Explorer's icon). It also creates an email message file on the Desktop (Madam.eml); when the user opens this file with Outlook/Outlook Express, the attachment is executed once again and the user is invited to fill in the recipient address and send the email. The attached file (README.EXE) may not be visible, because of the malformed MIME header.

The names of the temporary files used by the worm have been changed to Madam0.tmp and Madam1.tmp.

The worm will stop services with names containing one of the substrings:

MST
MS_
S -
_NP
VIEW
IRMON
SMTPSVC
MONIKER
PROGRAM

It will also terminate processes with window names including these strings:

dbg
mon
vir
iom
anti
fire
prot
secu
view
debug

Mass-mailing: As in version A, email addresses are collected from .htm and .dbx files; the "anonymous" user on the name/domain server will also be targeted.

The From and Subject fields are taken from the registry entries:

[HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization]

(if the RegisteredOwner entry cannot be read, the text Help will appear in the From field). The sender's email address may be forged in messages that are sent by the virus.

The file's description contains the following copyright text:

Copyright (C) Madam Inc. 1981-2002