the registry key:
files named WIN‹NNNN›.pif in the Windows System folder (‹NNNN› being a random number);
registry entries named ‹NNNN› under the registry keys:
on NT versions of Windows
on all versions of Windows
The BitDefender Virus Analysis Team has released a free removal tool for this particular virus. Important: you will have to close all applications (including the antivirus shields) before running the tool, and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender AntiBride-EN.exe tool does the following:
it detects all the known Win32.Bride versions;
it deletes the files infected with Win32.Bride;
it disinfects the files detected as Win32.Funlove;
it kills the process from memory;
it repairs the Windows registry.
You may also need to restore the affected files.
To prevent this virus from using the IFRAME exploit, apply the patch for Internet Explorer 5.0 and 5.5.
To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.
If you are running Windows 95/98/Me, you will have to apply the following patch provided by Microsoft to stop the virus from using the Share Level Password
Bogdan Dragu BitDefender Virus Researcher
This version of Win32.Bride.A@mm was written in Visual C++. Most of its strings are encrypted and the worm brings along the Win32.FunLove.4070 file infector once again.
It arrives attached to an email message in the following format:
From: ‹Registered Owner› or: ‹forged address› (may be the same as the recipient's)
Subject: Re: AVAR(Association of Anti-Virus Asia Reseachers) or: ‹Unreadable characters›‹Registered Organization› or: ‹Unreadable characters›Trand Microsoft Inc.
Body: AVAR(Association of Anti-Virus Asia Reseachers) - Report. Invariably, Anti-Virus Program is very foolish.
Attachments: ‹random name›.TXT (12.6 KB), MUSIC_1.HTM, ‹random name›.GIF (120 bytes), MUSIC_2.CEO, ‹random name›.PIF
The worm exploits the IFRAME vulnerability so that the attached executable is launched automatically when the message is displayed in the preview pane, and the Microsoft VM ActiveX Component vulnerability so that the HTM file can add CEO to the list of executable file extensions and the worm is run when the user opens the attached CEO
The worm copies itself to the Windows System folder as WIN‹NNNN›.pif (‹NNNN› being a random number) and then executes this copy with a command line parameter specifying the tick count (number of milliseconds elapsed since system start-up). The running copy compares its own tick count with the parameter to see whether it was started less than half a second after the original copy invoked it; otherwise (for example, when the worm is run at start-up), the following message box is displayed:
The worm registers both its original copy and the newly-dropped copy to be run at startup by creating WIN‹NNNN› entries under the registry keys named in the Symptoms section.
A mutex called ~~ Drone Of StarCraft~~ is used by the virus to avoid multiple execution of some code sequences.
The worm will attempt to stop any services or processes whose names include one of the substrings: view debu scan mon vir iom ice anti fir prot secu dbg avk pcc spy
but do not include any of these: microsoft ms _np r n cicer irmon smtpsvc moniker office program explorewclass
The function that terminates these services and processes is called approximately every 2 seconds.
A version of Win32.FunLove.4070 is dropped to a temporary file in the Windows System folder and executed; this virus will start infecting .exe executables on the local drives and network shares. The original FunLove text "Fun Loving Criminal" now reads "AAVAR 2002 in Seoul", and the file infector is dropped in a file named AAVAR.PIF (instead of flcss.exe).
The worm uses a function that recursively scans folders on the fixed drives. The contents of folders whose names contain: antivirus cillin nlab vacc
will be deleted (however, tests have shown that the virus manages to delete most of the files on the disk, due to the buggy handling of a flag variable across the recursive calls to the function). Target addresses for mass-mailing will be gathered from .dbx
files; addresses containing @microsoft
will be avoided. A list of target addresses will be maintained in the registry key: [HKCR\Software\Microsoft\DataFactory]
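The file names, Run-key value names and registry key listed above are the indicators a defender can check for on a machine suspected of infection. The following Python helper is an added example, not part of the BitDefender write-up or its removal tool; it matches constructed sample listings against those indicators. It assumes that ‹NNNN› is a run of decimal digits of unspecified length, so it does not pin the count to four.

```python
import re
from typing import Iterable, List

# Indicators taken from the write-up. Assumption: <NNNN> is one or more
# decimal digits; the write-up only says "a random number".
DROPPED_COPY = re.compile(r"^WIN\d+\.PIF$", re.IGNORECASE)   # WIN<NNNN>.pif in the System folder
RUN_VALUE = re.compile(r"^WIN\d+$", re.IGNORECASE)           # WIN<NNNN> value under the Run keys
FUNLOVE_DROPPER = "AAVAR.PIF"                                # file the FunLove infector is dropped as
MAIL_LIST_KEY = r"HKCR\Software\Microsoft\DataFactory"       # key holding the harvested address list


def suspicious_system_files(names: Iterable[str]) -> List[str]:
    """Return names from a System-folder listing that match the worm's dropped files."""
    return [n for n in names if DROPPED_COPY.match(n) or n.upper() == FUNLOVE_DROPPER]


def suspicious_run_values(values: Iterable[str]) -> List[str]:
    """Return Run-key value names of the WIN<NNNN> form."""
    return [v for v in values if RUN_VALUE.match(v)]


def suspicious_registry_keys(keys: Iterable[str]) -> List[str]:
    """Return registry key paths that equal the worm's address-list key (case-insensitive)."""
    return [k for k in keys if k.lower() == MAIL_LIST_KEY.lower()]


# Constructed sample listings; these are not taken from a real infected machine.
SAMPLE_FILES = ["kernel32.dll", "WIN4821.pif", "win.ini", "AAVAR.PIF", "WINDOWS.PIF", "flcss.exe"]
SAMPLE_RUN_VALUES = ["SystemTray", "WIN4821", "WINHELP", "win"]
SAMPLE_KEYS = [r"HKCR\Software\Microsoft\DataFactory", r"HKLM\Software\Microsoft\Windows"]

if __name__ == "__main__":
    print(suspicious_system_files(SAMPLE_FILES))    # ['WIN4821.pif', 'AAVAR.PIF']
    print(suspicious_run_values(SAMPLE_RUN_VALUES))  # ['WIN4821']
    print(suspicious_registry_keys(SAMPLE_KEYS))     # ['HKCR\\Software\\Microsoft\\DataFactory']
```

Names such as WINDOWS.PIF or WINHELP are deliberately left unmatched: the pattern requires digits after WIN, which keeps legitimate files with a WIN prefix out of the result. On a real machine the listings would come from the System folder and the Run keys named in the Symptoms section, and a hit should be followed by running the removal tool rather than by deleting files by hand.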
The and variables (which are sometimes used for the From and Subject fields in sent emails) are read from the registry key:
If this is not possible, they are given the default values AntiVirus and Trand Microsoft Inc.
During the execution, the worm will attempt to download data from http://www.symantec.com/ (to temporary files in the Windows System folder, that will later be discarded) for two purposes: first, to see if there is an Internet connection available, and second, to flood the server.