
Win32.Bride.C@mm

MEDIUM
MEDIUM
91 KB
(I-Worm.Winevar (F-Secure, Kaspersky), W32.Korvar (McAfee))

Symptoms

  • the registry key:

    [HKCR\Software\Microsoft\DataFactory]


  • files named WIN‹NNNN›.pif in the Windows System folder (‹NNNN› being a random number);

  • registry entries named ‹NNNN› under the registry keys:

    on NT versions of Windows
    [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]

    on all versions of Windows
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
Removal instructions

    The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.

    Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.

    The BitDefender AntiBride-EN.exe tool does the following:

  • it detects all the known Win32.Bride versions;
  • it deletes the files infected with Win32.Bride;
  • it disinfects the files detected as Win32.Funlove;
  • it kills the process from memory;
  • it repairs the Windows registry.

    You may also need to restore the affected files.

    To prevent the virus from using the IFRAME exploit, apply the patch Microsoft released for Internet Explorer 5.0 and 5.5.

    To prevent the virus from replicating from infected machines to clean machines, disinfect all computers in the network before rebooting any of them, or unplug the network cables.

    If you are running Windows 95/98/Me, you will have to apply the following patch provided by Microsoft to stop the virus from using the Share Level Password vulnerability.

    Analyzed By

    Bogdan Dragu BitDefender Virus Researcher

    Technical Description:

    This version of Win32.Bride.A@mm was written in Visual C++. Most of its strings are encrypted and the worm brings along the Win32.FunLove.4070 file infector once again.

    It arrives attached to an email message in the following format:

    From: ‹Registered Owner›
    or: AntiVirus
    or: ‹forged address› (may be the same as the recipient's)

    Subject: Re: AVAR(Association of Anti-Virus Asia Reseachers)
    or: ‹Unreadable characters›‹Registered Organization›
    or: ‹Unreadable characters›Trand Microsoft Inc.

    Body:
    AVAR(Association of Anti-Virus Asia Reseachers) - Report.
    Invariably, Anti-Virus Program is very foolish.


    Attachments:
    ‹random name›.TXT (12.6 KB)
    ‹random name›.GIF (120 bytes)
    ‹random name›.PIF
    MUSIC_1.HTM
    MUSIC_2.CEO

    The worm exploits the IFRAME vulnerability so that the attached executable is launched automatically when the message is displayed in the preview pane, and the Microsoft VM ActiveX Component vulnerability so that the HTM file can add CEO to the list of executable file extensions, causing the worm to run when the user opens the attached CEO file.

    The worm copies itself to the Windows System folder as WIN‹NNNN›.pif (‹NNNN› being a random number) and then executes this copy with a command line parameter specifying the tick count (number of milliseconds elapsed since system start-up). The launched copy compares its own tick count with the parameter to check that it was started less than half a second after the original copy invoked it; otherwise (for example, when the worm is run at start-up), the following message box is displayed:



    The worm will register both its original copy and the newly-dropped copy to be run at startup, by creating WIN‹NNNN› entries under the registry keys named in the Symptoms section.

    A mutex called ~~ Drone Of StarCraft~~ is used by the virus to avoid multiple execution of some code sequences.

    The worm will attempt to stop any services or processes which include one of the substrings:

    view
    debu
    scan
    mon
    vir
    iom
    ice
    anti
    fir
    prot
    secu
    dbg
    avk
    pcc
    spy

    but don't include any of these:

    microsoft
    ms
    _np
    r n
    cicer
    irmon
    smtpsvc
    moniker
    office
    program
    explorewclass

    A function that terminates these services and processes is called approximately every 2 seconds.
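The following is an added example (not BitDefender's tool or code from the page) that turns the Symptoms section and the process-kill rules above into an offline triage helper: it flags WIN‹NNNN›.pif and AAVAR.PIF names in a System folder listing, WIN‹NNNN› values under the four Run/RunServices keys, the presence of the DataFactory address-list key, and which running security tools fall inside the worm's include/exclude substring rules. All input data is constructed inline; case-insensitive matching and the exact "spare list wins" ordering are assumptions, since the page does not state how the worm compares names.

```python
import re

# Substrings the worm looks for in service/process names (from the page)
KILL_SUBSTRINGS = ["view", "debu", "scan", "mon", "vir", "iom", "ice", "anti",
                   "fir", "prot", "secu", "dbg", "avk", "pcc", "spy"]
# Names containing any of these are left alone (from the page)
SPARE_SUBSTRINGS = ["microsoft", "ms", "_np", "r n", "cicer", "irmon", "smtpsvc",
                    "moniker", "office", "program", "explorewclass"]

# Autorun keys named in the Symptoms section
RUN_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
]
# Key in which the worm keeps its harvested target addresses
ADDRESS_LIST_KEY = r"HKCR\Software\Microsoft\DataFactory"

WIN_NNNN_FILE = re.compile(r"^WIN\d+\.PIF$", re.IGNORECASE)
WIN_NNNN_VALUE = re.compile(r"^WIN\d+$", re.IGNORECASE)


def would_be_terminated(name):
    """Apply the worm's include/exclude substring rules to one process or
    service name. Case-insensitive comparison is an assumption."""
    n = name.lower()
    if any(s in n for s in SPARE_SUBSTRINGS):
        return False
    return any(s in n for s in KILL_SUBSTRINGS)


def suspicious_system_files(listing):
    """Names from a Windows System folder listing matching the dropped files
    WIN<NNNN>.pif and AAVAR.PIF."""
    return [f for f in listing if WIN_NNNN_FILE.match(f) or f.upper() == "AAVAR.PIF"]


def suspicious_autorun_values(registry):
    """registry maps key path -> list of value names (a constructed snapshot;
    a live check would read the keys with winreg). Returns (key, value) pairs
    for WIN<NNNN> values under the Run/RunServices keys."""
    hits = []
    for key in RUN_KEYS:
        for value in registry.get(key, []):
            if WIN_NNNN_VALUE.match(value):
                hits.append((key, value))
    return hits


def triage(listing, registry, process_names):
    """Combine the individual checks into one report dictionary."""
    return {
        "files": suspicious_system_files(listing),
        "autorun": suspicious_autorun_values(registry),
        "address_list_present": ADDRESS_LIST_KEY in registry,
        "at_risk_processes": [p for p in process_names if would_be_terminated(p)],
    }


# Constructed sample data, not output from a real system
SAMPLE_LISTING = ["WIN3472.PIF", "AAVAR.PIF", "WIN.INI", "WINHELP.EXE", "WINSOCK.DLL"]
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": ["WIN3472", "ctfmon"],
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices": ["WIN3472"],
    r"HKCR\Software\Microsoft\DataFactory": ["0", "1"],
}
SAMPLE_PROCESSES = ["avscan.exe", "services.exe", "irmon.exe", "msmon.exe",
                    "explorer.exe", "winlogon.exe"]

if __name__ == "__main__":
    for section, result in triage(SAMPLE_LISTING, SAMPLE_REGISTRY, SAMPLE_PROCESSES).items():
        print(section, result)
```

Note that under the page's rules a name such as services.exe contains "ice" and no spared substring, so it falls inside the kill criteria, while irmon.exe and anything containing "ms" are spared; running your own security tools' process names through would_be_terminated shows which of them this worm would stop.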

    A version of Win32.FunLove.4070 is dropped to a temporary file in the Windows System folder and executed; this virus will start infecting .exe, .scr and .ocx executables on the local drives and network shares. The original FunLove text "Fun Loving Criminal" now reads "AAVAR 2002 in Seoul", and the file infector is dropped in a file named AAVAR.PIF (instead of flcss.exe).

    The worm uses a function that will recursively scan folders on the fixed drives. The contents of folders with names containing:

    antivirus
    cillin
    nlab
    vacc

    will be deleted (however, tests have shown that the virus manages to delete most of the files on the disk, due to the buggy handling of a flag variable across the recursive calls to the function). Target addresses for mass-mailing will be gathered from .dbx and .htm files; addresses containing @microsoft will be avoided. A list of target addresses will be maintained in the registry key:

    [HKCR\Software\Microsoft\DataFactory]

    The ‹Registered Owner› and ‹Registered Organization› variables (which are sometimes used for the From and Subject fields in sent emails) are read from the registry key:

    [HKLM\Software\Microsoft\Windows[NT]\CurrentVersion]

    If this is not possible, they are given the default values AntiVirus and Trand Microsoft Inc..

    During execution, the worm will attempt to download data from http://www.symantec.com/ (to temporary files in the Windows System folder, which are later discarded) for two purposes: first, to see if an Internet connection is available, and second, to flood the server.