When the worm's file is run, it copies itself as REGEDIT.EXE file to Windows System folder and creates a startup key for this file in the System Registry. This is done to activate the worm's file every time Windows starts.
Bridex worm drops a bit modified variant of Funlove virus to a system. The differences from the original variant are the following:
- a new variant creates a dropper with BRIDE.EXE name in Windows System folder
- the original Funlove's text is replaced with 'DonkeyoVaccineiEraser'
It should be noted that the 'o' and 'i' letters between 'Donkey', 'Vaccine' and 'Eraser' words belong to the original Funlove's message.
When Funlove virus-worm is dropped, the beginning of MSCONFIG.EXE file is replaced with Funlove dropper. So this file can't be disinfected and should be deleted and restored from a backup.
Funlove virus-worm first infects all EXE files on a local hard disk and then starts to infect files on shared drives. This is a network virus-worm, so in case of infection, a network has to be taken down before all infected workstations are disinfected.
Bridex worm puts HELP.EML file on a desktop. This file contains a mime-encoded worm's copy with IFrame exploit and also HTML text that shows Window's version, product ID, registration key and list of running processes (however on our test systems the worm failed to create a list of processes). If a user clicks on that file, the worm will activate itself in case an unpatched version of Internet Explorer and Outlook Express is used. The same approach was used by Nimda worm.
The IFrame vulnerability is fixed and the patch for it is available on Microsoft's website.
Bridex worm also copies itself as EXPLORER.EXE to an infected computer's desktop. This file has an icon from Internet Explorer, not from Windows Explorer. When this file is started and the worm is already in memory, it sometimes attempts to open a connection to www.hotmail.com or to www.sex.com websites.
The worm tries to kill processes and services that have the following strings in their names:
MST
MS_
- S
_NP
VIEW
IRMON
SMTPSVC
MONIKER
PROGRAM
Also if on startup worm detects that a program or a folder has one of the following strings in its name, it crashes Windows and a computer has to be restarted:
mon
vir
iom
anti
fire
prot
secu
view
debug
To collect e-mails the worm scans .HTM and .DBX files. The worm then sends itself to the found addresses using its own SMTP engine. A typical infected message looks like that:
Hello,
Product Name:
Product Id:
Thank you.
There could also be 'Product Key: ' and 'Process List: ' strings in an infected message, but on our test systems the worm didn't include them.
The subject is empty and the worm's file is attached to an infected message as README.EXE file. The IFrame exploit is always present in the message.
Many of the worm's internal text strings are encrypted and the worm decrypts them on-demand.
|
