FRISK Software International


Summary of W32/Bridex.A@mm
Alias: Bridex, Braid, W32/Braid.A-mm, I-Worm.Bridex
Discovered: 3 Nov 2002
Definition files: 3 Nov 2002
Risk Level: Low
Distribution: Low
Infection Method: Infected E-Mail attachments

Brief Description
Bridex is an e-mail worm that appeared in the wild on the 4th of November 2002. The worm is written in Visual Basic and usually arrives in an e-mail message as a README.EXE attachment. The worm uses the IFrame exploit to run itself automatically on unpatched systems. It creates an EML file on the desktop (as the Nimda worm does) and also drops a slightly modified variant of the Funlove virus-worm onto the system.


Technical Description
When the worm's file is run, it copies itself to the Windows System folder as REGEDIT.EXE and creates a startup key for this file in the System Registry, so that the worm's file is activated every time Windows starts.

The Bridex worm drops a slightly modified variant of the Funlove virus onto the system. The differences from the original variant are the following:

 - the new variant creates a dropper named BRIDE.EXE in the Windows System folder
 - the original Funlove text is replaced with 'DonkeyoVaccineiEraser'
It should be noted that the 'o' and 'i' letters between the words 'Donkey', 'Vaccine' and 'Eraser' belong to the original Funlove message.

When the Funlove virus-worm is dropped, the beginning of the MSCONFIG.EXE file is overwritten with the Funlove dropper, so this file cannot be disinfected and should be deleted and restored from a backup.

The Funlove virus-worm first infects all EXE files on the local hard disk and then starts to infect files on shared drives. Since this is a network virus-worm, in case of infection the network has to be taken down before the infected workstations are disinfected.

The Bridex worm puts a HELP.EML file on the desktop. This file contains a MIME-encoded copy of the worm with the IFrame exploit and also HTML text that shows the Windows version, product ID, registration key and a list of running processes (however, on our test systems the worm failed to create the list of processes). If a user clicks on that file, the worm activates itself when an unpatched version of Internet Explorer and Outlook Express is used. The same approach was used by the Nimda worm.

The IFrame vulnerability has been fixed and the patch for it is available on Microsoft's website.

The Bridex worm also copies itself as EXPLORER.EXE to the infected computer's desktop. This file carries the icon of Internet Explorer, not of Windows Explorer. When this file is started while the worm is already in memory, it sometimes attempts to open a connection to the www.hotmail.com or www.sex.com websites.

The worm tries to kill processes and services that have the following strings in their names:

 MST
 MS_
 - S
 _NP
 VIEW
 IRMON
 SMTPSVC
 MONIKER
 PROGRAM
Also, if on startup the worm detects that a program or a folder has one of the following strings in its name, it crashes Windows and the computer has to be restarted:

 mon
 vir
 iom
 anti
 fire
 prot
 secu
 view
 debug
To collect e-mail addresses the worm scans .HTM and .DBX files. The worm then sends itself to the addresses found using its own SMTP engine. A typical infected message looks like this:

 Hello,


 Product Name: 
 Product Id:  


 Thank you.
There could also be 'Product Key: ' and 'Process List: ' strings in an infected message, but on our test systems the worm didn't include them.

The subject is empty and the worm's file is attached to the infected message as README.EXE. The IFrame exploit is always present in the message.
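The three message traits described above (empty subject, README.EXE attachment, IFrame in the HTML body) can be checked at a mail gateway. This is an added example, not FRISK's code; the message it parses is a constructed sample with a harmless placeholder instead of the worm, and the cid reference in the IFrame is a placeholder value.

```python
import email
import re
from email import policy

# Constructed sample message for testing, not a captured Bridex e-mail.
# The "attachment" body is a harmless placeholder string.
SAMPLE_MSG = b"""From: someone@example.invalid
To: victim@example.invalid
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body>Hello,<br><br>Product Name: <br>Product Id: <br><br>
<iframe src="cid:constructed-placeholder"></iframe>
Thank you.</body></html>
--B1
Content-Type: application/octet-stream; name="README.EXE"
Content-Disposition: attachment; filename="README.EXE"
Content-Transfer-Encoding: 7bit

PLACEHOLDER-NOT-A-REAL-EXECUTABLE
--B1--
"""

IFRAME_RE = re.compile(rb"<\s*iframe\b", re.IGNORECASE)


def bridex_indicators(raw: bytes) -> dict:
    """Return which of the Bridex mail traits a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    attachment_names = []
    iframe_in_html = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            attachment_names.append(name.upper())
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            if IFRAME_RE.search(body):
                iframe_in_html = True
    return {
        "empty_subject": subject == "",
        "readme_exe_attachment": "README.EXE" in attachment_names,
        "iframe_in_html": iframe_in_html,
    }


def looks_like_bridex(raw: bytes) -> bool:
    """All three traits together match the message profile described above."""
    return all(bridex_indicators(raw).values())
```

A message matching only one or two traits is not flagged, which keeps ordinary HTML mail with IFrames out of the result.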

Many of the worm's internal text strings are encrypted, and the worm decrypts them on demand.


Removal Instructions
Disinfection of the worm requires deleting all its files, including EXPLORER.EXE and HELP.EML from the desktop, and disinfecting all files from the Funlove virus infection. Funlove's dropper BRIDE.EXE and the corrupted MSCONFIG.EXE file should also be deleted. We recommend using the latest version of F-Prot Antivirus and the latest virus signature files.

[Analysis: F-Secure Virus Research Team; November 4th, 2002]