Threat Description

Bridex

Details

Aliases: Bridex, Braid, W32/Braid@mm, W32/Braid.A-mm, I-Worm.Bridex, W32/Bridex.A@mm
Category: Malware
Type: Worm
Platform: W32

Summary



Bridex is an e-mail worm that appeared in the wild on 4th of November 2002. The worm is written in Visual Basic and it usually arrives in an e-mail message as README.EXE attachment. The worm uses IFrame exploit to run itself automatically on some systems. The worm creates an EML file on a desktop (like Nimda worm does) and also drops a bit modified Funlove virus-worm to a system.



Removal



Disinfection of the worm requires deleting of all its files including MADAM.EXE and MADAM.EML from a desktop. We recommend to use the latest version of F-Secure Anti-Virus and the latest updates.



Technical Details



When the worm's file is run, it copies itself as REGEDIT.EXE file to Windows System folder and creates a startup key for this file in the System Registry. This is done to activate the worm's file every time Windows starts.

Bridex worm drops a bit modified variant of Funlove virus to a system. The differences from the original variant are the following:

- a new variant creates a dropper with BRIDE.EXE name in Windows System folder
 - the original Funlove's text is replaced with 'DonkeyoVaccineiEraser'

It should be noted that the 'o' and 'i' letters between 'Donkey', 'Vaccine' and 'Eraser' words belong to the original Funlove's message.

When Funlove virus-worm is dropped, the beginning of MSCONFIG.EXE file is replaced with Funlove dropper. So this file can't be disinfected and should be deleted and restored from a backup.

Funlove virus-worm first infects all EXE files on a local hard disk and then starts to infect files on shared drives. This is a network virus-worm, so in case of infection, a network has to be taken down before all infected workstations are disinfected. However taking down a network is not necessary when FSAV 5.40 is installed on every workstation. This FSAV version can repell all attempts to infect a workstation from a network. The description of Funlove virus-worm can be found here:

http://www.europe.f-secure.com/v-descs/funlove.shtml

Bridex worm puts HELP.EML file on a desktop. This file contains a mime-encoded worm's copy with IFrame exploit and also HTML text that shows Window's version, product ID, registration key and list of running processes (however on our test systems the worm failed to create a list of processes). If a user clicks on that file, the worm will activate itself in case an unpatched version of Internet Explorer and Outlook Express is used. The same approach was used by Nimda worm.

The IFrame vulnerability is fixed and the patch for it is available on Microsoft's website:

http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

Bridex worm also copies itself as EXPLORER.EXE to an infected computer's desktop. This file has an icon from Internet Explorer, not from Windows Explorer. When this file is started and the worm is already in memory, it sometimes attempts to open a connection to www.hotmail.com or to www.sex.com websites.

The worm tries to kill processes and services that have the following strings in their names:

MST
 MS_
 - S
 _NP
 VIEW
 IRMON
 SMTPSVC
 MONIKER
 PROGRAM

Also if on startup worm detects that a program or a folder has one of the following strings in its name, it crashes Windows and a computer has to be restarted:

mon
 vir
 iom
 anti
 fire
 prot
 secu
 view
 debug

To collect e-mails the worm scans .HTM and .DBX files. The worm then sends itself to the found addresses using its own SMTP engine. A typical infected message looks like that:

Hello,
 Product Name: <windows version number>
 Product Id:  <windows serial number>
 Thank you.

There could also be 'Product Key: &lt;windows product key&gt;' and 'Process List: &lt;list of processes&gt;' strings in an infected message, but on our test systems the worm didn't include them.

The subject is empty and the worm's file is attached to an infected message as README.EXE file. The IFrame exploit is always present in the message.

Many of the worm's internal text strings are encrypted and the worm decrypts them on-demand.


Variant:Bridex.B (Braid.B, W32/Braid.B@mm, W32/Braid.B-mm,I-Worm.Bridex.B, W32/Bridex.B@mm)

The second variant of Bridex worm appeared in the end of November, 2002. The new variant has a few differences comparing to the original Bridex worm:

1. Sends itself with a different message body text:

Hello,
 My name is donkey-virus.
 I wish you a merry Christmas and happy new year.
 Thank you.

The attachment name is still README.EXE and Iframe exploit is still present in an infected message.

2. When run, displays a different picture:

3. Copies itself as MADAM.EML and MADAM.EXE to a desktop

4. When starting, checks for processes with the following names and kills them:

dbg
 mon
 vir
 iom
 anti
 fire
 prot
 secu
 view
 debug

If the name also contains one of the following strings, the worm does not kill the task:

MST
 MS_
 - S
 _NP
 VIEW
 IRMON
 SMTPSVC
 MONIKER
 PROGRAM

5. Does not drop Funlove virus

6. Creates MADAM1.TMP file in temporary folder and saves directory structure information of a hard drive there.

7. Does not install itself to system and does not modify the System Registry

8. The task name of the worm sometimes is:

~Internet mail testing~



Detection


F-Secure Anti-Virus detects Bridex worm with the updates published on November 4th, 2002:
Detection Type: PC
Database: 2002-11-04_04



Technical Details: F-Secure Virus Research Team; November 4th, 2002
Description Last Modified: Alexey Podrezov; F-Secure Corp.; November 26th, 2002


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More