F-Secure Virus Descriptions : Bridex
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
| NAME: | Bridex |
| ALIAS: | Braid, W32/Braid@mm, W32/Braid.A-mm |
| ALIAS: | I-Worm.Bridex, W32/Bridex.A@mm |
Bridex is an e-mail worm that appeared in the wild on 4th of
November 2002. The worm is written in Visual Basic and usually
arrives in an e-mail message as a README.EXE attachment. The worm
uses the IFrame exploit to run itself automatically on some systems.
The worm creates an EML file on the desktop (as the Nimda worm does)
and also drops a slightly modified Funlove virus-worm to the system.
When the worm's file is run, it copies itself as REGEDIT.EXE to the
Windows System folder and creates a startup key for this file in
the System Registry, so that the worm's file is activated every time
Windows starts.
Bridex worm drops a slightly modified variant of the Funlove virus
to the system. The differences from the original variant are the
following:
- the new variant creates a dropper named BRIDE.EXE in the Windows System folder
- the original Funlove text is replaced with 'DonkeyoVaccineiEraser'
It should be noted that the 'o' and 'i' letters between the words
'Donkey', 'Vaccine' and 'Eraser' belong to the original Funlove
message.
When the Funlove virus-worm is dropped, the beginning of the
MSCONFIG.EXE file is overwritten with the Funlove dropper. This file
therefore cannot be disinfected and should be deleted and restored
from a backup.
The Funlove virus-worm first infects all EXE files on the local hard
disk and then starts to infect files on shared drives. It is a
network virus-worm, so in case of infection the network has to be
taken down until all infected workstations have been disinfected.
Taking down the network is not necessary, however, when FSAV 5.40 is
installed on every workstation: this FSAV version repels all
attempts to infect a workstation over the network. The description
of the Funlove virus-worm can be found here:
http://www.europe.f-secure.com/v-descs/funlove.shtml
Bridex worm puts a HELP.EML file on the desktop. This file contains
a MIME-encoded copy of the worm with the IFrame exploit, and also
HTML text that shows the Windows version, product ID, registration
key and a list of running processes (on our test systems, however,
the worm failed to create the list of processes). If a user clicks
on that file, the worm activates itself if an unpatched version of
Internet Explorer and Outlook Express is used. The same approach was
used by the Nimda worm.
The IFrame vulnerability is fixed and the patch for it is
available on Microsoft's website:
http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp
Bridex worm also copies itself as EXPLORER.EXE to the infected
computer's desktop. This file has the icon of Internet Explorer,
not of Windows Explorer. When this file is started while the worm
is already in memory, it sometimes attempts to open a connection
to the www.hotmail.com or www.sex.com websites.
The worm tries to kill processes and services that have the
following strings in their names:
MST
MS_
- S
_NP
VIEW
IRMON
SMTPSVC
MONIKER
PROGRAM
Also, if on startup the worm detects that a program or a folder has
one of the following strings in its name, it crashes Windows and
the computer has to be restarted:
mon
vir
iom
anti
fire
prot
secu
view
debug
To collect e-mail addresses the worm scans .HTM and .DBX files. The
worm then sends itself to the found addresses using its own SMTP
engine. A typical infected message looks like this:
Hello,
Product Name: <windows version number>
Product Id: <windows serial number>
Thank you.
The strings 'Product Key: <windows product key>' and
'Process List: <list of processes>' may also appear in an infected
message, but on our test systems the worm did not include them.
The subject is empty and the worm's file is attached to the
infected message as README.EXE. The IFrame exploit is always
present in the message.
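The message format described above (empty subject, README.EXE attachment, IFrame pointing at the attachment, Product Name/Id body text) is enough for a mail gateway to flag such messages. Below is an added example, not F-Secure's code, that checks a raw message for these traits; the sample message and the addresses in it are constructed, and the Bridex.B "donkey-virus" text is included as a body marker as well.

```python
"""Added example, not F-Secure's code: flag e-mail messages carrying the
Bridex traits described above (empty Subject, README.EXE attachment, an
IFRAME pointing at the attachment by Content-ID, the Product Name/Id or
donkey-virus body text). The sample message below is constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

README_NAME = "readme.exe"
# IFRAME whose src is a cid: reference, the Nimda-style auto-launch trick
IFRAME_RE = re.compile(r"<iframe[^>]*src\s*=\s*['\"]?cid:", re.I)
BODY_MARKERS = ("Product Name:", "Product Id:", "My name is donkey-virus")


def bridex_indicators(raw: bytes) -> dict:
    """Return which Bridex/Bridex.B traits a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"empty_subject": not str(msg.get("Subject", "")).strip(),
            "readme_exe": False, "iframe_cid": False, "body_text": False}
    for part in msg.walk():
        if (part.get_filename() or "").lower() == README_NAME:
            hits["readme_exe"] = True
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text = part.get_content()
            if ctype == "text/html" and IFRAME_RE.search(text):
                hits["iframe_cid"] = True
            if any(m in text for m in BODY_MARKERS):
                hits["body_text"] = True
    return hits


def is_bridex_like(raw: bytes) -> bool:
    """Attachment name plus IFRAME are the stable traits; subject/body vary."""
    h = bridex_indicators(raw)
    return h["readme_exe"] and h["iframe_cid"] and (h["empty_subject"] or h["body_text"])


def build_sample() -> bytes:
    """Constructed message mimicking the Bridex.A format; no real worm code."""
    m = EmailMessage()
    m["From"] = "someone@example.test"   # placeholder addresses
    m["To"] = "victim@example.test"       # (no Subject header: empty subject)
    m.set_content("Hello,\nProduct Name: <windows version>\nProduct Id: <serial>\nThank you.\n")
    m.add_alternative('<html><body>Hello,<br>Product Name: &lt;windows version&gt;'
                      '<iframe src="cid:readme.exe" width=0 height=0></iframe>'
                      '</body></html>', subtype="html")
    m.add_attachment(b"MZ" + b"\0" * 14, maintype="application",
                     subtype="octet-stream", filename="README.EXE")
    return m.as_bytes()


if __name__ == "__main__":
    print(bridex_indicators(build_sample()), is_bridex_like(build_sample()))
```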
Many of the worm's internal text strings are encrypted and the
worm decrypts them on demand.
Disinfection Instructions
Disinfection of the worm requires deleting all of its files,
including EXPLORER.EXE and HELP.EML on the desktop, and
disinfecting all files infected by the Funlove virus. The Funlove
dropper BRIDE.EXE and the corrupted MSCONFIG.EXE file should also be
deleted. We recommend using the latest version of F-Secure
Anti-Virus with the latest updates.
F-Secure Anti-Virus detects Bridex worm with the updates
published on November 4th, 2002:
[FSAV_Database_Version]
Version=2002-11-04_04
[Analysis: F-Secure Virus Research Team; November 4th, 2002]
| VARIANT: | Bridex.B |
| ALIAS: | Braid.B, W32/Braid.B@mm, W32/Braid.B-mm |
| ALIAS: | I-Worm.Bridex.B, W32/Bridex.B@mm |
The second variant of the Bridex worm appeared at the end of
November 2002. The new variant has a few differences compared
to the original Bridex worm:
1. Sends itself with a different message body text:
Hello,
My name is donkey-virus.
I wish you a merry Christmas and happy new year.
Thank you.
The attachment name is still README.EXE and the IFrame exploit is
still present in an infected message.
2. When run, displays a different picture:
3. Copies itself as MADAM.EML and MADAM.EXE to the desktop
4. When starting, checks for processes with the following strings
in their names and kills them:
dbg
mon
vir
iom
anti
fire
prot
secu
view
debug
If the name also contains one of the following strings, the worm
does not kill the task:
MST
MS_
- S
_NP
VIEW
IRMON
SMTPSVC
MONIKER
PROGRAM
5. Does not drop Funlove virus
6. Creates a MADAM1.TMP file in the temporary folder and saves
directory structure information of the hard drive there.
7. Does not install itself to the system and does not modify the
System Registry
8. The task name of the worm sometimes is:
~Internet mail testing~
Disinfection Instructions
Disinfection of the worm requires deleting all of its files,
including MADAM.EXE and MADAM.EML on the desktop. We recommend
using the latest version of F-Secure Anti-Virus with the
latest updates.
[Analysis: Alexey Podrezov; F-Secure Corp.; November 26th, 2002]