
Win32.Bride.B@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Bride.B@mm is also known as W32/Braid.B (Sophos).

Explanation :

This is the second version of the mass-mailer Win32.Bride.A@mm; it doesn't carry along the FunLove file infector anymore, and doesn't install itself (it won't automatically be run at Windows start-up). Its strings are no longer encrypted and on Windows NT/2000/XP the executable might not be run (its format is slightly damaged, and the NT versions make more thorough verifications of executable format compliance than the 9x versions).

The worm arrives in an email message in the following format:

From: (Windows registered user name of infected user) or Help

Subject: (Windows registered organization of infected user)

Body:

Hello,

My name is donkey-virus.
I wish you a merry Christmas and happy new year.

Thank you.

Attachment: README.EXE



The attachment will still be automatically run on unpatched systems, as the virus exploits the IFRAME vulnerability. The following picture will be displayed when the virus is run:



The worm will copy itself to the Desktop as Madam.exe (with Internet Explorer's icon); it will also create an email message file on the Desktop (Madam.eml). When the user opens this file with Outlook/Outlook Express, the attachment will once again be executed and the user will be invited to fill in the recipient address and send the email; the attached file (README.EXE) may not be visible (due to the malformed MIME header).



The names of the temporary files used by the worm have been changed to Madam0.tmp and Madam1.tmp.

The worm will stop services with names containing one of the substrings:

MST
MS_
S -
_NP
VIEW
IRMON
SMTPSVC
MONIKER
PROGRAM

It will also terminate processes with window names including these strings:

dbg
mon
vir
iom
anti
fire
prot
secu
view
debug

Mass-mailing: As in version A, email addresses are collected from .htm and .dbx files; the "anonymous" user on the name/domain server will also be targeted.

The From and Subject fields are taken from the registry entries:

[HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization]

(if the RegisteredOwner entry cannot be read, the text Help will appear in the From field). The sender's email address may be forged in messages that are sent by the virus.
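As an added defensive example (not part of the BitDefender write-up), the script below parses a message and reports which of the indicators described above it matches: the "Help" fallback sender, the "My name is donkey-virus" body text and the README.EXE attachment. The sample message is constructed here; the From check is a confidence signal only, since the real sender name is taken from the registry.

```python
import email
from email import policy

# Indicators taken from the message format described above.
BODY_MARKER = "My name is donkey-virus"
ATTACHMENT_NAME = "README.EXE"

# Constructed sample in the described format; not a real capture.
SAMPLE_EML = b"""From: Help
Subject: Example Org
To: victim@example.invalid
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bride-b-sample"

--bride-b-sample
Content-Type: text/plain; charset="us-ascii"

Hello,

My name is donkey-virus.
I wish you a merry Christmas and happy new year.

Thank you.

--bride-b-sample
Content-Type: application/octet-stream; name="README.EXE"
Content-Disposition: attachment; filename="README.EXE"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--bride-b-sample--
"""


def score_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and report which Bride.B indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {
        # From is the registered owner, or the literal "Help" when that key is unreadable.
        "from_help": (msg.get("From") or "").strip().lower() == "help",
        "body_marker": False,
        "readme_exe": False,
    }
    for part in msg.walk():
        name = part.get_filename()
        if name and name.upper() == ATTACHMENT_NAME:
            hits["readme_exe"] = True
        elif part.get_content_type() == "text/plain":
            if BODY_MARKER in part.get_content():
                hits["body_marker"] = True
    return hits


def is_bride_b(hits: dict) -> bool:
    """Body text or attachment name alone is enough; the sender only adds confidence."""
    return hits["body_marker"] or hits["readme_exe"]


if __name__ == "__main__":
    h = score_message(SAMPLE_EML)
    print(h, "-> Bride.B" if is_bride_b(h) else "-> no match")
```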

The file's description contains the following copyright text:

Copyright (C) Madam Inc. 1981-2002

Last update 21 November 2011
