Home / malware Win32.Bride.A@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Bride.A@mm is also known as W32/Braid.A, (Sophos.
Explanation :
This is a mass-mailing worm written in Visual Basic, which carries along the file infector Win32.FunLove.4070. The FunLove body and most of the character strings used by the virus are encrypted, to make reverse engineering more difficult.
The worm arrives in an email message in the following format:
From: (Windows registered user name of infected user)
Subject: (Windows registered organization of infected user)
Body:
Hello,
Product Name: (Windows version)
Product Id: (Windows product ID)
Product Key: (Windows product key)
Process List: (list of names and descriptions of running security processes)
Thank you.
Attachment: README.EXE
The virus exploits the IFRAME vulnerability in Internet Explorer 5.xx; the attachment (README.EXE) will automatically be executed when the message is selected in the preview pane of Outlook/Outlook Express (on unpatched systems); more information and a patch for this exploit are available in the Microsoft Security Bulletin (MS01-020).
The virus will copy itself as regedit.exe in the Windows System folder and will create the registry entry:
[HKCUSoftwareMicrosoftWindowsCurrentVersionRun
egedit]
in order for Windows to run the worm at every start-up.
The worm will also copy itself on the Desktop as Explorer.exe(with Internet Explorer's icon). An email message file (Help.eml) containing the worm will be created (also on the Desktop); when the user opens it, the attachment will once again automatically be executed (due to the IFRAME exploit):
Another two copies of the worm (one of them in Base64 format) will be created in temporary files called Brade0.tmp and Brade1.tmp.
The worm will stop services with names containing one of the substrings:
MST
MS_
S -
_NP
VIEW
IRMON
SMTPSVC
MONIKER
PROGRAM
It will also terminate processes with names including these strings:
dbg
mon
vir
iom
anti
fire
prot
secu
view
debug
Names and descriptions of these processes will be included in the body of email messages, under the title Process List. The From and Subject fields of messages are filled in with values read from the entries:
RegisteredOwner
RegisteredOrganization
under the registry key:
[HKLMSoftwareMicrosoftWindowsCurrentVersion]
The messages will also contain information about the running Windows version, id and key, taken from the registry entries:
ProductName
ProductId
ProductKey
Email messages containing the worm will be sent to addresses gathered by scanning .htm and .dbx files, and also to the anonymous user on the name/domain server.
The worm will overwrite the beginning of msconfig.exe (in the Windows System folder) with a sequence of code that drops a version of the file infector Win32.FunLove.4070 in bride.exe; this virus contains the following text: DonkeyoVaccineiEraser instead of the original Fun Loving Criminal. This dangerous virus will proceed to infecting executable files on the local system and on network shared folders.
Under certain conditions, the worm will try to open the following web-pages:
HttP://Www.hOtmAIl.coM/
hTtP://wWw.sEX.cOm/Last update 21 November 2011
