
Win32.Bride.C@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Bride.C@mm is also known as I-Worm.Winevar (F-Secure, Kaspersky).

Explanation:

This version of Win32.Bride.A@mm was written in Visual C++. Most of its strings are encrypted and the worm brings along the Win32.FunLove.4070 file infector once again.

It arrives attached to an email message in the following format:

From: ‹Registered Owner›
or: AntiVirus
or: ‹forged address› (may be the same with the recipient's)

Subject: Re: AVAR(Association of Anti-Virus Asia Reseachers)
or: ‹Unreadable characters›‹Registered Organization›
or: ‹Unreadable characters›Trand Microsoft Inc.

Body:
AVAR(Association of Anti-Virus Asia Reseachers) - Report.
Invariably, Anti-Virus Program is very foolish.

Attachments:
‹random name›.TXT (12.6 KB) MUSIC_1.HTM
‹random name›.GIF (120 bytes) MUSIC_2.CEO
‹random name›.PIF

The worm exploits the IFRAME vulnerability in order for the attached executable to be automatically launched when the message is displayed in the preview pane, and the Microsoft VM ActiveX Component vulnerability in order for the HTM file to add CEO to the executable files extensions and the worm to be run when the user opens the attached CEO file.

The worm copies itself to the Windows System folder as WIN‹NNNN›.pif (‹NNNN› being a random number) and then executes this copy with a command line parameter specifying the tick count (the number of milliseconds elapsed since system start-up). The running copy compares its own tick count with the parameter to see whether it was started less than half a second after the original copy invoked it; otherwise (for example, when the worm is run at start-up), the following message box is displayed:



The worm will register both its original copy and the newly-dropped copy to be run at startup, by creating WIN‹NNNN› entries under the registry keys named in the Symptoms section.

A mutex called ~~ Drone Of StarCraft~~ is used by the virus to avoid multiple execution of some code sequences.

The worm will attempt to stop any services or processes which include one of the substrings:

view
debu
scan
mon
vir
iom
ice
anti
fir
prot
secu
dbg
avk
pcc
spy

but do not include any of these:

microsoft
ms
_np
r n
cicer
irmon
smtpsvc
moniker
office
program
explorewclass

A function that terminates these services and processes is called approximately every 2 seconds.
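The process-selection rule above, re-implemented as an added example (not BitDefender's or the worm's code) so a defender can check which process or service names on a host would have matched it; it assumes case-insensitive matching, which the description does not state, and terminates nothing.

```python
# Added example: the worm's process/service name filter as described above,
# written for checking exposure only. Assumption: matching is case-insensitive.
TARGET_SUBSTRINGS = ("view", "debu", "scan", "mon", "vir", "iom", "ice", "anti",
                     "fir", "prot", "secu", "dbg", "avk", "pcc", "spy")
EXCLUDED_SUBSTRINGS = ("microsoft", "ms", "_np", "r n", "cicer", "irmon",
                       "smtpsvc", "moniker", "office", "program", "explorewclass")


def is_targeted(name: str) -> bool:
    """True if the filter would select this name: it must contain at least one
    target substring and none of the excluded substrings."""
    lowered = name.lower()
    hit = any(s in lowered for s in TARGET_SUBSTRINGS)
    excluded = any(s in lowered for s in EXCLUDED_SUBSTRINGS)
    return hit and not excluded


def targeted_names(names):
    """Return the subset of names the filter would select, in input order."""
    return [n for n in names if is_targeted(n)]


# Constructed sample names (not from the page) illustrating hits, misses and
# names rescued by the exclusion list (e.g. "MSMonitor" matches "mon" but
# also "ms"; "irmon" matches "mon" but is excluded by name).
SAMPLE_NAMES = ["avkserv.exe", "MSMonitor.exe", "FirewallSvc", "explorer.exe",
                "irmon", "Protect.exe", "office.exe", "dbghelp.exe", "winlogon.exe"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n:20s} {'TARGETED' if is_targeted(n) else 'spared'}")
```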

A version of Win32.FunLove.4070 is dropped to a temporary file in the Windows System folder and executed; this virus will start infecting .exe, .scr and .ocx executables on the local drives and network shares. The original FunLove text "Fun Loving Criminal" now reads "AAVAR 2002 in Seoul", and the file infector is dropped in a file named AAVAR.PIF (instead of flcss.exe).

The worm uses a function that will recursively scan folders on the fixed drives. The contents of folders with names containing:

antivirus
cillin
nlab
vacc

will be deleted (however, tests have shown that the virus manages to delete most of the files on the disk, due to the buggy handling of a flag variable across the recursive calls to the function). Target addresses for mass-mailing will be gathered from .dbx and .htm files; addresses containing @microsoft will be avoided. A list of target addresses will be maintained in the registry key:

[HKCR\Software\Microsoft\DataFactory]

The ‹Registered Owner› and ‹Registered Organization› variables (which are sometimes used for the From and Subject fields of the sent emails) are read from the registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion] (or [HKLM\Software\Microsoft\Windows NT\CurrentVersion] on NT-based systems)

If this is not possible, they are given the default values "AntiVirus" and "Trand Microsoft Inc." respectively.

During the execution, the worm will attempt to download data from http://www.symantec.com/ (to temporary files in the Windows System folder, that will later be discarded) for two purposes: first, to see if there is an Internet connection available, and second, to flood the server.

Last update 21 November 2011
