W32/Bridex.A@mm

Name: W32/Bridex.A@mm
Aliases: W32/Braid.a@MM, W32.Brid.A@mm, Bridex, W32.Bridex.A@mm, PE_BRID.A, W32/Braid-A
Type: Internet Worm
Discovery Date: November 4, 2002

Description:

W32/Bridex.A@mm is a mass-mailer worm written in Visual Basic that arrives as an email attachment entitled "README.EXE". This worm relies upon the file "MSVBVM60.DLL" being available on the victim's system in order to run.
The worm is activated when the user clicks on the attachment. It copies itself as "REGEDIT.EXE" to the Windows System directory and adds a startup key to the registry to activate this file at every system reboot. It then copies the following two files to the infected system:

• "Help.eml" - Microsoft Outlook Express file. If this file opens on unpatched system, the worm will run automatically due to a Microsoft exploit. The patch for this exploit can be found at Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
• "Explorer.exe" - copy of worm

Bridex also drops a slightly modified version of the FunLove virus on the infected computer (we detect it as W32/FunLove.4099).

Bridex contains its own SMTP engine, and will attempt to email a copy of itself to everyone in the MS Outlook Address book, as well as email addresses it finds in .htm and .dbx files on the infected system.

Detection:

Command Antivirus version 4.58.3 or higher with definition files dated 11/07/2002 will detect this virus.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Home � Purchase Center � Virus Center � Support Center