W32.Braid-A

Discussion in 'malware problems & news' started by Technodrome, Nov 4, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    W32/Braid-A is an internet worm which emails itself to every contact in the Microsoft Outlook address book.

    The worm attempts to exploit a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer. These vulnerabilities allow an executable attachment to run automatically, even if you do not double-click on the attachment. Microsoft has issued a patch which secures against these attacks. The patch can be downloaded from Microsoft Security Bulletin MS01-027. (This patch was released to fix a number of vulnerabilities in Microsoft's software, including the ones exploited by this worm.)

    When the worm is first run it copies itself to the Desktop as Explorer.exe, to the System folder as Regedit.exe and creates the registry entry

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\regedit = C:\WINDOWS\SYSTEM\regedit.exe

    so that this file is run automatically each time the computer is restarted.

    The worm drops W32/Flcss. to the System folder as Bride.exe. Bride.exe is then launched whenever another executable is run.

    http://www.sophos.com


    Technodrome
     
  2. Technodrome
    On November 4, many PC users in South Korea faced a new threat in the form of a newly born mass-mailer spreading on the Internet and making use of a long-known vulnerability in Microsoft Internet Explorer.
    As reported by some anti-virus labs, during the first hours of the worm's appearance it was detected only by the Dr.Web® heuristic analyzer (the worm body, arriving on the computer as an attachment named README.EXE, was detected as BACKDOOR.TROJAN). The worm was added to the Dr.Web® virus database as Win32.HLLM.Generic.95 (hot add-on to version 4.29 dated November 4, 2002). This virus is labeled by other anti-virus programs as W32/Braid@MM, PE_BRID.A, and Win32.Braid.A.

    The Virus Alert Service of DialogueScience, Inc. indicates that on November 6th this mass-mailer ranked between 6th and 4th in the Internet traffic of major Russian providers. However, the total share of its samples caught by Dr.Web mail filters does not exceed 1.5%, which is why it is premature to speak of a new epidemic.

    Win32.HLLM.Generic.95 contains in its body a modified file infector, Win32.FunLove.4608. When run, the virus copies itself to the Windows system folder under the name REGEDIT.EXE, thus replacing the system file of the Windows registry editor. Besides, to secure its automatic execution at every system start-up, the virus adds the value regedit = %system%\regedit.exe to this registry entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    (%system% is the Windows system folder).

    The following indications may signal a system infection:

    presence on the Desktop of Help.eml, an e-mail attachment infected with the virus
    presence on the Desktop of Explorer.exe

    Should you find the above-mentioned files, we strongly recommend checking your computer with an anti-virus scanner after first updating the virus database.

    http://www.dials.ru/english


    Technodrome
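The two advisories quoted above between them give a small set of indicators: a Run-key value named regedit that auto-starts a regedit.exe from the System folder (Sophos cites HKCU, Dr.Web cites HKLM), plus Explorer.exe and Help.eml on the Desktop and Bride.exe / Regedit.exe in the System folder. The script below is an added example by the editor, not code from Sophos, Dr.Web or the poster: it applies those indicators to a registry export and a file listing so it can run offline. The .reg text and the file list are constructed samples, the folder paths follow a Windows 9x layout (assumed), and the rule that no legitimate Run entry ever launches the registry editor is the editor's assumption, not a statement from either advisory.

```python
"""Hunt for the W32/Braid-A indicators quoted in the two advisories above.

Added example: consumes a .reg export and a file listing so it runs offline;
on a live machine you would feed it `reg export` output and a directory walk.
All sample data below is constructed, not captured from an infected host.
"""
import re
from pathlib import PureWindowsPath

# Run keys named by the advisories (Sophos quotes HKCU, Dr.Web quotes HKLM), lowercased.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

# Files the advisories say the worm drops: (folder role, file name).
DROPPED_FILES = {
    ("desktop", "explorer.exe"),
    ("desktop", "help.eml"),
    ("system", "regedit.exe"),
    ("system", "bride.exe"),
}

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}}.

    Only REG_SZ values are decoded; other value types are kept verbatim.
    """
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("REGEDIT4", "Windows Registry")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        if name != "@":
            name = _unescape(name[1:-1])
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        result[current][name] = data
    return result


def _exe_of(command):
    """Return the program path from a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def suspicious_run_entries(reg):
    """Run-key values that auto-start a regedit.exe, as the worm's entry does.

    Assumption (editor's, not the advisories'): nothing legitimate registers
    the registry editor for auto-start, so any such entry deserves a look.
    """
    hits = []
    for key, values in reg.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            if PureWindowsPath(_exe_of(data)).name.lower() == "regedit.exe":
                hits.append((key, name, data))
    return hits


def suspicious_files(paths, desktop, system):
    """Paths from `paths` matching a dropped-file indicator in the given folders."""
    folders = {
        "desktop": str(PureWindowsPath(desktop)).lower(),
        "system": str(PureWindowsPath(system)).lower(),
    }
    hits = []
    for p in paths:
        path = PureWindowsPath(p)
        parent = str(path.parent).lower()
        for role, fname in DROPPED_FILES:
            if path.name.lower() == fname and parent == folders[role]:
                hits.append(str(path))
    return hits


# Constructed sample: a Run-key export and a listing from a Windows 9x-style layout.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\SYSTEM32\\ctfmon.exe"
"regedit"="C:\\WINDOWS\\SYSTEM\\regedit.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''

SAMPLE_FILES = [
    r"C:\WINDOWS\Desktop\Explorer.exe",
    r"C:\WINDOWS\Desktop\Help.eml",
    r"C:\WINDOWS\Desktop\readme.txt",
    r"C:\WINDOWS\SYSTEM\Bride.exe",
    r"C:\WINDOWS\SYSTEM\kernel32.dll",
    r"C:\WINDOWS\regedit.exe",  # the real editor lives here, not in SYSTEM; not flagged
]

if __name__ == "__main__":
    for key, name, data in suspicious_run_entries(parse_reg_export(SAMPLE_REG)):
        print(f"Run entry: [{key}] {name} = {data}")
    for f in suspicious_files(SAMPLE_FILES, r"C:\WINDOWS\Desktop", r"C:\WINDOWS\SYSTEM"):
        print(f"Dropped file: {f}")
```

The file check deliberately matches on the parent folder, so a regedit.exe in its normal location is left alone while one sitting in the System folder is reported; the Run-key check looks at the program being launched rather than the value name, so renaming the value would not evade it.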
     