W32.Brid.B@mm

Discussion in 'malware problems & news' started by Randy_Bell, Nov 19, 2002.

Thread Status:
Not open for further replies.
    Randy_Bell, Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    W32.Brid.B@mm is a variant of W32.Brid.A@mm. It is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds in .htm and .dbx files. This variant also attempts to terminate the processes of various antivirus and security programs. The email message has the following characteristics:

    Subject: [Registered Windows company name]
    Message:
    Hello,

    My name is donkey-virus.
    I wish you a merry Christmas and happy new year.

    Thank you.

    Attachment: Readme.exe

    The worm uses the known Internet Explorer exploit "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment".

    Unlike W32.Brid.A@mm, W32.Brid.B@mm does not copy W32.Funlove.4099 or W32.Funlove.int to the computer that it infects.

    This threat is written in the Microsoft Visual Basic programming language.

    Also Known As: W32/Braid.b@MM [McAfee]
    Type: Worm
    Infection Length: 90,111 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, OS/2, Unix, Linux

    Technical Details

    When W32.Brid.B@mm runs, it creates these files on the Windows desktop:

    • Madam.eml
    • Madam.exe (This is a copy of the worm.)

    Madam.eml is a Microsoft Outlook Express file. If this file is opened on an unpatched system, the attachment (which is the worm) runs automatically. This is due to the use of the known exploit "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment".

    It terminates processes if the name of the process contains any of the following strings:

    • dbg
    • mon
    • vir
    • iom
    • anti
    • fire
    • prot
    • secu
    • view
    • debug

    The worm uses its own SMTP engine to send itself to the email addresses that it finds in .htm and .dbx files. The email message has the following characteristics:

    Subject: [Registered Windows company name]
    Message:
    Hello,

    My name is donkey-virus.
    I wish you a merry Christmas and happy new year.

    Thank you.

    Attachment: Readme.exe

    The worm spoofs the From field of the outgoing email message.

    Removal Instructions

    NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    1. Update the virus definitions.
    2. Run a full system scan, and delete all files that are detected as W32.Brid.B@mm.
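The following is an added example, not part of the Symantec writeup or of Randy_Bell's post. It shows two checks a defender can run against the behaviours described above: a heuristic scan of a saved message (for example an .eml like the Madam.eml the worm drops) for the lure text, the Readme.exe attachment and the MIME trick the writeup names, and a dry run of the worm's process-name substring list against a process listing. The Internet Explorer flaw the writeup refers to is Microsoft bulletin MS01-020; the trigger was a non-executable Content-Type (audio/x-wav in the widely circulated exploit messages) declared on an executable attachment. The bulletin number and that content type are not stated in the post and come from general knowledge of the flaw. The sample message and process list below are constructed for this example, not captured samples.

```python
"""Heuristic checks for the W32.Brid.B@mm behaviours described in the writeup.

Added example; not code from Symantec, McAfee or the forum poster.
"""
from email import policy
from email.parser import BytesParser

# Extensions Windows will execute when the "attachment" is opened. Assumption:
# a reasonable list for the era, not one stated in the writeup.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

# Substrings the worm looks for in process names (taken from the writeup).
KILL_SUBSTRINGS = ("dbg", "mon", "vir", "iom", "anti", "fire", "prot", "secu", "view", "debug")

# Constructed sample message reproducing the lure text and attachment name from
# the writeup, with the MS01-020-style header: audio/x-wav declared on an .exe.
# The base64 blob is a fake MZ header, not a real executable.
SAMPLE_EML = b"""\
From: "Contoso" <someone@example.com>
To: victim@example.net
Subject: Contoso Corporation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="==BRID=="

--==BRID==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello,

My name is donkey-virus.
I wish you a merry Christmas and happy new year.

Thank you.

--==BRID==
Content-Type: audio/x-wav; name="Readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <Readme.exe>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--==BRID==--
"""

# Constructed process listing for the dry run.
SAMPLE_PROCESSES = ["explorer.exe", "procmon.exe", "antivir.exe",
                    "firewall.exe", "notepad.exe", "winlogon.exe", "viewer.exe"]


def scan_eml(raw: bytes) -> list[str]:
    """Return human-readable findings for one RFC 2822 message (empty if clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if "donkey-virus" in text:
        findings.append("body contains the Brid.B lure text 'donkey-virus'")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""          # falls back to Content-Type name=
        ctype = part.get_content_type()
        if name.lower().endswith(EXEC_EXTENSIONS) and not ctype.startswith("application/"):
            # An executable filename under a media/text type is the MS01-020
            # pattern: IE/Outlook Express trusted the declared type and opened
            # the part without prompting, so the executable ran.
            findings.append(f"MS01-020 pattern: {ctype} declared on executable attachment {name!r}")
        if name.lower() == "readme.exe":
            findings.append("attachment named Readme.exe (the Brid.B carrier)")
    return findings


def would_be_terminated(process_names: list[str]) -> list[str]:
    """Processes the worm would kill: any name containing one of its substrings."""
    return [p for p in process_names
            if any(s in p.lower() for s in KILL_SUBSTRINGS)]


if __name__ == "__main__":
    for f in scan_eml(SAMPLE_EML):
        print("FINDING:", f)
    print("would be killed:", would_be_terminated(SAMPLE_PROCESSES))
```

Note that the substring list is crude: "mon" and "view" also match ordinary tools such as procmon.exe or a document viewer, which is why a sudden disappearance of monitoring processes after an email was opened is itself a useful indicator on an unpatched host.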
     