Bridex
Summary
Bridex is an email worm that appeared in the wild on 4th of November 2002. The worm is written in Visual Basic and it usually arrives in an email message as README.EXE attachment. The worm uses IFrame exploit to run itself automatically on some systems. The worm creates an EML file on a desktop (like Nimda worm does) and also drops a bit modified Funlove virus-worm to a system.
Removal
Disinfection of the worm requires deleting of all its files including MADAM.EXE and MADAM.EML from a desktop. We recommend to use the latest version of F-Secure Anti-Virus and the latest updates.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
-
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
-
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
-
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
When the worm's file is run, it copies itself as REGEDIT.EXE file to Windows System folder and creates a startup key for this file in the System Registry. This is done to activate the worm's file every time Windows starts.
Bridex worm drops a bit modified variant of Funlove virus to a system. The differences from the original variant are the following:
- a new variant creates a dropper with BRIDE.EXE name in Windows System folder - the original Funlove's text is replaced with 'DonkeyoVaccineiEraser'
It should be noted that the 'o' and 'i' letters between 'Donkey', 'Vaccine' and 'Eraser' words belong to the original Funlove's message.
When Funlove virus-worm is dropped, the beginning of MSCONFIG.EXE file is replaced with Funlove dropper. So this file can't be disinfected and should be deleted and restored from a backup.
Funlove virus-worm first infects all EXE files on a local hard disk and then starts to infect files on shared drives. This is a network virus-worm, so in case of infection, a network has to be taken down before all infected workstations are disinfected. However taking down a network is not necessary when FSAV 5.40 is installed on every workstation. This FSAV version can repell all attempts to infect a workstation from a network. The description of Funlove virus-worm can be found here:
https://www.europe.f-secure.com/v-descs/funlove.shtml
Bridex worm puts HELP.EML file on a desktop. This file contains a mime-encoded worm's copy with IFrame exploit and also HTML text that shows Window's version, product ID, registration key and list of running processes (however on our test systems the worm failed to create a list of processes). If a user clicks on that file, the worm will activate itself in case an unpatched version of Internet Explorer and Outlook Express is used. The same approach was used by Nimda worm.
The IFrame vulnerability is fixed and the patch for it is available on Microsoft's website:
https://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp
Bridex worm also copies itself as EXPLORER.EXE to an infected computer's desktop. This file has an icon from Internet Explorer, not from Windows Explorer. When this file is started and the worm is already in memory, it sometimes attempts to open a connection to www.hotmail.com or to www.sex.com websites.
The worm tries to kill processes and services that have the following strings in their names:
MST MS_ - S _NP VIEW IRMON SMTPSVC MONIKER PROGRAM
Also if on startup worm detects that a program or a folder has one of the following strings in its name, it crashes Windows and a computer has to be restarted:
mon vir iom anti fire prot secu view debug
To collect emails the worm scans .HTM and .DBX files. The worm then sends itself to the found addresses using its own SMTP engine. A typical infected message looks like that:
Hello, Product Name:Product Id: Thank you.
There could also be 'Product Key: <windows product key>' and 'Process List: <list of processes>' strings in an infected message, but on our test systems the worm didn't include them.
The subject is empty and the worm's file is attached to an infected message as README.EXE file. The IFrame exploit is always present in the message.
Many of the worm's internal text strings are encrypted and the worm decrypts them on-demand.
Variant:Bridex.B (Braid.B, W32/Braid.B@mm, W32/Braid.B-mm,I-Worm.Bridex.B, W32/Bridex.B@mm)
The second variant of Bridex worm appeared in the end of November, 2002. The new variant has a few differences comparing to the original Bridex worm:
1. Sends itself with a different message body text:
Hello, Product Name: Product Id: Thank you.
The attachment name is still README.EXE and Iframe exploit is still present in an infected message.
2. When run, displays a different picture:
3. Copies itself as MADAM.EML and MADAM.EXE to a desktop
4. When starting, checks for processes with the following names and kills them:
Hello, Product Name: Product Id: Thank you.
If the name also contains one of the following strings, the worm does not kill the task:
Hello, Product Name: Product Id: Thank you.
5. Does not drop Funlove virus
6. Creates MADAM1.TMP file in temporary folder and saves directory structure information of a hard drive there.
7. Does not install itself to system and does not modify the System Registry
8. The task name of the worm sometimes is:
Hello, Product Name: Product Id: Thank you.