Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Brid.A@mm

Overview

Threat Risk MEDIUM MEDIUM
Destructivity LOW LOW
Payload Installs virus
Detection files published 06 Nov 2002 03:00:00
Description created 06 Nov 2002 06:47:00
Description updated 06 Nov 2002 06:58:00
Malware type WORM
Alias W32/Braid.A
PE_BRID
Spreading mechanism EMAIL
Summary None

W32/Brid.A@mm

Spreading

The worm uses data found on the infected computer to create message subject and body.

When executed, it will send itself to all users in the Outlook address book. It does this by contacting the mail server directly. When the worm spreads via email the user(s) may be infected by only previewing or opening the mail in Outlook/Outlook Express. This is accomplished using a known security hole "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment".

Information and patch is available from:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

The security hole is a known issue with Internet Explorer versions 5.01 and 5.5 without SP2 . Users who have this configuration should apply the available patch.

It installs several files to the hard disk - some which contain the worm itself, and some which contain a new variant of the FunLove virus. This variant of FunLove is very minor, and is detected and cleaned by NVC already.

It will also modify the Registry in such a way as to start the worm from bootup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run regedit [systemdir]\regedit.exe
 

Payload Details

n/a

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:10