Threat Encyclopedia


Win32/Bride.A

I-Worm.Bridex, W32/Braid@mm, PE_BRID.A

Win32/Bride.A is a worm that spreads as an e-mail attachment.  It is written in Visual Basic and is 114687 bytes long.  It affects computers running Windows 9x/ME/NT/2000/XP.  To get itself executed it uses the vulnerability described in Microsoft Security Bulletin MS01-020 (www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp), which allows an e-mail attachment to be run by the HTML rendering engine that Outlook and Outlook Express share with Internet Explorer.  On computers where this vulnerability has not been patched, the worm can be activated simply by viewing the message in the preview pane; the attachment does not have to be opened.  It is very important to download and install the related patch, since many known worms use this vulnerability to spread.

Note: In the following text the symbolic name %windir% stands for the directory in which the Windows operating system is installed (commonly C:\WINDOWS). This differs from installation to installation.

The worm arrives in an e-mail message as an attachment named readme.exe. The body of the message also contains the following text:

Hello,
Product Name :
Product ID:
Product Key:
Process List :
Thank you.
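The attachment name and the body text above are enough to recognize the message at a mail gateway. The following Python script is an added example, not ESET's code: it parses a message with the standard library, looks for the readme.exe attachment and the body markers quoted above, and additionally flags any executable file name delivered under a non-application Content-Type, which is the header mismatch that MS01-020 addresses. The two messages embedded in it are constructed samples, not real captures; the audio/x-wav label on the sample attachment is an assumed illustration of such a mismatch, not a detail taken from the description.

```python
import email
from email import policy

# Body markers quoted in the threat description.
BODY_MARKERS = ("Product Name :", "Product ID:", "Product Key:", "Process List :")
ATTACHMENT_NAME = "readme.exe"
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")

# Constructed sample reproducing the traits described above (not a real capture).
# The attachment deliberately carries a non-executable Content-Type: an executable
# delivered under such a label is the header mismatch class MS01-020 addresses.
SAMPLE_EML = b"""\
From: sender@example.test
To: recipient@example.test
Subject: Hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bride-sample"

--bride-sample
Content-Type: text/plain; charset="us-ascii"

Hello,
Product Name : Microsoft Windows
Product ID: 00000-000-0000000-00000
Product Key: AAAAA-AAAAA-AAAAA-AAAAA-AAAAA
Process List :
explorer.exe
Thank you.
--bride-sample
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
--bride-sample--
"""

# A benign constructed message for comparison.
CLEAN_EML = b"""\
From: sender@example.test
To: recipient@example.test
Subject: Lunch
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Hello,
Are we still on for lunch?
Thank you.
"""


def scan_message(raw: bytes) -> dict:
    """Return the Bride.A indicators found in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Text of the message body (the worm's "Product ..." block lives here).
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    markers = [m for m in BODY_MARKERS if m in body]

    readme_attached = False
    mismatched = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name == ATTACHMENT_NAME:
            readme_attached = True
        # Executable file name declared under a non-application MIME type.
        if name.endswith(EXECUTABLE_SUFFIXES) and not ctype.startswith("application/"):
            mismatched.append((name, ctype))

    return {
        "body_markers": markers,
        "readme_exe_attached": readme_attached,
        "mime_type_mismatch": mismatched,
        # Verdict: the attachment name together with most of the body text.
        "bride_a_match": readme_attached and len(markers) >= 3,
    }


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, scan_message(raw))
```

The mismatch check is reported separately from the worm verdict on purpose: a message that fails it is worth quarantining at the gateway regardless of which worm it carries, since the vulnerable clients act on the declared type rather than the file name.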

Once the attachment is executed the worm is activated.  On first execution it creates the files Explorer.exe and Help.eml on the Desktop.  It also creates and runs the files msconfig.exe and bride.exe in the %windir%\System directory; these contain the virus Win32/Funlove.4070.  The worm copies itself into the same directory under the name regedit.exe.  Note that the genuine Registry Editor is %windir%\regedit.exe; a regedit.exe located in %windir%\System does not belong there.

Win32/Bride.A ensures that it is started again after a reboot by creating a value named regedit under the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The value data is the literal path "C:\WINDOWS\SYSTEM\regedit.exe".

The worm sends copies of itself to all addresses found in the Microsoft Outlook address book.
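The dropped files and the Run value above are the host-side indicators of an infection. The following Python script is an added example, not ESET's code: check_host() matches a snapshot of the Run key, the %windir%\System listing and the Desktop listing against those indicators, and collect_live() gathers such a snapshot on a Windows host with the standard library's winreg module. The two embedded snapshots are constructed, not taken from a real system; the assumption that the Desktop is %USERPROFILE%\Desktop is mine and may need adjusting for older Windows layouts.

```python
import os
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "regedit"
# Files the description says the worm drops, by directory.
SYSTEM_DIR_DROPS = {"regedit.exe", "msconfig.exe", "bride.exe"}
DESKTOP_DROPS = {"explorer.exe", "help.eml"}


def check_host(run_values: dict, system_dir_files, desktop_files) -> list:
    """Match a host snapshot against the Bride.A indicators and return findings.

    run_values       -- {value name: data} read from the HKCU Run key
    system_dir_files -- file names present in %windir%\\System
    desktop_files    -- file names present on the Desktop
    """
    findings = []

    # Persistence: Run value "regedit" pointing at ...\System\regedit.exe.
    # The genuine Registry Editor lives in %windir% itself, never in System.
    data = run_values.get(RUN_VALUE_NAME, "")
    if data.strip('"').lower().endswith(r"\system\regedit.exe"):
        findings.append(f"Run value {RUN_VALUE_NAME!r} = {data}")

    system_hits = SYSTEM_DIR_DROPS & {f.lower() for f in system_dir_files}
    for name in sorted(system_hits):
        findings.append(f"%windir%\\System\\{name}")

    desktop_hits = DESKTOP_DROPS & {f.lower() for f in desktop_files}
    for name in sorted(desktop_hits):
        findings.append(f"Desktop\\{name}")

    return findings


def _list_dir(path: str) -> list:
    return os.listdir(path) if os.path.isdir(path) else []


def collect_live() -> tuple:
    """Gather the three check_host() inputs from a Windows host (stdlib only).

    Assumes the Desktop is %USERPROFILE%\\Desktop (an assumption of this example).
    """
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows")
    import winreg

    run_values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        value_count = winreg.QueryInfoKey(key)[1]
        for i in range(value_count):
            name, data, _type = winreg.EnumValue(key, i)
            run_values[name] = str(data)

    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    system_dir = os.path.join(windir, "System")
    desktop = os.path.join(os.environ.get("USERPROFILE", ""), "Desktop")
    return run_values, _list_dir(system_dir), _list_dir(desktop)


# Constructed snapshot of an infected host built from the indicators above
# (not a real capture); the ctfmon.exe entry stands in for a benign Run value.
INFECTED_SNAPSHOT = (
    {"regedit": r'"C:\WINDOWS\SYSTEM\regedit.exe"',
     "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    ["kernel32.dll", "regedit.exe", "msconfig.exe", "bride.exe"],
    ["Help.eml", "Explorer.exe", "notes.txt"],
)

# Constructed snapshot of a clean host.
CLEAN_SNAPSHOT = (
    {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    ["kernel32.dll"],
    ["notes.txt"],
)


if __name__ == "__main__":
    snapshot = collect_live() if sys.platform == "win32" else INFECTED_SNAPSHOT
    for finding in check_host(*snapshot):
        print("FOUND", finding)
```

The file-name matches are compared case-insensitively because Windows file systems are, and the Run value is matched on its path tail rather than on the literal C:\WINDOWS\SYSTOM prefix, so a sample that writes the same value on a system installed elsewhere is still caught.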

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.