Virus Database


I-Worm.Bridex.a

Description I-Worm.Bridex.a

Bridex (aka Brid) is an email worm virus spreading via the Internet in the form of an attachment to infected emails. The worm itself is a Windows PE EXE file about 115KB in length and is written in Visual Basic.
To run from infected messages, the worm exploits the IFRAME security vulnerability.
The infected messages have an empty subject field.
The attached worm copy (file) is named README.EXE.
The message body looks as follows:
Hello,
Product Name: < data >
Product Id: < data >
Product Key: < data >
Process List: < data >
Thank you.

where < data > represents personal data from the infected machine, for example:
Hello,
Product Name: Microsoft Windows 98
Product Id: 50392-668-0444778-23555
Process List: NoneNone
Thank you.

Some of the lines above (except the first and last lines) may be absent from infected emails (this happens when the worm fails to read or determine the necessary data).
Installing
While installing, the worm copies itself to the Windows system directory under the name REGEDIT.EXE and to the Windows Desktop directory under the name EXPLORER.EXE, and then registers itself as the first file in the system registry auto-run key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run regedit = %WinSystem%\regedit.exe
While installing, the worm also looks for anti-virus applications and tries to terminate them.
Spreading
To collect victim email addresses, the worm scans all *.HTM and *.DBX files for email-like strings (except @microsoft.com addresses). It then sends itself to all acceptable addresses found.
To send infected messages, the worm uses a direct connection to the default SMTP server.
While spreading, the worm creates temporary files:
Help.eml - in the Windows Desktop directory
Brade0.tmp, Brade1.tmp - both in the Windows Temp directory
Payload
Depending on its "counters", the worm opens the following Web sites:
http://www.hotmail.com
http://www.sex.com

The Bridex worm also drops a variant of the Funlove virus into the MSCONFIG.EXE file in the Windows System directory.
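The file and registry traces listed in this description, checked against a host snapshot, as an added example that is not part of the original entry. The snapshot format, the function names and the sample paths are constructed assumptions, and %WinSystem% is taken to mean the Windows system directory.

```python
import ntpath

# Traces named in the Bridex.a description: (directory role, lower-case file name).
# MSCONFIG.EXE is not matched by name: the description says Funlove is dropped
# into that file, so it needs a content scan rather than a presence check.
FILE_TRACES = {
    ("system", "regedit.exe"): "worm copy in the Windows system directory",
    ("desktop", "explorer.exe"): "worm copy in the Windows Desktop directory",
    ("desktop", "help.eml"): "temporary file created while spreading",
    ("temp", "brade0.tmp"): "temporary file created while spreading",
    ("temp", "brade1.tmp"): "temporary file created while spreading",
}

def norm(path):
    """Lower-case a Windows path and normalize its separators."""
    return ntpath.normcase(ntpath.normpath(path))

def find_bridex_traces(dirs, files, run_values):
    """dirs: role -> directory; files: file paths seen on the host;
    run_values: name -> data from the HKCU Run key. Returns a list of findings."""
    roles = {norm(p): role for role, p in dirs.items()}
    findings = []
    for path in files:
        directory, name = ntpath.split(norm(path))
        reason = FILE_TRACES.get((roles.get(directory), name))
        if reason:
            findings.append(f"file {path}: {reason}")
    target = norm(ntpath.join(dirs["system"], "regedit.exe"))
    for name, data in run_values.items():
        exe = data.strip().strip('"')  # Run data may be quoted
        if name.lower() == "regedit" and norm(exe) == target:
            findings.append(f"run value {name}: points at {data}")
    return findings

# Constructed sample snapshot of a Windows 98 style host (not real data).
SAMPLE_DIRS = {"system": r"C:\WINDOWS\SYSTEM",
               "desktop": r"C:\WINDOWS\Desktop",
               "temp": r"C:\WINDOWS\TEMP"}
SAMPLE_FILES = [r"C:\WINDOWS\REGEDIT.EXE", r"C:\WINDOWS\SYSTEM\REGEDIT.EXE",
                r"C:\WINDOWS\Desktop\Help.eml", r"C:\WINDOWS\TEMP\Brade1.tmp",
                r"C:\WINDOWS\EXPLORER.EXE"]
SAMPLE_RUN = {"regedit": r'"C:\WINDOWS\SYSTEM\regedit.exe"',
              "SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    for finding in find_bridex_traces(SAMPLE_DIRS, SAMPLE_FILES, SAMPLE_RUN):
        print(finding)
```

Matching on directory role plus file name keeps REGEDIT.EXE and EXPLORER.EXE outside the listed directories from being flagged.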


Smuggler.572

Description Smuggler.572

It is a memory-resident parasitic virus that is not dangerous. It hooks INT 21h and writes itself to the end of COM files that are executed. While installing, the virus increases the "Alarm Hours" byte in CMOS. The virus contains the encrypted text string:
Programa escrito por Mc Smuggler en Mar del Plata (C)1994

Smut.938

Description Smut.938

It is a dangerous non-memory-resident parasitic virus. It searches for EXE files in the current directory tree, then writes itself to the end of the file. It also writes a trojan program to the MBR of the hard drive. This program activates on system reboot, hooks INT 13h and, depending on the system timer, restarts the computer.

    Copyright © 2005 Virus-Database.com