Bridex
Bridex
Type Email worm
Creator
Date Discovered 2002.11.04
Place of Origin South Korea?
Source Language
Platform MS Windows
File Type(s) .exe
Infection Length 114,690 bytes
Reported Costs

Bridex, also called Braid or Brid is an email worm from 2002 that drops a modified version of the Funlove virus.

Table of Contents

Behavior

Bridex arrives in an email. The content of the email largely depends on information collected from the computer it is coming from. The sender line will be the username of the person who was logged in when the worm was sent. In some cases the sender and receiver lines will be the same. The subject line will contain whatever was entered as the company name when Windows was registered. The text body will look like this (information in brackets is the variable information collected from the computer it is coming from):

Bridex.png
Bridex icons
  Hello,

  Product Name: [Windows version]
  Product ID: [Windows ID]
  Product Key: [the product key Windows was activated with]
  Process List: [a list of processes]

  Thank you.

When Bridex is executed, it attempts to connect to www.hotmail.com. If it fails at this it waits a short time, then continues working. It places the files Help.eml and Explorer.exe on the desktop, both of which are copies of the worm (the former is actually the email message containing the worm .exe file). It makes copies of itself in the system folder as Bride.exe, Msconfig.exe and Regedit.exe. It adds the Regedit file as a value under the current user run key so it will run whenever that user logs in. It also adds three keys under the Local Machine Remote computer key.

The worm scans .htm and .dbx files for email addresses and emails itself using its own SMTP engine. It drops a variant of the Funlove virus and executes it.

Effects

Bridex infected the mailing list at the Russian antivirus firm Kaspersky Lab. An infected email generated multiple bounced emails that ended up bouncing for around 8 hours, starting in the morning of 2002 November 8. Kaspersky Lab issued an apology for the inconvenience and blamed crackers. It had no effect on Kaspersky Lab's internal systems. They believed the attack came from someone who got hold of the mailing list's email address.

Sources

Neal Hindocha. Symantec, W32.Brid.A@mm. 2007.02.13

John Leyden. The Register, Kaspersky mailing list hijacked! 2002.11.08

-. -, Braid fails to unpick the Web. 2002.11.05

Beware of Fakes! Kaspersky Lab's Statement on the infection of their mailing list

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License