Bridex | |
---|---|
Type | Email worm |
Creator | |
Date Discovered | 2002.11.04 |
Place of Origin | South Korea? |
Source Language | |
Platform | MS Windows |
File Type(s) | .exe |
Infection Length | 114,690 bytes |
Reported Costs |
Bridex, also called Braid or Brid is an email worm from 2002 that drops a modified version of the Funlove virus.
Behavior
Bridex arrives in an email. The content of the email largely depends on information collected from the computer it is coming from. The sender line will be the username of the person who was logged in when the worm was sent. In some cases the sender and receiver lines will be the same. The subject line will contain whatever was entered as the company name when Windows was registered. The text body will look like this (information in brackets is the variable information collected from the computer it is coming from):
Bridex icons |
---|
Hello,
Product Name: [Windows version]
Product ID: [Windows ID]
Product Key: [the product key Windows was activated with]
Process List: [a list of processes]
Thank you.
When Bridex is executed, it attempts to connect to www.hotmail.com. If it fails at this it waits a short time, then continues working. It places the files Help.eml and Explorer.exe on the desktop, both of which are copies of the worm (the former is actually the email message containing the worm .exe file). It makes copies of itself in the system folder as Bride.exe, Msconfig.exe and Regedit.exe. It adds the Regedit file as a value under the current user run key so it will run whenever that user logs in. It also adds three keys under the Local Machine Remote computer key.
The worm scans .htm and .dbx files for email addresses and emails itself using its own SMTP engine. It drops a variant of the Funlove virus and executes it.
Effects
Bridex infected the mailing list at the Russian antivirus firm Kaspersky Lab. An infected email generated multiple bounced emails that ended up bouncing for around 8 hours, starting in the morning of 2002 November 8. Kaspersky Lab issued an apology for the inconvenience and blamed crackers. It had no effect on Kaspersky Lab's internal systems. They believed the attack came from someone who got hold of the mailing list's email address.
Sources
Neal Hindocha. Symantec, W32.Brid.A@mm. 2007.02.13
John Leyden. The Register, Kaspersky mailing list hijacked! 2002.11.08
-. -, Braid fails to unpick the Web. 2002.11.05
Beware of Fakes! Kaspersky Lab's Statement on the infection of their mailing list