W32.Brid.B@mm


Discovered: November 18, 2002
Updated: November 18, 2002 3:14:45 PM
Systems Affected: Windows

W32.Brid.B@mm is a mass-mailing worm that sends itself to all email addresses it finds in .dbx and .htm files. The worm also attempts to terminate the processes of various antivirus and security applications.

W32.Brid.B@mm is a mass-mailing worm that sends itself to all email addresses it locates in .dbx and .htm files on the compromised system. It typically arrives as an email message with the following properties:

Subject: company

Attachment: README.EXE

Message Body:
Hello,

My name is donkey-virus.
I wish you a merry Christmas and happy new year.

Thank you.

The email message attempts to exploit the Microsoft IE MIME Header Attachment Execution Vulnerability (BID 2524) so that the attachment executes when the user views or previews the message on a vulnerable system.
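The message properties listed above can be turned into a mail-triage check. The following Python sketch is an added example, not part of the original write-up; the function names, the quarantine rule (attachment name plus at least one other indicator) and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the write-up above (compared case-insensitively).
SUBJECT = "company"
ATTACHMENT = "readme.exe"
BODY_MARKER = "my name is donkey-virus"

def brid_b_indicators(raw_bytes):
    """Return which of the three mail indicators appear in one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = set()
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name == ATTACHMENT:
            hits.add("attachment")
        elif not name and part.get_content_type() in ("text/plain", "text/html"):
            try:
                text = part.get_content()
            except (LookupError, UnicodeError):
                continue  # undecodable body: skip it rather than crash the filter
            # Collapse whitespace so line wrapping cannot hide the phrase.
            if BODY_MARKER in " ".join(text.lower().split()):
                hits.add("body")
    return hits

def should_quarantine(raw_bytes):
    """Assumed policy: the attachment name plus at least one other indicator."""
    hits = brid_b_indicators(raw_bytes)
    return "attachment" in hits and len(hits) >= 2

def build_sample(subject, body, filename):
    """Constructed test message; the attachment bytes are an inert placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

WORM_LIKE = build_sample("company", "Hello,\n\nMy name is donkey-virus.\n", "README.EXE")
BENIGN = build_sample("company", "Quarterly figures attached.\n", "report.pdf")

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, sorted(brid_b_indicators(raw)), should_quarantine(raw))
```

Requiring the attachment name together with a second indicator keeps ordinary mail whose subject happens to be "company" out of quarantine.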

When the attachment is executed, it drops the following files:
%Windows Desktop%\MADAM.EML
%Windows Desktop%\MADAM.EXE

MADAM.EML is simply a copy of the worm's email message. MADAM.EXE is a copy of the worm's executable.

The worm will then display an image and terminate any processes with names that contain the following strings:
dbg
mon
vir
iom
anti
fire
prot
secu
view
debug