
CA Virus Advisory Alert: 5th November, 2002

Announcement posted by CA (enterprise) 06 Nov 2002

New virus Win32.Braid.A in the wild
Name: Win32.Braid.A
Alias: Win32/, W32.Brid.A@mm, PE_BRID.A
Category: Win32
Type: Worm

Analysis
Wild instances: Low - on watch
Destructiveness: Moderate
Pervasiveness: Moderate


CHARACTERISTICS
Braid.A is an email worm that also drops a known Win32 virus, Win32.FunLove. If executed on a Windows 95 or Windows 98 system, the worm overwrites MSCONFIG.EXE in the system directory with Win32.FunLove virus code; the original file must be restored from the Windows installation CD. A second file, BRIDE.EXE, containing only the Win32.FunLove virus code, is also dropped into the system directory. CA antivirus solutions already provide detection for Win32.FunLove.

The worm also drops a copy of itself into the system directory as REGEDIT.EXE. Note that this is a valid Windows system filename, but the genuine REGEDIT.EXE is located in the Windows directory, not the system directory. A user who launches REGEDIT to look for suspicious executables in the registry may therefore run the worm instead. A value is added under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to start this copy when Windows restarts.

Two more copies of the worm are dropped on the user's Desktop as EXPLORER.EXE and HELP.EML. HELP.EML is an Outlook Express email message that uses the Incorrect MIME Header vulnerability in Internet Explorer (MS01-020; versions 5.01 and 5.5 without SP2) to execute its attachment automatically when the message is viewed.

In an attempt to confuse the user, the worm masquerades as an antivirus program: its file properties (version information) describe it as "Anti Virus World System" from "Trend Microsoft Inc."
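As an added example (not part of CA's advisory and not a CA tool), the following Python script checks a host for the artefacts described above: REGEDIT.EXE and BRIDE.EXE in the system directory, EXPLORER.EXE and HELP.EML on the Desktop, and a Run-key entry that launches REGEDIT.EXE from the system directory rather than the Windows directory. The directory layout (C:\WINDOWS and C:\WINDOWS\SYSTEM), the Run value names "regedit" and "Tweak", and the sample directory listings are assumptions constructed for illustration; the advisory does not name the Run value. On a Windows host it reads the real directories and HKCU Run key; elsewhere it runs over the constructed sample.

```python
r"""Check a Windows host for the files and Run-key entry Braid.A leaves behind.

Added example for this advisory, not CA's code. Paths and sample data below are
assumptions: a Windows 9x layout with C:\WINDOWS as the Windows directory and
C:\WINDOWS\SYSTEM as the system directory.
"""
import ntpath
import os
import sys

# File names taken from the advisory, grouped by the directory they are dropped in.
SYSTEM_DIR_DROPS = {"REGEDIT.EXE", "BRIDE.EXE"}
DESKTOP_DROPS = {"EXPLORER.EXE", "HELP.EML"}
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"  # under HKCU


def command_executable(command):
    """Return the executable path from a Run-key command line.

    Accepts both quoted ("C:\\Some Dir\\x.exe" /a) and unquoted
    (C:\\WINDOWS\\SYSTEM\\REGEDIT.EXE /s) forms.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def find_indicators(system_dir, system_dir_files, desktop_files, run_values):
    """Return (indicator, detail) pairs for every Braid.A artefact found.

    system_dir_files, desktop_files: file names listed in those directories.
    run_values: {value name: command line} read from the HKCU Run key.
    """
    hits = []
    for name in system_dir_files:
        if name.upper() in SYSTEM_DIR_DROPS:
            hits.append(("dropped file", ntpath.join(system_dir, name)))
    for name in desktop_files:
        if name.upper() in DESKTOP_DROPS:
            hits.append(("dropped file (desktop)", name))
    for value_name, command in run_values.items():
        exe = command_executable(command)
        # The genuine REGEDIT.EXE lives in the Windows directory. A Run entry
        # that starts REGEDIT.EXE from the system directory points at the
        # worm's copy. Comparison is case-insensitive, as Windows paths are.
        if (ntpath.basename(exe).upper() == "REGEDIT.EXE"
                and ntpath.normcase(ntpath.dirname(exe)) == ntpath.normcase(system_dir)):
            hits.append(("run key", f"{value_name} = {command}"))
    return hits


def read_hkcu_run_values():
    """Read every value under HKCU\\...\\Run (Windows only; needs winreg)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the values are exhausted
                break
            values[name] = str(data)
            index += 1
    return values


# Constructed sample input (an assumption, not data from the advisory): a
# Windows 98 host after Braid.A has run. The Run value names are guesses.
SAMPLE_SYSTEM_DIR_FILES = ["KERNEL32.DLL", "MSCONFIG.EXE", "REGEDIT.EXE", "BRIDE.EXE"]
SAMPLE_DESKTOP_FILES = ["EXPLORER.EXE", "HELP.EML", "Notes.txt"]
SAMPLE_RUN_VALUES = {
    "regedit": r"C:\WINDOWS\SYSTEM\REGEDIT.EXE",
    "Tweak": r'"C:\Program Files\Tweak UI\tweakui.exe" /startup',
}


def scan_sample():
    """Run the check over the constructed sample listings above."""
    return find_indicators(r"C:\WINDOWS\SYSTEM", SAMPLE_SYSTEM_DIR_FILES,
                           SAMPLE_DESKTOP_FILES, SAMPLE_RUN_VALUES)


def main():
    if sys.platform == "win32":
        system_dir = os.path.join(os.environ.get("WINDIR", r"C:\WINDOWS"), "SYSTEM")
        desktop = os.path.join(os.path.expanduser("~"), "Desktop")
        hits = find_indicators(system_dir, os.listdir(system_dir),
                               os.listdir(desktop), read_hkcu_run_values())
    else:
        hits = scan_sample()
    for indicator, detail in hits:
        print(f"{indicator}: {detail}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

The script only reports locations; it does not attempt cleanup, because the advisory states that the overwritten MSCONFIG.EXE has to be restored from the installation CD and that CA's scanner already detects the dropped Win32.FunLove code. The live-host branch assumes a modern Python on a current Windows, so the Desktop path is derived from the user profile rather than the Windows 9x C:\WINDOWS\Desktop location.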

CA Antivirus Research team is still analysing this worm. This description will be updated with more details as they become available.

http://www.ca.com/virusinfo