Find a Partner
This window is encrypted for your security.
Need help? Ask the community or hire an expert.
Go to Avira Answers
91.000 Bytes and more.
Spreads by email.
It sends itself to all email addresses it can find in files of the following type:
.htm .js .dbx
The email has the following structure:
Subject: Re: AVAR(Association of Anti-Virus Asia Reseachers)
Body: %sender's name%
WIN[xxxx].GIF (120 bytes)
MUSIC_2.CEO WIN[xxxx].TXT (12.6 KB)
MUSIC_1.HTM WIN[xxxx].pif (the same as "WIN[xxxx].GIF (120 bytes) MUSIC_2.CEO")
As the worm's prior versions, Worm/Bride.C spreads by email and contains another packed virus. It infects PE executable files using W32/Funlove virus and deletes almost all files from the harddisk.
It can be self-activated on Microsoft Outlook systems, using a security hole (IFRAME). Thus, the worm can be automatically activated on Outlook preview.
Worm/Bride.C is even more dangerous than the prior versions.
In a short time, the worm begins to delete files from the harddisk. Windows operating system can not be loaded, on the next system start, at the latest.
The worm creates the following files:
It also creates two other files:
which are identical to the attachment, of ~91000 Bytes or more.
The worm carries a kind of log function. The data of already infected systems is at the end of the file. For example:
[KOR] Fri, 22 Nov 2002 22:19:12 [sender's name1] >>
[KOR] Fri, 22 Nov 2002 23:19:12 [sender's name2] >>
[ENU] Fri, 23 Nov 2002 3:19:12 [sender's name3] >> ...
[KOR] is a Korean Windows language.
%WinDIR% is usually C:\Windows\
%SysDIR% is usually C:\Windows\System\
[xxxx] is a random 4-digits number
[xxx] is a random 3-digits number.
The worm also contains a packed known virus. W32/Funlove is placed in WIN[xxx].TMP,
and AAVAR.pif in the system directory (%SysDir%) and immediately activated.
It infects PE executable files.
It makes the following autorun entries:
-[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]@= "C:\\[attachment-path]\\WINB[xxx].PIF""WIN5225"= "C:\\WINDOWS\\SYSTEM\\WIN[xxxx].pif" -[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]@= "C:\\[attachment-path]\\WINB[xxx].PIF""WIN5225"= "C:\\WINDOWS\\SYSTEM\\WIN[xxxx].pif" -[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]@= "C:\\[attachment-path]\\WINB[xxx].PIF""WIN5225"= "C:\\WINDOWS\\SYSTEM\\WIN[xxxx].pif"
On Windows restart, the following message appears:
"What a foolish thing you have done!"
The worm begins to delete Windows files, by the next system start, at the latest. Thus, Windows can not be started anymore.
Description inserted by Crony Walker on Tuesday, June 15, 2004