Alias: I-Worm.Bradex, Win32/Winevar.worm
Type: Worm
Size: 91.000 Bytes and more.
Origin:
Date: 11-23-2002
Damage: Spreads by email.
VDF Version: 6.23.00.00
Danger: High
Distribution: Medium

Distribution
It sends itself to all email addresses it can find in files of the following types:
.htm .js .dbx
The email has the following structure:
Subject: Re: AVAR(Association of Anti-Virus Asia Reseachers)
Body: %sender's name%
Attachment:
WIN[xxxx].GIF (120 bytes) MUSIC_2.CEO
WIN[xxxx].TXT (12.6 KB) MUSIC_1.HTM
WIN[xxxx].pif (the same as "WIN[xxxx].GIF (120 bytes) MUSIC_2.CEO")

Technical Details
Like the worm's prior versions, Worm/Bride.C spreads by email and contains another packed virus. It infects PE executable files using the W32/Funlove virus and deletes almost all files from the hard disk.
It can activate itself on systems running Microsoft Outlook by using a security hole (IFRAME). Thus, the worm can be activated automatically in the Outlook preview.
Worm/Bride.C is even more dangerous than the prior versions.
Within a short time, the worm begins to delete files from the hard disk. By the next system start at the latest, the Windows operating system can no longer be loaded.
The worm creates the following files:
%SystemDIR%\Win[xxxx].tmp, 0 bytes
%SystemDIR%\Win[xxxx].tmp, 0 bytes
%SystemDIR%\Winb[xxx].tmp, 0 bytes
%SystemDIR%\Winb[xxx].tmp, 0 bytes

It also creates two other files:
%SystemDIR%\WIN[xxxx].pif and
%SystemDIR%\WIN[xxxx].pif
which are identical to the attachment, of ~91000 Bytes or more.

The worm carries a kind of log function. Data about already infected systems is stored at the end of the file. For example:
[KOR] Fri, 22 Nov 2002 22:19:12 [sender's name1] >>
[KOR] Fri, 22 Nov 2002 23:19:12 [sender's name2] >>
[ENU] Fri, 23 Nov 2002 3:19:12 [sender's name3] >> ...

[KOR] denotes a Korean-language Windows.
%WinDIR% is usually C:\Windows\
%SysDIR% is usually C:\Windows\System\
[xxxx] is a random 4-digit number.
[xxx] is a random 3-digit number.

The worm also contains a packed known virus. W32/Funlove is placed in WIN[xxx].TMP, WINA[xxx].TMP and AAVAR.pif in the system directory (%SysDir%) and immediately activated.
It infects PE executable files.
It makes the following autorun entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  @= "C:\\[attachment-path]\\WINB[xxx].PIF"
  "WIN5225"= "C:\\WINDOWS\\SYSTEM\\WIN[xxxx].pif"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
  @= "C:\\[attachment-path]\\WINB[xxx].PIF"
  "WIN5225"= "C:\\WINDOWS\\SYSTEM\\WIN[xxxx].pif"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  @= "C:\\[attachment-path]\\WINB[xxx].PIF"
  "WIN5225"= "C:\\WINDOWS\\SYSTEM\\WIN[xxxx].pif"

On Windows restart, the following message appears:
"What a foolish thing you have done!"
The worm begins to delete Windows files by the next system start at the latest. Thus, Windows can no longer be started.
Description inserted by Crony Walker on Tuesday, June 15, 2004
