Alias: I-Worm.Bradex, Win32/Winevar.worm
Size: 91.000 Bytes and more.
Damage: Spreads by email.
VDF Version: 

Distribution
It sends itself to all email addresses it can find in files of the following types:
.htm .js .dbx
The email has the following structure:
Subject: Re: AVAR(Association of Anti-Virus Asia Reseachers)
Body: %sender's name%
WIN[xxxx].GIF (120 bytes) MUSIC_2.CEO
WIN[xxxx].TXT (12.6 KB) MUSIC_1.HTM
WIN[xxxx].pif (the same as "WIN[xxxx].GIF (120 bytes) MUSIC_2.CEO")

Technical Details
Like the worm's prior versions, Worm/Bride.C spreads by email and contains another packed virus. It infects PE executable files using the W32/Funlove virus and deletes almost all files from the hard disk.
It can activate itself on Microsoft Outlook systems by using a security hole (IFRAME). Thus, the worm can be activated automatically in the Outlook preview.
Worm/Bride.C is even more dangerous than the prior versions.
Within a short time, the worm begins to delete files from the hard disk. By the next system start at the latest, the Windows operating system can no longer be loaded.
The worm creates the following files:
%SystemDIR%\Win[xxxx].tmp, 0 bytes
%SystemDIR%\Win[xxxx].tmp, 0 bytes
%SystemDIR%\Winb[xxx].tmp, 0 bytes
%SystemDIR%\Winb[xxx].tmp, 0 bytes

It also creates two other files:
%SystemDIR%\WIN[xxxx].pif and
which are identical to the attachment, of ~91000 Bytes or more.

The worm carries a kind of log function. The data of already infected systems is at the end of the file. For example:
[KOR] Fri, 22 Nov 2002 22:19:12 [sender's name1] >>
[KOR] Fri, 22 Nov 2002 23:19:12 [sender's name2] >>
[ENU] Fri, 23 Nov 2002 3:19:12 [sender's name3] >> ...

[KOR] denotes a Korean-language Windows.
%WinDIR% is usually C:\Windows\
%SysDIR% is usually C:\Windows\System\
[xxxx] is a random 4-digit number.
[xxx] is a random 3-digit number.

The worm also contains a known virus in packed form. W32/Funlove is placed in WIN[xxx].TMP
and AAVAR.pif in the system directory (%SysDir%) and is activated immediately.
It infects PE executable files.
The worm makes the following autorun entries:
-[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@= "C:\\[attachment-path]\\WINB[xxx].PIF"
"WIN5225"= "C:\\WINDOWS\\SYSTEM\\WIN[xxxx].pif"
-[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@= "C:\\[attachment-path]\\WINB[xxx].PIF"
"WIN5225"= "C:\\WINDOWS\\SYSTEM\\WIN[xxxx].pif"
-[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@= "C:\\[attachment-path]\\WINB[xxx].PIF"
"WIN5225"= "C:\\WINDOWS\\SYSTEM\\WIN[xxxx].pif"
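
The autorun entries listed above can be checked for in a registry export. The following Python function is an added example, not part of the original description or of any Avira tool: it scans .reg-format text for string values under the three keys named above whose target file name follows the WIN[xxxx].pif / WINB[xxx].pif scheme. The function name, the assumption that the random parts are decimal digits, and the sample export are all constructed for illustration.

```python
import re

# Run keys named in the description, compared case-insensitively.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Name scheme from the description: WIN[xxxx].pif (4 digits), WINB[xxx].pif (3 digits).
# Assumption: the random parts are decimal digits.
NAME_RE = re.compile(r"^(?:WIN\d{4}|WINB\d{3})\.pif$", re.IGNORECASE)
# One string value line of a .reg export: @="..." or "name"="...".
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')

def find_suspicious_autoruns(reg_text):
    """Return (key, value_name, path) for autorun values matching the name scheme."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember the key the next values belong to
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or key.lower() not in RUN_KEYS:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        path = re.sub(r"\\(.)", r"\1", m.group(2))   # undo .reg backslash escaping
        if NAME_RE.match(path.rsplit("\\", 1)[-1]):  # test the file name only
            hits.append((key, name, path))
    return hits

# Constructed sample in .reg export format (not taken from an infected host).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\TEMP\\WINB123.PIF"
"WIN5225"="C:\\WINDOWS\\SYSTEM\\WIN5225.pif"
"SystemTray"="SysTray.Exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Winamp"="C:\\Program Files\\Winamp\\WIN1234.exe"
[HKEY_LOCAL_MACHINE\Software\Example]
"x"="C:\\WINDOWS\\SYSTEM\\WIN0001.pif"
'''

if __name__ == "__main__":
    for key, name, path in find_suspicious_autoruns(SAMPLE):
        print(f"{key} :: {name} -> {path}")
```

A match is a lead for triage, not proof of infection, since the check relies on the file-name scheme alone.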

On Windows restart, the following message appears:
"What a foolish thing you have done!"
The worm begins to delete Windows files by the next system start at the latest. Thus, Windows can no longer be started.
Description added by Crony Walker on Tuesday, 15 June 2004