December, 2002
Monthly Virus Update: Here Comes the Brid (and Other Viruses)
Last month viruses and worms continued their usual assault against the Lab's systems. The LBNL virus wall received a total of 515,442 attachments, 7,136 of which were infected with viruses and worms. Viruses and worms that target Windows systems were once again most prevalent. The Klez.H worm, with 5,470 instances, was once again most often found and eradicated, followed by the Yaha.G worm with 556 instances.

In third place was W32.Brid.A, with 427 instances. Brid (also known as Bridex or Braid) is a mass-mailing worm that carries and drops a copy of the FunLove virus. It gets onto victim systems by exploiting an Internet Explorer flaw in which an incorrectly formed MIME header causes a mail attachment to be run as soon as the message is viewed in Outlook or Outlook Express, without the user ever opening the attachment (the Incorrect MIME Header vulnerability, Microsoft Security Bulletin MS01-020). After infecting a system it tries to download several files and then mails itself to other potential victims. The subject of infected messages is the registered Windows company name of the sending system, and the attachment is "Readme.exe." Using its own mail engine, W32.Brid.A looks up the address of the email server for the infected system and connects to it directly. Because W32.Brid.A drops FunLove, your anti-virus software's FunLove signature will catch that component, but cleaning the worm itself requires a current signature for Brid, so keep your software's signatures up to date.

A new, destructive email worm is also spreading around the Internet. This worm, known variously as "Winevar," "W32/Winevar.A," "W32/Winevar@mm," "W32/Korvar," "I-Worm.Winevar" and the "Korean Worm," can erase a victim system's hard drive and displays a taunting message while doing so. First found in South Korea, Winevar is an apparent variant of Bridex (or "Braid") and exploits the same flaws in Microsoft's Internet Explorer, Outlook, and Outlook Express. Winevar typically arrives in messages with the subject line "Re: AVAR (Anti-Virus Asia Researchers)." When Winevar starts, it tries to terminate processes belonging to anti-virus software. It spreads by harvesting addresses from email on the victim's system and mailing itself out with a randomly generated number as the attachment name, so that filters which block a fixed attachment name do not catch it. When the victim system reboots, a dialog box with the heading "Make a fool of oneself" is displayed. The message in this box reads, "What a foolish thing you have done!"
If the user clicks OK, every file on the victim system is soon erased. If a system is infected by Winevar, it is important to delete every file Winevar has created before rebooting. Anti-virus signature updates for Winevar are available. Be sure to also install the latest cumulative patch for your Windows system and the latest cumulative patch for Internet Explorer.

The moral of the story once again is to run anti-virus software on your system (especially if it is a Windows system), keep this software updated, and avoid opening attachments unless you are sure that they are safe.
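The indicators given in this update (the Brid.A attachment name, the Winevar subject line, and an attachment that is handed to Windows as an executable under a misleading MIME type) lend themselves to the kind of filter a mail gateway such as the virus wall applies. The following is an added example, not code from the original newsletter or from LBNL. It triages constructed sample messages with Python's standard email library; the addresses, attachment bodies and the random-number attachment name in the samples are constructed, and the rule that flags an attachment whose declared Content-Type is a harmless type such as audio/x-wav while its filename carries an executable extension is this example's assumption about the shape of the "incorrectly formed MIME header" the worms exploit.

```python
"""Mail-gateway triage for the Brid.A and Winevar indicators described above.

Added example, not part of the original newsletter. The sample messages at
the bottom are constructed; the MIME-mismatch rule is this example's own
assumption about the malformed header the worms exploit.
"""
import email
import os
from email import policy

# Attachment extensions Windows will execute when launched.
EXEC_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".vbs"}
# Declared types that should never carry an executable payload; an attachment
# that claims one of these but has an executable filename is the mismatch this
# example treats as suspicious (assumption about the flaw, see lead-in).
HARMLESS_TYPES = {"audio/x-wav", "audio/x-midi", "image/gif", "image/jpeg",
                  "text/plain"}

# Indicators taken from the text above.
BRID_ATTACHMENT = "readme.exe"
WINEVAR_SUBJECT = "re: avar (anti-virus asia researchers)"


def triage(raw: bytes) -> list[str]:
    """Return findings for one raw message; an empty list means it passed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = str(msg["subject"] or "").strip().lower()
    if subject == WINEVAR_SUBJECT:
        findings.append("winevar-subject")

    # walk() visits every part, including nested multiparts; containers are
    # skipped and any leaf part carrying a filename is treated as an attachment.
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if not name:
            continue
        ext = os.path.splitext(name)[1]
        ctype = part.get_content_type()
        if name == BRID_ATTACHMENT:
            findings.append("brid-readme-exe")
        if ext in EXEC_EXTENSIONS and ctype in HARMLESS_TYPES:
            findings.append(f"mime-mismatch:{ctype}:{name}")
        if ext in EXEC_EXTENSIONS:
            findings.append(f"executable-attachment:{name}")
    return findings


# Constructed sample: the shape of a Brid.A message (audio/x-wav header on an
# .exe attachment; the base64 body is a placeholder, not a real executable).
BRID_SAMPLE = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: Example Windows Co.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

(body)
--b1
Content-Type: audio/x-wav; name="Readme.exe"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Constructed sample: Winevar subject line with a random-number attachment name
# (the number itself is made up for this example).
WINEVAR_SAMPLE = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: Re: AVAR (Anti-Virus Asia Researchers)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

(body)
--b2
Content-Type: application/octet-stream; name="48213.exe"
Content-Disposition: attachment; filename="48213.exe"
Content-Transfer-Encoding: base64

QUJD
--b2--
"""

# Constructed sample: an ordinary message that should pass.
CLEAN_SAMPLE = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: status report
Content-Type: text/plain

Nothing to see here.
"""

if __name__ == "__main__":
    for label, sample in (("brid", BRID_SAMPLE), ("winevar", WINEVAR_SAMPLE),
                          ("clean", CLEAN_SAMPLE)):
        print(label, triage(sample) or "pass")
```

The subject and attachment-name rules catch only the variants named here; the mismatch rule and the blanket block on executable attachments are what would have stopped the Klez, Nimda and Brid family of messages that rely on the same auto-execution flaw regardless of the names they use, which is why an up-to-date patch for Internet Explorer matters as much as the signatures.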