Bride of Funlove virus getting around

A new e-mail worm circulating on the Internet is capable of spreading a variant of the FunLove virus to vulnerable machines running Microsoft Windows, according to statements released by three security companies.

The new worm, named W32/Braid.A or I-Worm.Bridex, arrives in an e-mail message without a subject and is contained in an attachment named README.EXE.

When recipients double click on the attachment, the worm copies a variant of the FunLove virus to the local system with the name BRIDE.EXE, alters the machine’s system registry so that the virus is re-launched each time Windows starts, scans the user’s Outlook address book and e-mails copies of itself to any addresses it finds.

By taking advantage of a known IFRAME vulnerability in Microsoft’s Outlook, Outlook Express and Internet Explorer products, the new worm may be launched without user interaction, according to an alert posted by antivirus software maker Sophos.

Microsoft issued a patch — Microsoft Security Bulletin MS01-020 — in 2001 which secures against these attacks, according to Chris Wraight, a technology consultant at Sophos. The patch can be downloaded from Microsoft’s Web site.

Originally discovered in November 1999, FunLove is an e-mail worm that infects Windows portable executable files. The worm is capable of infecting executable files on the machine it infects, then spreading it to corrupt executable files in machines on a local- or wide area network. Opening any corrupted executable will launch a copy of the virus.

Like the original FunLove worm, the Bride variant does not appear to steal information from the machines it infects, though the worm does include information on an infected user’s Windows software version and the Windows serial number in the body of e-mail messages it uses to spread itself, according to an alert posted by security company F-Secure.

The new worm is not known to have infected any machines, and appears to be an unsophisticated copy of the original FunLove worm, according to Wraight.

“On a scale of one to ten, I’d rate it a two,” Wraight said.

Braid.A/Bridex is also notable for its use of tricks — often referred to as “social engineering” — to get potential victims to launch the worm. For example, the properties of the README.EXE file containing the virus identify the source of the file as “Anti Virus World System” from “Trend Microsoft Inc.” according to an alert published by Computer Associates. “Trend Microsoft” is an amalgamation of antivirus software company Trend Micro Inc. and Microsoft.

To remove the Braid.A/Bridex worm, security companies recommend deleting all affected files from the infected machine and running antivirus software equipped to disinfect the FunLove virus. The Windows operating system may also need to be reinstalled to restore system files corrupted by the worm, according to Wraight.