A new worm sowed its own destruction this week by including an old virus, one that even older versions of antivirus software are sure to detect, which means the worm's progress will be limited.
The Braid worm first surfaced Monday in Korea. The worm, also known as PE_BRID.A, W32/Braid@mm, W32/Braid-A and Win32.Braid.A, is a mass-mailer that injects the FunLove virus when infecting a system.
While most antivirus scanners didn't trap Braid yesterday, they did kick in when the worm dropped FunLove. "Even real outdated antivirus software would have caught it," said Mikko Hypponen, F-Secure's manager of anti-virus research in Helsinki, Finland.
For that reason, Hypponen doesn't expect Braid to have much traction. Early on, there were concerns that it might spread because it had properties similar to the recent Klez worm. So far, Braid is strongest in Asia, with pockets in North America and mainland Europe.
Braid exploits a MIME header vulnerability in Internet Explorer so a recipient doesn't need to double-click on the attachment for it to execute. The same vulnerability was used by the recent Klez and Bugbear worms. This could account, to some degree, for Braid's lack of success as users patch their systems in response to those worms, Hypponen said.
The message that arrives carrying Braid as an attachment looks like this:
From: The infected sender's Windows user name
Subject: Sender's Windows registered company name
Product Name: Microsoft Windows ( version running on infected system)
Product Id: ( Windows ID of sender's system)
Product Key: ( Windows key from sender's system)
Process List: ( Processes running on infected system)
When the worm runs, it copies itself to the Windows desktop as Explorer.exe. It also copies itself to the system folder as Regedit.exe, enabling it to automatically run each time the computer is restarted. The worm drops the FunLove virus into the system as Bride.exe, which is launched whenever an executable is run.
The worm harvests e-mail addresses from the Microsoft Outlook address book and from .htm and .dbx files on the system. It then mails itself using its own SMTP engine.
Perhaps the surest way of preventing Braid (and many other worms) is to block executable files at the gateway, said Chris Wraight, technology consultant at antivirus vendor Sophos.
A healthy dose of skepticism is also important. The ReadMe.exe file of the worm has properties that make it look like it was from an antivirus company. "But the dead giveaway is it says it's from 'Trend Microsoft'," Wraight said.