The Braid worm, also known as Bridex, W32/Braid@mm, W32/Braid.A-mm, I-Worm.Bridex, or W32/Bridex.A@mm, was discovered on November 4, 2002. Braid spreads via email, taking advantage of a vulnerability in Microsoft products that can cause the attachment to open automatically on unpatched systems. Specifically, Braid exploits a vulnerability in Internet Explorer, the default program responsible for rendering HTML email in certain mail clients, including Outlook and Outlook Express. Microsoft released a patch for the vulnerability in March 2001.
Braid is thought to have originated in Korea. As part of its infection routine, it drops a modified variant of the FunLove virus onto the system. FunLove is a network virus that infects all portable executable files found on the network. According to antivirus and security vendor F-Secure, when FunLove is dropped onto the system the beginning of the MSCONFIG.EXE file is replaced with the FunLove dropper. MSCONFIG.EXE is a utility first introduced in Windows 98, used to manage which programs load on startup. This file cannot be disinfected and should be deleted and restored from a backup. In addition to Windows 98, the MSCONFIG.EXE utility is also present in Windows ME and XP. MSCONFIG.EXE is a utility, not an essential file. Thus, if you are unable to restore the file from a backup or the system CD, the operating system will continue to operate normally without it.
The Braid worm scans .DBX files (Outlook Express mail stores) and HTML files for email addresses and sends itself to each address found. The Braid-generated email has the following characteristics:
Hello,
Product Name: (Windows version)
Product Id: (Windows serial number)
Thank you.
The subject line varies, but is always a single word. The attached file is README.EXE. However, some antivirus products may be unable to detect the infected attachment because its MIME header is severely malformed. This, in combination with the vulnerability exploit, could cause even protected systems to become infected. The best defense is patching the system to avoid automatic infection and remaining vigilant about deleting any unexpected executable-type attachments received via email. To ensure your system's security patches are up to date, visit the Windows Update site, have it scan your system, and install any updates marked as Critical.
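The malformed-header problem described above is also a lesson for mail filtering: a scanner that only walks the parsed MIME tree can lose sight of the attachment. The following Python is an added example (not part of the original article or any vendor tool) that checks a message for the Braid characteristics listed above both through the parsed structure and through the raw bytes; the sample messages are constructed, and the Product Id value is a placeholder.

```python
import email
import re

# Constructed sample (not a real capture) modelled on the message described above:
# single-word subject, "Product Name"/"Product Id" body, README.EXE attachment.
BRAID_LIKE = b"""\
From: sender@example.test
Subject: Hello
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello,
Product Name: Microsoft Windows 98
Product Id: 00000-000-0000000-00000
Thank you.
--b1
Content-Type: application/octet-stream; name="README.EXE"
Content-Disposition: attachment; filename="README.EXE"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""
# Same message with the boundary parameter removed: a scanner that trusts the
# MIME structure no longer sees a separate attachment part at all.
MALFORMED = BRAID_LIKE.replace(b'; boundary="b1"', b"")

def braid_indicators(raw):
    """Collect Braid-style indicators from one raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    subject = (msg.get("Subject") or "").strip()
    names = [(p.get_filename() or "").upper() for p in msg.walk()]
    body = b"".join(p.get_payload(decode=True) or b"" for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    text = body or raw  # fall back to raw bytes when parsing yields no text part
    return {
        "single_word_subject": bool(re.fullmatch(r"\S+", subject)),
        "readme_exe_part": "README.EXE" in names,        # seen via MIME structure
        "readme_exe_raw": b"README.EXE" in raw.upper(),  # seen in the raw bytes
        "product_id_body": b"Product Name:" in text and b"Product Id:" in text,
        "mime_defects": [type(d).__name__ for d in msg.defects],  # parser-reported
    }

def is_suspicious(raw):
    """Flag the message when either view (structured or raw) shows the Braid pattern."""
    f = braid_indicators(raw)
    attachment = f["readme_exe_part"] or f["readme_exe_raw"]
    return bool(attachment and f["single_word_subject"] and f["product_id_body"])
```

For the intact sample the attachment is found through the MIME tree; for the boundary-less copy the parser records a NoBoundaryInMultipartDefect and only the raw-byte check still sees README.EXE, which is why both views are combined.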