• PC World
• »Security

A new e-mail worm circulating on the Internet is capable of spreading a variant of the FunLove virus to vulnerable machines running Microsoft Windows, according to statements released by three security companies.

The new worm, named W32/Braid.A, or I-Worm.Bridex, arrives in an e-mail message without a subject and is contained in an attachment named README.EXE.

When recipients double-click the attachment, the worm copies a variant of the FunLove virus to the local system with the name BRIDE.EXE. It alters the machine's system registry so that each time Windows starts the virus launches again, scans the user's Outlook address book, and sends copies of itself to any addresses it finds.

To remove the Braid.A/Bridex worm, security companies recommend deleting all affected files from the infected machine and running antivirus software equipped to disinfect the FunLove virus. The Windows operating system may also need to be reinstalled to restore system files corrupted by the worm, according to Chris Wraight, a technology consultant at antivirus software maker Sophos.

Easily Avoided

By taking advantage of a known IFRAME vulnerability in Microsoft's Outlook, Outlook Express, and Internet Explorer products, the new worm may be launched without user interaction, according to an alert posted by Sophos.

Microsoft issued a patch--Microsoft Security Bulletin MS01-020--in 2001 that secures against these attacks, according to Wraight. The patch is available from Microsoft as a free download.

The antivirus vendors say they have not received reports of infection by the new worm. It appears to be an unsophisticated copy of the original FunLove worm, according to Wraight.

"On a scale of one to ten, I'd rate it a two," Wraight said.

Long Roots

Originally discovered in November 1999, FunLove is an e-mail worm that infects Windows' portable executable files. The worm is capable of infecting executable files on the machine it infects, then spreading it to corrupt executable files in machines on a local- or wide area network. Opening any corrupted executable file will launch a copy of the virus.

Like the original FunLove worm, the Bride variant does not appear to steal information from the PCs it infects. However, the worm does include information on an infected user's Windows software version and the Windows serial number in the body of e-mail messages it uses to spread itself, according to an alert posted by security company F-Secure.

Braid.A/Bridex is also notable for its use of tricks--often referred to as "social engineering"--to get potential victims to launch the worm. For example, the properties of the README.EXE file containing the virus identify the source of the file as "Anti Virus World System" from "Trend Microsoft" according to an alert published by Computer Associates. "Trend Microsoft" is an amalgamation of antivirus software company Trend Micro and Microsoft.