Microsoft KB Archive/810012

= Virus alert about the W32/Braid@mm worm =

Article ID: 810012

Article Last Modified on 2/1/2007

-

APPLIES TO

* Microsoft Outlook 2000 Standard Edition
* Microsoft Outlook 2002 Standard Edition
* Microsoft Outlook Express 6.0
* Microsoft Outlook Express 6.0, when used with:
** Microsoft Windows Millennium Edition

-


SUMMARY
W32/Braid@mm is a new e-mail worm. The Microsoft Product Support Services Security team is issuing this alert to advise customers to be aware of this virus as it spreads in the wild. Best practices, such as filtering certain file types and applying security patches, would prevent infection from this mass-mailer worm.


Impact of Attack
Mass Mailing and Network Share Infection

Technical Details
The W32/Braid@mm worm arrives in an e-mail message with the following characteristics:

Subject: (Sender's Windows registered company name) or (Blank)

Body:

Hello,

Product Name: Microsoft Windows (version of Windows on the infected sender's system)

Product ID: (Windows ID on the infected sender's system)

Product Key: (Windows key on the infected sender's system)

Process List: (processes running on the infected sender's system)

Thank you.

Attachment: Readme.exe

The worm tries to exploit a previously patched vulnerability that exists in some versions of Microsoft Outlook, Microsoft Outlook Express, and Microsoft Internet Explorer. This vulnerability can be used to allow an executable attachment to run automatically, even if you do not double-click the attachment. Information about this vulnerability can be found at the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx

When the W32/Braid@mm worm executes, it places the Help.eml file on the desktop of the infected computer. The Help.eml file, if opened, will have properties similar to the original message that infected the computer. This worm infects .exe, .scr, and .ocx files and will try to spread through network shares. For more detailed information about the W32/Braid@mm worm, contact your antivirus vendor.

Prevention
<ol><li>Block potentially damaging attachment types at your Internet mail gateways.</li>
<li>This virus uses a previously announced vulnerability as part of its infection method. Because of this, you must make sure that your computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS01-020. For more information about this bulletin, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx

To obtain the most recent cumulative security patch for Microsoft Internet Explorer, which includes the fixes for the vulnerabilities that were announced in Microsoft Security Bulletin MS01-020, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-023.mspx

</li>
<li>If you are using Microsoft Outlook 2000 Service Release 1 (SR-1) or earlier, install the Outlook E-mail Security Update patch to prevent this virus (and the majority of other viruses that are borne by e-mail messages) from running.

Outlook 2000 Service Pack 2 (SP2) and Microsoft Outlook 2002 automatically contain the functionality that is contained in the Outlook E-mail Security Update patch.

To install the Outlook E-mail Security Update patch for Outlook 2000 SR-1 or earlier, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=96DF48A9-7638-429E-816E-35F16F6528CA&displaylang=EN

</li>
<li>You can also configure Microsoft Outlook Express 6 to block access to potentially damaging attachments. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

291387 OLEXP: Using virus protection features in Outlook Express 6

Earlier versions of Outlook Express do not contain attachment-blocking functionality. Use caution when you open unsolicited e-mail messages with attachments.

</li>
<li>Using a program-level firewall can protect you from being infected with this virus through Web-based e-mail programs.</li></ol>
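
One way to apply the first prevention step at a mail gateway, as an added example that is not part of the original article and is not Microsoft code: a Python check that quarantines messages carrying the file types this article names and counts the body field labels listed under Technical Details. The function names, the blocked-extension set, the non-application type check, and the sample message are assumptions constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# File types named in this article; extend per local policy (assumption).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".ocx"}
# Field labels from the message body described in this article.
BODY_MARKERS = ("Product Name:", "Product ID:", "Product Key:", "Process List:")

def inspect_message(raw: bytes) -> dict:
    """Hypothetical gateway check: return a verdict for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    blocked, mismatched, body = [], [], ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:
            if part.get_content_type() == "text/plain":
                body += part.get_content()
            continue
        # Strip trailing dots/spaces first: "notes.txt.scr." is still a .scr.
        ext = os.path.splitext(name.strip().rstrip(". ").lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            blocked.append(name)
            # MS01-020 is an incorrect-MIME-header flaw, so also flag an
            # executable name declared under a non-application type.
            if part.get_content_maintype() != "application":
                mismatched.append(name)
    return {
        "blocked": blocked,
        "type_mismatch": mismatched,
        "body_markers": sum(m in body for m in BODY_MARKERS),
        "quarantine": bool(blocked),
    }

def build_sample() -> bytes:
    """Constructed sample shaped like the message described above."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "rcpt@example.com"
    m.set_content("Hello,\nProduct Name: Microsoft Windows (version)\n"
                  "Product ID: (id)\nProduct Key: (key)\n"
                  "Process List: (processes)\n\nThank you.\n")
    m.add_attachment(b"placeholder, not a real executable",
                     maintype="image", subtype="gif", filename="Readme.exe")
    return m.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample()))
```

The verdict is driven by the attachment extension alone; the body-marker count and type mismatch are supporting signals for triage, since the subject line can be blank and the body values differ per sender.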

Recovery
If your computer has been infected with this virus, contact Microsoft Product Support Services or your preferred antivirus vendor for help with removing the virus. For information about how to contact Microsoft Product Support Services, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

Related Security Information
For additional information about viruses, visit the following third-party Web sites:

http://securityresponse.symantec.com/avcenter/venc/data/w32.brid.a@mm.html

http://vil.nai.com/vil/content/v_99776.htm

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For additional security-related information about Microsoft products, visit the following Microsoft Web site:

http://www.microsoft.com/athome/security/default.mspx

Keywords: kbdownload kbvirus KB810012

-


© Microsoft Corporation. All rights reserved.