The W32/Braid@MM Virus Family Often Forges Its From: Field

This information can be freely reproduced in any medium, as long as the information is unmodified.

The Braid virus affects only PC computers running Windows; Macintosh users, and users of other non-Windows operating systems cannot be infected by this virus. These users may, however, see plenty of infected email from Braid, so its "annoyance factor" is large.

PC users with VirusScan installed have been protected against W32/Braid since the 4232 drivers were released 06 November, 2002. [At U-M, we configure VirusScan to check several times a day for new virus definitions, so there is no need to remember to update.]

The email sent by Braid has the following format:

   From: [Registered Windows user name]
   Subject: [Registered Windows company name]
   Message Body:

      Hello,

      Product Name: [Windows Version]
      Product ID: [Windows ID]
      Product Key: [Key; may not be present]

      Process List: [List of processes; may take several lines, or not be present at all]

      Thank you.

and the infected attachment is named README.EXE, which is 114687 bytes long.

Braid was discovered in 04 November 2002. VirusScan users with current antivirus definitions have been protected explicitly against Braid since 06 November 2002 [Note that Braid was recognized "generically" by the VirusScan drivers, even before the virus writer created it! Also, Braid exploits a bug in Explorer that Microsoft provided a patch for over 17 months ago: if Braid bit you, you're not using current antivirus software, and you're not applying Windows Updates "Critical Updates."]

The main features of Braid are these:

1. Similar to the Klez virus, Braid forges its From: field, but it does it in a different way from Klez. For the gory technical details, see below.

2. Braid can delete critical files on the infected computer.

3. Braid injects a variant of particularly nasty virus (FunLove) when it infects a system. Funlove can spread via open network shares. I recommend that you disable File and Print Sharing, or at least password protect all shared resources.

4. It uses a security flaw in unpatched Internet Explorer applications that allows the attachment to be executed w/o opening it.

5. Braid may confuse you if you try to reply to the apparent sender:

   • Person A's computer gets infected

   • Braid harvests email addresses, including addresses for person B

   • Braid sends email from A's computer, using a From: address comprised of person A's "display name" and person B's "addr-spec" (see below.

   • Person B receives the infected email and attempts to email victim A.

   • Since the actual email goes to the "addr-spec", person A does not get the email -- person B does instead. person B is very confused because his or her email to A comes back to person B; person A remains infected, because s/he is not aware of the problem.

6. Braid can cause "email storms."

What should you do if:

• You think you might be infected with Braid

  Easy: scan -- and if necessary, disinfect -- with current, top quality antivirus software.

• You know you are infected by Braid?

  Easy: disinfect with current, top quality antivirus software.

• You receive email you suspect is infected with Braid -- or other viruses, for that matter?

  That's up to you; for suggestions, see our What to do with suspicious email document.

• You receive email claiming that you are sending Braid-infected email?

  This is a bit more involved:

  1. First, you probably are not infected, particularly if you are getting email from some automated announcement system: most of these alerts are well intentioned, but they do not check the full email headers to see who the real sender is.

     [Of course, if you get email from us that you are infected, or from others who ought to know, then there is a much higher chance that your computer is infected. But everyone makes mistakes, so it's not a sure thing!]

  2. Nonetheless, you should check that your computer has top quality antivirus software installed, and that it is current, and that you do not have any viruses on your machine.

  3. Assuming that you have no viruses on your computer, you may want to ask the sender of the alert for more information. In particular, you'll need full email headers; when you receive them, pass this information along to your competent antivirus support personnel. Better yet, Cc: those support folks in your original request, and ask that the full headers, etc., be sent to the support personnel directly.

     U-M folks: you can request that this information be sent to the U-M Virus Busters Team, of course.

  You don't already have antivirus software: In case you didn't notice the links above, U-M faculty, staff, and students can download VirusScan and Virex.

• How Braid forges the email address

  First, a definition: an email address consists of two parts:

  • The "display name": this is an optional phrase that is a description of the "addr-spec" to follow.
  • The "addr-spec": this is the local user-name, followed by the "@" symbol, followed by an Internet domain. An "addr-spec" is required for the email address to be valid.

  For example, my "display name" is "Bruce P. Burrell" and my "addr-spec" is <bpb@umich.edu> which makes my whole email address

  
     "Bruce P. Burrell" <bpb@umich.edu>
  

  Braid creates an email address by taking the victim's Windows "Registered Owner" to use as the "display name", and appending the "addr-spec" of a randomly selected email address harvested by the virus from the infected computer.

  For example, suppose that someone with an address of

        "Bozo the Clown" <beaux@eaux.com>
  

  got infected by Braid, and that my email address was found by Braid on that computer. Then Braid might meld these two addresses together, generating

        "Bozo the Clown" <bpb@umich.edu>
  

  Next, Braid forges email using the melded address generated above for the From: field, and sends out the email.

• For more technical info, see e.g. Network Associates write-up on Braid (leaving our site) or F–Secure's write up (leaving our site).

The URL for this document is http://www.umich.edu/~virus-busters/klez.html
For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

   -BPB