
Trojan.Zasil and PE_BRID.A / Braid

Attack ID: CPAI-2002-12
Publish Date:
Category: Email worms and Trojan (Trojan.Zasil and PE_BRID.A / Braid)
Vulnerable Systems: Windows based systems
Source:

Trojan.Zasil
http://securityresponse.symantec.com/avcenter/venc/data/trojan.zasil.html

PE_BRID.A / Braid
http://securityresponse.symantec.com/avcenter/venc/data/w32.brid.a@mm.html

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BRID.A

CVE-2001-0154

Description:

Though these two viruses are different, one can mitigate them using FireWall-1:

Trojan.Zasil is a Trojan that tries to send information (such as host name and IP address) from an infected computer to the hacker who wrote it. It may arrive as an apparent spam email using various messages. The message characteristics are as follows:

Subject: Free Video
Attachment: Minenew.mpg.pif or Minenew.exe.pif.

PE_BRID.A / Braid is a mass-mailing worm that includes a slightly modified variant of a different worm. When it is executed, it attempts to drop several files on the system and to mass-mail itself. The worm contains its own SMTP engine; it attempts to obtain the address of the email server and contact it directly. The email has the following characteristics:

Subject: [Registered Windows company name]
Attachment: Readme.exe

Severity:

The trojan author could receive information that would allow him to break into a remote system.

The worm can run different commands and programs on the infected machine by taking advantage of a separate vulnerability.

Details:

Trojan.Zasil
Minenew.mpg.pif or Minenew.exe.pif arrives as an email attachment and contains the Trojan. If it is executed, it displays a nude picture on the screen, creates the file %windir%\Registry.exe (the actual Trojan), and executes that file.

This Trojan tries to send information (such as host name and IP address) to the hacker who wrote the Trojan.

PE_BRID.A / Braid
When this worm is executed, it first attempts to connect to www.hotmail.com. If it is unable to connect to www.hotmail.com, a short delay occurs before the worm continues its malicious actions. Next, the worm drops several files on the system, modifies the Windows registry, and emails itself to all contacts in the Microsoft Outlook Address Book.

Then, the worm attempts to execute a virus. The worm contains its own SMTP engine, and it will attempt to find and contact the email server directly.

It attempts to email everyone in the Microsoft Outlook Address Book, as well as any email address it may find inside .htm and .dbx files. The email message that this worm sends will appear as follows:

From: [Registered Windows user name]
Subject: [Registered Windows company name]
Message Body:
Product Name: [Windows Version]
Product ID: [Windows ID]
Product Key: [Key]
Process List: [List of processes]

All the information inside the [ ] brackets will be taken from the infected computer. The email message will have the worm attached, and if the email message is viewed on an unpatched system, the worm will execute automatically.

Attack Detection:

On the operating system, the presence of the files described in the advisories above can be checked. However, this worm or its variants might be able to choose random file names, which would make identification by file name unreliable.

Using SmartView Tracker, one can identify attempts to open outgoing SMTP connections from systems other than the regular outbound SMTP relays.
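The following script is an added example, not part of the Check Point advisory and not a Check Point tool. It shows the two detection ideas described on this page, the outbound-SMTP check from the Attack Detection section and the "Successive Multiple Connections" thresholds (10-second resolution, 60-second interval, 100 attempts) from the Solution section, as code run over a constructed log. The log layout ("date time src dst service action"), the sample addresses and the MAIL_SERVERS allowlist are all assumptions made for the example; real SmartView Tracker exports have a different layout and would need a different parser.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, simplified to "date time src dst service action".
# It imitates the fields one reads in SmartView Tracker; it is not real output.
SAMPLE_LOG = """\
2002-11-06 10:00:01 10.1.1.5 192.0.2.25 smtp accept
2002-11-06 10:00:03 10.1.1.5 198.51.100.7 smtp accept
2002-11-06 10:00:04 10.1.2.9 192.0.2.25 smtp accept
2002-11-06 10:00:06 10.1.2.9 203.0.113.8 smtp accept
2002-11-06 10:00:07 10.1.2.9 203.0.113.9 smtp accept
2002-11-06 10:00:09 10.1.3.3 192.0.2.80 http accept
"""

# Constructed allowlist: the only hosts expected to originate SMTP.
MAIL_SERVERS = {"10.1.1.5"}

EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Parse the simplified log into dicts with an integer 'sec' field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, service, action = line.split()
        ts = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
        records.append({"sec": int((ts - EPOCH).total_seconds()),
                        "src": src, "dst": dst,
                        "service": service, "action": action})
    return records


def rogue_smtp_sources(records, mail_servers=MAIL_SERVERS):
    """Map each non-mail-server host that opened SMTP to the sorted list of
    destinations it contacted.  A workstation talking to several foreign
    mail hosts is the footprint of a worm carrying its own SMTP engine."""
    hits = defaultdict(set)
    for r in records:
        if r["service"] == "smtp" and r["src"] not in mail_servers:
            hits[r["src"]].add(r["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def successive_connections(records, resolution=10, interval=60, attempts=100):
    """Emulate the Successive Multiple Connections check with the values
    given in the Solution section: count every connection per source in
    `resolution`-second slots, sum the slots inside any `interval`-second
    window, and flag sources whose total reaches `attempts`."""
    slots = defaultdict(lambda: defaultdict(int))
    for r in records:
        slots[r["src"]][r["sec"] // resolution] += 1
    window = interval // resolution
    flagged = {}
    for src, counts in slots.items():
        for start in sorted(counts):
            total = sum(c for s, c in counts.items()
                        if start <= s < start + window)
            if total >= attempts:
                flagged[src] = total
                break
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("outbound SMTP from non-mail-servers:", rogue_smtp_sources(recs))
    # The sample is far too small to reach 100; lower the threshold to show the logic.
    print("rate check (threshold lowered to 3):",
          successive_connections(recs, attempts=3))
```

On the sample, the allowlist check singles out 10.1.2.9, which contacted three different mail hosts although it is not a mail server; the rate check flags nothing at the advisory's threshold of 100 and only trips when the threshold is lowered to 3, which is why the advisory notes that the attempts number "varies, based on the site configuration".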

Solution:

Deploy FireWall-1 so that the client systems sit behind it and are shielded from the Internet. Verify that the incoming SMTP servers are protected behind the FireWall-1 SMTP Security Server:

  1. Using SmartDashboard, block all outgoing SMTP connections from non-server IPs. Allow only outgoing SMTP connections that originate from mail servers.
  2. Define an SMTP resource that strips MIME parts of type message/partial.
    1. The rule looks like the following:
      SRC=ANY, DST=Incoming SMTP server, Service=Resourced SMTP, Action=accept and log
    2. The SMTP resource looks like the following:
      • SMTP Resource->Action2 tab
        • Strip MIME of type: message/partial
        • Strip file by name: *.exe,*.scr,*.pif,*.*.pif
        • Weeding: Strip all Script Tags, links and port strings
  3. Verify that the SmartDefense "Successive Multiple Connections" check is marked:
    Policy->SmartDefense-> Successive Events-> Successive Multiple Connections.
  4. In order to track some of the potential attack attempts, verify the following "Successive Multiple Connections" values:
    1. Resolution: 10 seconds
    2. Time interval: 60 seconds
    3. Attempts number: 100 (varies, based on the site configuration)
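As an added example (not Check Point code and not part of the original advisory), the script below applies the same policy as the SMTP resource in step 2 to a message in software: it strips attachments whose names match *.exe, *.scr, *.pif or *.*.pif, and refuses message/partial fragments, which a scanner cannot inspect because it only ever sees part of the message. The sample messages are constructed here; the "Free Video" subject and the attachment names Minenew.mpg.pif and Readme.exe are taken from the advisory, while the addresses, the partial-message id and the payload bytes are made up. The weeding of script tags and links from step 2 is not implemented.

```python
import email
import fnmatch
from email import policy
from email.message import EmailMessage

# Settings mirroring the SMTP resource in step 2 of the Solution section.
STRIP_MIME_TYPES = {"message/partial"}
STRIP_NAME_PATTERNS = ("*.exe", "*.scr", "*.pif", "*.*.pif")


def filename_matches(name, patterns=STRIP_NAME_PATTERNS):
    """Case-insensitive glob match of an attachment name against the strip list."""
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, pat) for pat in patterns)


def inspect_message(raw_bytes):
    """List, in MIME walk order, every reason the policy would act on a message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in STRIP_MIME_TYPES:
            reasons.append("mime:" + ctype)
        name = part.get_filename()
        if name and filename_matches(name):
            reasons.append("attachment:" + name)
    return reasons


def filter_message(raw_bytes):
    """Apply the policy and return (verdict, bytes): 'block' for message/partial,
    'strip' when matching attachments were removed, otherwise 'deliver'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if any(p.get_content_type() in STRIP_MIME_TYPES for p in msg.walk()):
        return "block", b""
    if not msg.is_multipart():
        return "deliver", raw_bytes
    parts = msg.get_payload()
    kept = [p for p in parts
            if not (p.get_filename() and filename_matches(p.get_filename()))]
    if len(kept) == len(parts):
        return "deliver", raw_bytes
    msg.set_payload(kept)          # rebuild the multipart without the offenders
    return "strip", msg.as_bytes()


def build_lure(attachment_name):
    """Constructed message shaped like the Zasil lure (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Free Video"
    msg.set_content("see attachment")
    # Four placeholder bytes stand in for the executable; no real binary is used.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed message/partial fragment (id and addresses are made up).
PARTIAL_FRAGMENT = (
    b"From: sender@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: Readme\r\n"
    b'Content-Type: message/partial; id="constructed-id@example.invalid"; '
    b"number=1; total=2\r\n"
    b"\r\n"
    b"\r\n"
    b"first fragment of a split message\r\n"
)


if __name__ == "__main__":
    for name in ("Minenew.mpg.pif", "Readme.exe", "notes.txt"):
        print(name, "->", filter_message(build_lure(name))[0])
    print("message/partial ->", filter_message(PARTIAL_FRAGMENT)[0])
```

The pattern *.*.pif is listed separately in the resource because double extensions such as Minenew.mpg.pif are the form the Zasil attachment takes; with fnmatch the plain *.pif pattern already covers it, so the extra pattern is kept only to mirror the advisory's configuration.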
Industry Reference:
Additional Information:  Microsoft security bulletin MS01-020