
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Bride

 
Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

The main purpose of Bride is to spread via e-mail and to temporarily remove every icon from the desktop.

Infection strategy 

Bride creates the following files:

  • REGEDIT.EXE, in the Windows system directory. This file is run every time Windows is started up.
  • EXPLORER.EXE, on the Windows desktop. This is a copy of the worm. It has the same icon as Internet Explorer, so that users are less likely to notice it.
  • HELP.EML, on the Windows desktop. This is a copy of the message that the worm sends out.
  • BRIDE.EXE, in the Windows system directory. This file is a variation of the virus detected by Panda as W32/FunLove.4099.Dr.

Bride creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Regedit = c:\windows\system\regedit.exe
    Through this entry, the worm ensures it is run on every Windows start-up.

Bride looks for the following entry in order to obtain information about the affected computer's operating system:  

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

Means of transmission 

Bride spreads mainly by e-mail, sending itself out to every address it finds in the affected computer's HTM files as well as in the Outlook Express trays.

It arrives in a message with variable characteristics. The subject field is empty, and the remaining fields are as follows:

  • To: <address>
  • From: <name><address>
    Where:
    <name>  is the name of the affected user.
    <address> is the e-mail address of the message recipient.
    Example:
    If a user named John (John@mail.com) is affected by this worm and an e-mail is sent from his computer to a user called Peter (Peter@mail.com), the message header would be the following:
    To: Peter@mail.com
    From: John[Peter@mail.com]
  • Message:
    Hello,
    Product Name:<OS>
    Product Id: <ID>
    Product Key: <Key>
    Process List:
    Thank you

    Where:
    <OS> is the name of the operating system installed on the affected computer.
    <ID> is the product identifier.
    <Key> is the product key.
  • Attachment:  
    README.EXE

The worm activates when the attached file is run, and even when the message is viewed through Outlook's Preview pane (Bride takes advantage of the Exploit/iFrame vulnerability).
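The message traits listed above can be checked at a mail gateway before a message reaches a preview pane. The following is an added example, not part of the original encyclopedia entry: the function name, indicator labels and both sample messages are constructed for illustration, and the From header is assumed to use the standard `Name <address>` form.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Body lines the entry lists for the message text.
BODY_MARKERS = ("Product Name:", "Product Id:", "Product Key:", "Process List:")

def bride_indicators(msg):
    """Return which of the message traits described in the entry this message shows."""
    hits = []
    # Trait 1: the subject field is empty (or absent).
    if not (msg.get("Subject") or "").strip():
        hits.append("empty-subject")
    # Trait 2: the From header carries the recipient's own address.
    to_addrs = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a}
    from_pairs = getaddresses(msg.get_all("From", []))
    if any(a and a.lower() in to_addrs for _, a in from_pairs):
        hits.append("from-address-equals-recipient")
    # Trait 3: the body contains the system-information template.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if all(marker in text for marker in BODY_MARKERS):
        hits.append("system-info-body")
    # Trait 4: an attachment named README.EXE (compared case-insensitively).
    names = [(p.get_filename() or "").upper() for p in msg.iter_attachments()]
    if "README.EXE" in names:
        hits.append("readme-exe-attachment")
    return hits

def build_sample(subject, sender, rcpt, body, attachment=None):
    """Build a constructed test message; the attachment is inert placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, rcpt
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg

# Constructed sample following the entry's John/Peter example.
SUSPECT = build_sample("", "John <Peter@mail.com>", "Peter@mail.com",
                       "Hello,\nProduct Name:Constructed OS\nProduct Id: 00000-CONSTRUCTED\n"
                       "Product Key: XXXXX-CONSTRUCTED\nProcess List:\nThank you\n",
                       attachment="README.EXE")
# Constructed ordinary message for comparison.
BENIGN = build_sample("Lunch?", "John <John@mail.com>", "Peter@mail.com", "See you at noon.\n")

if __name__ == "__main__":
    print(bride_indicators(SUSPECT))
    print(bride_indicators(BENIGN))
```

Any single trait is weak on its own (empty subjects are common); quarantine decisions are better based on several traits matching together.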

Further Details  

Bride has a size of 114,687 bytes and is programmed in Visual Basic 6.