VIRUS NAME: W32/Fbound.c@MM
Internet Worm
Characteristics
-- Update 4/03/2002 --
Due to a decrease in prevalence, the risk assessment for this threat was
lowered to Low.
-- Update 3/19/2002 --
Due to a decrease in prevalence, the risk assessment for this threat was
lowered to Medium.
This threat is detected as New Worm when scanning with the 4144 DATs (or
newer) with Program Heuristics enabled. Exact detection is included in the
4191 DATs.
This is a pure mass-mailing worm. It does not carry any other damaging
payload. The virus sends itself to all users found in the Windows Address
Book using SMTP. It arrives in an e-mail message containing the following
information:
Subject: "Important" or a Japanese subject (see below)
Body: [empty]
Attachment: patch.exe
When run, it immediately e-mails itself to all entries in the Windows
Address Book. It does not install itself in any way. It contains the text
"I-Worm.Japanize".
Symptoms
It immediately mails itself out and does not manifest itself in any way.
Method Of Infection
Running the EXE manually will cause it to e-mail itself. The virus queries
the registry to locate the Windows Address Book file. E-mail addresses
are harvested from the WAB file.
- HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name
The virus then uses the default Internet Account Manager settings to send
itself out using the default SMTP server specified in the registry.
- HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\(Default account id)\SMTP Server
- HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\(Default account id)\SMTP Email Address
Due to the nature of the e-mail message header created by the virus, the
EXE attachment may arrive corrupted and non-functional.
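A mail-filter check for the message traits listed under Characteristics, as an added example that is not part of the original advisory. The function names, the "high"/"medium" labels and the sample messages are assumptions made for illustration; because the Japanese subjects are not listed on this page, an empty message carrying patch.exe under any other subject is reported as "medium", and the attachment is matched by name only since its content may arrive corrupted.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

ATTACHMENT_NAME = "patch.exe"  # attachment name given in the advisory
ENGLISH_SUBJECT = "important"  # the Japanese subjects are not listed on this page

def fbound_indicators(raw: bytes) -> dict:
    """Check one RFC 822 message against the traits described in the advisory."""
    msg = message_from_bytes(raw, policy=policy.default)
    has_attachment, body_empty = False, True
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name:
            has_attachment = has_attachment or name == ATTACHMENT_NAME
        elif part.get_content_maintype() == "text":
            # Undo the transfer encoding only; the charset does not matter here.
            if (part.get_payload(decode=True) or b"").strip():
                body_empty = False
    subject = str(msg["Subject"] or "").strip().strip('"').lower()
    return {"attachment": has_attachment, "empty_body": body_empty,
            "subject": subject == ENGLISH_SUBJECT}

def classify(raw: bytes) -> str:
    """high: all three traits; medium: attachment and empty body; else none."""
    ind = fbound_indicators(raw)
    if ind["attachment"] and ind["empty_body"]:
        return "high" if ind["subject"] else "medium"
    return "none"

def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, body, fname in [("Important", "", "patch.exe"),
                              ("Quarterly patch notes", "See attached.", "patch.exe"),
                              ("Important", "", "report.pdf")]:
        print(subj, fname, "->", classify(build_sample(subj, body, fname)))
```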