Symptoms
- file 666.zip in the Temp directory
- the payload described below
Removal instructions:
To remove the Win32.Fbound.B@mm virus please follow the steps below:
If the virus is active:
- Close all working applications including any antivirus resident modules.
- Open a Windows Explorer window.
- Browse to the Temp folder located in your Windows folder.
- Delete the 666.zip file.
If the virus is located in your email archive:
- Close all working applications including any antivirus resident modules.
- Open your email client.
- Identify the message that has the infected attachment.
All the information about the message (folder location, sender, subject, time of arrival) can be found in BitDefender's scan log.
- Delete the message.
Analyzed By
Sorin Victor Dudea, BitDefender Virus Researcher
Technical Description:
It arrives through e-mail in the following format:
Subject: Important, or a Japanese subject randomly selected from 8 different subjects.
Body: Empty, or
Password = xxxxxxxx
where xxxxxxxx is a random string.
Attachment: check.exe if the body is empty, otherwise important.zip.
When the user opens the attachment, the worm creates a copy of itself as a zip archive encrypted with a randomly generated password in the temporary folder. It then gathers the user's e-mail settings from the registry and scans the Microsoft Outlook Express address book for e-mail addresses, sending itself to every address it finds.
If the found address is from a .jp domain it will send itself with a Japanese subject; otherwise it will use the Important subject.
The worm has a 50% chance of sending itself as a password-protected zip attachment, in which case the body of the e-mail will be the text:
Password = xxxxxxxx
where xxxxxxxx is the password for opening the zip attachment. If the month is April the payload will be triggered.
Payload: It draws many pixels at random screen locations and plays an audio clip of a screaming voice.
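The e-mail traits listed in the description above (subject "Important"; either an empty body with a check.exe attachment, or a body of the form "Password = xxxxxxxx" with an important.zip attachment) are enough to build a simple mail-gateway triage check. The following is an added example written for this page, not BitDefender's own detection logic. It matches only the traits the description states: the eight Japanese subjects are not listed, so they are not matched; the password string is accepted as any non-blank token rather than a fixed length, since the page shows it only as a placeholder. Sample messages are constructed inline with placeholder attachment bytes.

```python
"""Triage heuristic for mail matching the Win32.Fbound.B@mm pattern (added example)."""
import re
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import List, Optional

# Body form given in the description: "Password = xxxxxxxx" (xxxxxxxx is random).
PASSWORD_BODY = re.compile(r"^\s*Password\s*=\s*(\S+)\s*$")


def attachment_names(msg: Message) -> List[str]:
    """Return lower-cased filenames of all attached parts (empty for plain mail)."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name.lower())
    return names


def body_text(msg: Message) -> str:
    """Return the first text/plain (non-attachment) part, stripped of whitespace."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True)
            if payload is not None:
                return payload.decode(errors="replace").strip()
    return ""


def classify(raw: str) -> Optional[str]:
    """Return a verdict string if the message matches a described variant, else None."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    if subject != "Important":
        # Japanese subjects are not listed on the page, so only "Important" is checked.
        return None
    names = attachment_names(msg)
    body = body_text(msg)
    # Variant 1: empty body and a plain executable attachment.
    if body == "" and "check.exe" in names:
        return "fbound-b: empty body + check.exe"
    # Variant 2: "Password = ..." body and a password-protected zip attachment.
    m = PASSWORD_BODY.match(body)
    if m and "important.zip" in names:
        return "fbound-b: password-protected zip, password=" + m.group(1)
    return None


def build_sample(subject: str, body: str, attachment_name: str) -> str:
    """Construct a sample MIME message for testing (constructed data, placeholder bytes)."""
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.attach(MIMEText(body, "plain"))
    part = MIMEApplication(b"PLACEHOLDER-NOT-A-REAL-ATTACHMENT")
    part.add_header("Content-Disposition", "attachment", filename=attachment_name)
    msg.attach(part)
    return msg.as_string()


if __name__ == "__main__":
    # Constructed samples covering both described variants and two non-matches.
    samples = [
        build_sample("Important", "", "check.exe"),
        build_sample("Important", "Password = ab12cd34", "important.zip"),
        build_sample("Important", "", "important.zip"),
        build_sample("Meeting notes", "", "check.exe"),
    ]
    for raw in samples:
        print(classify(raw))
```

The two variants are kept separate on purpose: a message with the "Password =" body and an important.zip attachment is flagged, and the extracted password is returned so an analyst can open the archive in a sandbox; an empty body with important.zip, or a non-matching subject, is not a described combination and returns None.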