My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Fbound.B@mm

LOW
VERY LOW
24576 bytes
(W32/Fbound.B)

Symptoms

  • file 666.zip in Temp directory

  • the payload described below
  • Removal instructions:

    To remove the Win32.Fbound.B@mm virus please follow the steps below:

    If the virus is active:
    1. Close all working applications including any antivirus resident modules.

    2. Open a Windows Explorer window.

    3. Browse to the Temp folder located in your Windows folder.

    4. Delete the 666.zip file.

    If the virus is located in your email archive:
    1. Close all working applications including any antivirus resident modules;

    2. Open your email client;

    3. Identify the message that has the infected attachment;

      All the information about the message (folder location, sender, subject, time of arrival) can be found in BitDefender\'s scan log.

    4. Delete the message.

    Analyzed By

    Sorin Victor Dudea BitDefender Virus Researcher

    Technical Description:

    It arrives through e-mail in the following format:
    Subject: Important or a Japanese subject randomly selected from 8 different subjects.
    Body: Empty or Password = xxxxxxxx where xxxxxxxx is a random string;
    Attachment:
  • If Body is empty: check.exe

  • Otherwise important.zip


  • When the user opens the attachment the worm creates a copy of itself in zip format encrypted with a randomly generated password in the temporary folder. After that it gathers the user e-mail settings from the registry and it scans the Microsoft Outlook Express address book for e-mail addresses sending itself to every address it founds.
    If the found address is from a .jp domain it will send itself with Japanese subject otherwise it will use the Important subject.

    The worm has a 50% chance to send itself with a password protected zip attachment, in which case the body of the e-mail will be the text:
    Password = xxxxxxxx where xxxxxxxx is the password for opening the zip attachment. If the month is April the payload will be triggered.

    Payload: It will draw many pixels at random screen locations and it plays an audio clip with a screaming voice.