Symptoms:
- the file 666.zip in the Temp directory;
- the payload described below.
To remove the Win32.Fbound.B@mm virus please follow the steps below:
If the virus is active:
- Close all running applications, including any resident antivirus modules.
- Open a Windows Explorer window.
- Browse to the Temp folder located in your Windows folder.
- Delete the 666.zip file.
If the virus is located in your e-mail archive:
- Close all running applications, including any resident antivirus modules.
- Open your e-mail client.
- Identify the message that carries the infected attachment. All the information about the message (folder location, sender, subject, time of arrival) can be found in BitDefender's scan log.
- Delete the message.
Sorin Victor Dudea, BitDefender Virus Researcher
It arrives through e-mail in the following format:
Subject: Important, or a Japanese subject randomly selected from 8 different subjects.
Body: Empty, or Password = xxxxxxxx, where xxxxxxxx is a random string.
Attachment: check.exe if the body is empty; otherwise a password-protected zip archive (see below).
When the user opens the attachment, the worm creates a copy of itself in the temporary folder as a zip archive encrypted with a randomly generated password. It then reads the user's e-mail settings from the registry and scans the Microsoft Outlook Express address book for e-mail addresses, sending itself to every address it finds. If an address belongs to a .jp domain it sends itself with a Japanese subject; otherwise it uses the subject Important.
The worm has a 50% chance of sending itself as the password-protected zip attachment, in which case the body of the e-mail is the text Password = xxxxxxxx, where xxxxxxxx is the password for opening the zip attachment. If the current month is April the payload is triggered.
Payload: it draws many pixels at random screen locations and plays an audio clip of a screaming voice.
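The lure format described above can be turned into a mailbox triage check. The following is an added example, not BitDefender's code and not part of the original description: it builds a few constructed messages in the worm's format with the standard library, parses them back, and flags the ones that match (subject Important or a non-ASCII Japanese subject, and either an empty body with check.exe attached or a Password = line with a zip attached). The zip variant cannot be opened without the password from the body, so the check keys on the encryption bit in the archive headers instead. Assumptions not in the text: the zip attachment name (check.zip) and the name of the executable inside it (check.exe), an eight-character password as in the xxxxxxxx placeholder, the Japanese subject text, and the MZ stand-in for the executable.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Body of the password variant: "Password = xxxxxxxx". The eight-character
# length is taken from the placeholder in the description (assumption).
PASSWORD_LINE = re.compile(r"^Password\s*=\s*(\S{8})$")


def zip_entries_encrypted(data: bytes):
    """Return (encrypted, entry names) for a zip payload without extracting it.

    Bit 0 of the general-purpose flag word marks an encrypted entry, so a
    password-protected archive is recognisable from its headers alone.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return False, []
    return any(zi.flag_bits & 0x1 for zi in infos), [zi.filename for zi in infos]


def classify(raw: bytes) -> dict:
    """Parse one raw message and report whether it matches the lure format."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg.get("Subject", ""))
    text = msg.get_body(preferencelist=("plain",))
    body = text.get_content().strip() if text is not None else ""
    # "Important" for non-.jp recipients, otherwise a Japanese subject.
    subject_ok = subject == "Important" or any(ord(c) > 127 for c in subject)
    pw = PASSWORD_LINE.match(body)
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if body == "" and name == "check.exe":
            reasons.append("empty body with check.exe attachment")
        elif pw and name.endswith(".zip"):
            encrypted, names = zip_entries_encrypted(data)
            if encrypted and any(n.lower().endswith(".exe") for n in names):
                reasons.append("password line with encrypted zip holding " + ", ".join(names))
    return {"subject": subject, "password": pw.group(1) if pw else None,
            "match": subject_ok and bool(reasons), "reasons": reasons}


# --- constructed samples (not real captures) --------------------------------

def make_zip(entry: str, payload: bytes, encrypted: bool) -> bytes:
    """Build a one-entry zip. zipfile cannot write real encryption, so for the
    encrypted sample the flag bit is set by hand in both headers; that bit is
    exactly what the detection above keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.index(b"PK\x03\x04") + 6] |= 0x1   # local file header flags
        data[data.rindex(b"PK\x01\x02") + 8] |= 0x1  # central directory flags
    return bytes(data)


def build_message(subject: str, body: str, filename: str, data: bytes) -> bytes:
    """Assemble a multipart message with one attachment (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.jp"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


FAKE_EXE = b"MZ" + b"\x00" * 64   # stand-in for the worm executable (assumption)
SAMPLES = {
    "plain_exe": build_message("Important", "", "check.exe", FAKE_EXE),
    # Japanese subject is constructed; the worm picks one of eight.
    "encrypted_zip": build_message("\u91cd\u8981", "Password = k3j9x2ab", "check.zip",
                                   make_zip("check.exe", FAKE_EXE, encrypted=True)),
    "plain_zip": build_message("Important", "Password = k3j9x2ab", "check.zip",
                               make_zip("check.exe", FAKE_EXE, encrypted=False)),
    "benign": build_message("Important", "Minutes attached.", "minutes.txt", b"hello"),
}


def triage() -> dict:
    """Classify every constructed sample; only the two lure-shaped ones match."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(name, verdict)
```

The plain_zip sample shows why the flag bit matters: a zip with the same entry name but no encryption is not flagged, while a message whose body is nothing but a Password = line with an encrypted zip is, and the recovered password is reported so the attachment can be opened in a sandbox for confirmation.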