BitDefender Antivirus

Win32.Fbound.B@mm

( W32/Fbound.B )
Spreading: low
Damage: very low
Size: 24576 bytes
Discovered: 2002 Mar 14

SYMPTOMS:

  • file 666.zip in Temp directory

  • the payload described below
TECHNICAL DESCRIPTION:

    It arrives through e-mail in the following format:
    Subject: Important, or a Japanese subject randomly selected from 8 different subjects.
    Body: Empty, or Password = xxxxxxxx where xxxxxxxx is a random string.
    Attachment:
  • If Body is empty: check.exe

  • Otherwise: important.zip


    When the user opens the attachment, the worm creates a copy of itself in zip format, encrypted with a randomly generated password, in the temporary folder. It then gathers the user's e-mail settings from the registry and scans the Microsoft Outlook Express address book for e-mail addresses, sending itself to every address it finds.
    If the found address is from a .jp domain, it will send itself with a Japanese subject; otherwise it will use the Important subject.

    The worm has a 50% chance of sending itself with a password-protected zip attachment, in which case the body of the e-mail will be the text:
    Password = xxxxxxxx where xxxxxxxx is the password for opening the zip attachment.

    If the month is April, the payload will be triggered.

    Payload: It draws many pixels at random screen locations and plays an audio clip with a screaming voice.
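
The body/attachment pairing described above can be checked on stored or incoming mail. The following Python code is an added example, not BitDefender's code: the function names and the sample messages are constructed for illustration, and it assumes the random password is a single token with no whitespace. The subject is not tested, because the description does not list the Japanese subjects.

```python
import re
from email import message_from_string

# Assumption: the random password is a single token with no whitespace.
PASSWORD_BODY = re.compile(r"^Password = \S+$")

def body_and_attachments(msg):
    """Return (stripped plain-text body, lower-cased attachment names)."""
    body, names = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name.lower())
        elif part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            body += raw.decode("latin-1")  # lossless for any byte value
    return body.strip(), names

def matches_fbound_format(raw_message):
    """Name the body/attachment pairing from the description, or None."""
    body, names = body_and_attachments(message_from_string(raw_message))
    if body == "" and "check.exe" in names:
        return "empty body + check.exe"
    if PASSWORD_BODY.match(body) and "important.zip" in names:
        return "password body + important.zip"
    return None

def sample(body, filename, subject="Important"):
    """Constructed test message, not a captured sample."""
    return (
        f"Subject: {subject}\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b"\n\n'
        "--b\nContent-Type: text/plain; charset=us-ascii\n\n"
        f"{body}\n"
        "--b\nContent-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n\nAAAA\n--b--\n"
    )

if __name__ == "__main__":
    for body, name in [("", "check.exe"), ("Password = a1b2c3d4", "important.zip"),
                       ("See attached report.", "report.zip")]:
        print(name, "->", matches_fbound_format(sample(body, name)))
```

A match is only a format heuristic for triage; the attachment still has to be confirmed by an antivirus scan.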

    Removal instructions:

    To remove the Win32.Fbound.B@mm virus please follow the steps below:

    If the virus is active:
    1. Close all working applications including any antivirus resident modules.

    2. Open a Windows Explorer window.

    3. Browse to the Temp folder located in your Windows folder.

    4. Delete the 666.zip file.

    If the virus is located in your email archive:
    1. Close all working applications including any antivirus resident modules;

    2. Open your email client;

    3. Identify the message that has the infected attachment;

      All the information about the message (folder location, sender, subject, time of arrival) can be found in BitDefender's scan log.

    4. Delete the message.

    ANALYZED BY:

    Sorin Victor Dudea
    BitDefender Virus Researcher