MERRILL-L Archives



From: "Lucky" <>
Subject: [MERRILL] Beware!!
Date: Fri, 15 Mar 2002 08:52:37 -0700


A fast-spreading e-mail worm, possibly from Japan, is encircling the globe and
flooding e-mail servers with excessive messages.
Fbound (w32.fbound.c@mm, also known as Zircon.C, DotJayPee, Fbound.b) is 12,288
bytes in length, and, unlike other recent worms, does not install itself on the
infected machine but instead runs from memory. Mac and Linux users are not
affected.

Fbound is capable of sending large amounts of e-mail but does not damage or
delete files on the infected computer. Because of the increasing reports of this
worm around the world, Fbound currently ranks a 6 on the ZDNet Virus Meter.



How it works
Fbound arrives by e-mail with the subject line "Important." If the recipient's
computer language is set to Japanese or if the recipient's e-mail address ends
with .jp, the subject line is chosen from 16 Japanese-language subject lines
contained within the worm. There is no body text associated with this worm. The
attached file is named patch.exe.

If the attached file is opened, Fbound locates the infected user's SMTP server
and e-mail address. Then the virus loads itself into memory and sends copies of
itself to addresses found in the Windows Address Book.

Unlike many worms, Fbound doesn't install itself on an infected computer, nor
does it add or change any registry files. Once the worm has been run, it will
not run again. Because Fbound encodes all of its code into one line and does not
comply with SMTP encoding, it may sometimes bounce e-mails it sends or arrive as
a noninfectious e-mail.

Code within Fbound contains the following message: "I-Worm.Japanize."

Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the
Security Update should be safe from the attached EXE file in Fbound.

Users who have not upgraded to Outlook 2002 or who have not installed the
Security Update for Outlook 2000 should do so.

In general, do not open e-mail attachments without first saving them to hard
disk and scanning them with updated antivirus software. Contact your antivirus
vendor to obtain the most current antivirus signature files that include Fbound.

Removal
Almost all of the antivirus software companies have updated their signature
files to include this worm. This will stop the infection upon contact and in
some cases will remove an active infection from your system. For more
information, see Central Command, Computer Associates, F-Secure, Kaspersky
(known here as Zircon.c), McAfee, Norman, Panda, Sophos, Symantec (known as
Dotjaypee), and Trend Micro (known here as Fbound.b).
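
The indicators given under "How it works" (subject "Important", no body text, an attachment named patch.exe of 12,288 bytes, and an encoded body placed on a single line) can be checked on a raw message at a mail gateway. The Python sketch below is an added example, not part of the original post or any vendor's signature; the function names, the example.com addresses and the 998-character line limit from RFC 5322 are assumptions, and since the 16 Japanese subject lines are not listed in the alert, the subject is only a supporting indicator.

```python
import base64
from email import message_from_bytes, policy

MAX_LINE = 998       # RFC 5322 line-length limit, excluding CRLF (assumption: not in the alert)
FBOUND_SIZE = 12288  # worm length stated in the alert
FBOUND_NAME = "patch.exe"

def fbound_indicators(raw: bytes) -> list:
    """Return which of the alert's indicators a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits, has_text = [], False
    if str(msg["Subject"] or "").strip().rstrip(".").lower() == "important":
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        if name:
            if name == FBOUND_NAME:
                hits.append("attachment-name")
            if len(data) == FBOUND_SIZE:
                hits.append("attachment-size")
        elif part.get_content_maintype() == "text" and data.strip():
            has_text = True
    if not has_text:
        hits.append("empty-body")
    # The worm puts its whole encoded body on one line, breaking the limit.
    if any(len(line) > MAX_LINE for line in raw.splitlines()):
        hits.append("overlong-line")
    return hits

def build_sample(one_line: bool) -> bytes:
    """Constructed message: the payload is 12,288 zero bytes, not worm code."""
    b64 = base64.b64encode(bytes(FBOUND_SIZE)).decode()
    if not one_line:
        b64 = "\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return ("From: sender@example.com\r\nTo: rcpt@example.com\r\n"
            "Subject: Important\r\nMIME-Version: 1.0\r\n"
            'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            "--b1\r\nContent-Type: application/octet-stream\r\n"
            "Content-Transfer-Encoding: base64\r\n"
            'Content-Disposition: attachment; filename="patch.exe"\r\n\r\n'
            + b64 + "\r\n--b1--\r\n").encode()

if __name__ == "__main__":
    print(fbound_indicators(build_sample(one_line=True)))
    print(fbound_indicators(build_sample(one_line=False)))
```

A message that a relay has re-wrapped loses the overlong-line indicator but still matches on attachment name and size, so the checks are reported separately rather than combined into one verdict.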

