VIRUS NAME: W32/Fbound.c@MM
Internet Worm Characteristics
Due to a decrease in prevalence, the risk assessment for this threat was lowered to Low.
Due to a decrease in prevalence, the risk assessment for this threat was lowered to Medium.
This threat is detected as New Worm when scanning with the 4144 DATs (or newer) with Program Heuristics enabled. Exact detection is included in the 4191 DATs.
This is a pure mass-mailing worm. It does not carry any other damaging payload. The virus sends itself via SMTP to all users found in the Windows Address Book. It arrives in an e-mail message containing the following information:
Subject: "Important" or a Japanese subject (see below)
When run, it immediately e-mails itself to all entries in the Windows Address Book. It does not install itself in any way. It contains the text "I-Worm.Japanize".
It immediately mails itself out and does not manifest itself in any way.
Method Of Infection
Running the EXE manually will cause it to e-mail itself. The virus queries the registry to locate the Windows Address Book file. E-mail addresses are harvested from the WAB file.
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name
The virus then uses the default Internet Account Manager settings to send itself out using the default SMTP server specified in the registry.
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\(Default account id)\SMTP Server
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\(Default account id)\SMTP Email Address
Due to the nature of the email message header created by the virus, the EXE attachment may arrive corrupted and non-functional.
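The registry lookups described above can be turned into a simple detection rule. The following is an added example, not part of the original description: it correlates registry reads per process and flags any process outside an allowlist that reads both the Windows Address Book path and an account's SMTP settings. The event tuples, the process names in the sample data and the allowlist are constructed assumptions.

```python
# Registry locations named in the description above.
WAB_VALUE = r"HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name"
IAM_ACCOUNTS = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts"
SMTP_VALUES = {"smtp server", "smtp email address"}

# Assumption: programs expected to read these settings on this host.
EXPECTED_READERS = {"msimn.exe", "wab.exe"}

# Constructed sample telemetry: (process image, pid, registry value read).
SAMPLE_EVENTS = [
    ("msimn.exe", 1204, WAB_VALUE),
    ("msimn.exe", 1204, IAM_ACCOUNTS + r"\00000001\SMTP Server"),
    ("sample.exe", 3320, WAB_VALUE),
    ("sample.exe", 3320, IAM_ACCOUNTS + r"\00000001\SMTP Server"),
    ("sample.exe", 3320, IAM_ACCOUNTS + r"\00000001\SMTP Email Address"),
    ("notepad.exe", 2888, WAB_VALUE),
]


def classify(path):
    """Return 'wab', 'smtp' or None for one registry path (case-insensitive)."""
    p = path.lower()
    if p == WAB_VALUE.lower():
        return "wab"
    prefix = IAM_ACCOUNTS.lower() + "\\"
    if p.startswith(prefix):
        # Remainder is "<account id>\<value name>".
        account, _, value = p[len(prefix):].partition("\\")
        if account and value in SMTP_VALUES:
            return "smtp"
    return None


def suspicious_readers(events, expected=EXPECTED_READERS):
    """Processes outside the allowlist that read both the WAB path and SMTP settings."""
    seen = {}
    for image, pid, path in events:
        kind = classify(path)
        if kind is None or image.lower() in expected:
            continue
        seen.setdefault((image, pid), set()).add(kind)
    return sorted(key for key, kinds in seen.items() if kinds == {"wab", "smtp"})


if __name__ == "__main__":
    for image, pid in suspicious_readers(SAMPLE_EVENTS):
        print(f"review {image} (pid {pid}): read address book path and SMTP settings")
```

A process that reads only one of the two locations, such as the constructed notepad.exe entry, is not flagged; the rule keys on the combination the description attributes to the worm.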