
Fbound worm a hit in Asia, a flop elsewhere

Edward Hurley, Assistant News Editor

A bilingual worm is making its way from Asia, across the seas to Europe and the Americas.

Fbound.C is a mass-mailing worm that uses addresses from infected systems to spread itself using its own SMTP routines. The worm has the capability to look for Japanese e-mail addresses with the .jp domain and then mails itself to those addresses with various subject lines in Japanese. Non-Japanese addresses just get a subject line of "Important." In either case, the message has no body text and the attached virus is labeled as patch.exe.


Virus watchers first saw Fbound.C spreading at approximately 2 a.m. GMT today in Japan, Taiwan and Hong Kong, said Alex Shipp, senior antivirus technologist with MessageLabs, a UK-based Managed Service Provider (MSP) specializing in e-mail content filtering. As of 10:30 a.m. EST today, MessageLabs had tracked 3,156 copies of the worm with sightings in 63 countries. But it doesn't appear to be spreading so well in Europe and North America, he said.

The multiple subject lines in Japanese may work as a social engineering technique in Japan, but the one-word "Important" subject line for English addresses isn't compelling social engineering, Shipp said. The blank body text and patch.exe label are obviously quite suspicious, he said.

Fbound.C is sent as a single encoded line, several thousand characters in length. This could fool some gateway security systems into allowing it through, as those systems scan only the first 2000 characters, Shipp said. Conversely, some e-mail gateways may lop part of the worm off and render it harmless.
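A gateway-side check for the traits described above (an overlong encoded line, an executable attachment and an empty body), as an added example that is not from the article or from any vendor quoted in it. The function names, the extension list and the sample message are constructed assumptions; the 998-character threshold is the line-length limit from RFC 5322.

```python
import base64
import email
import textwrap
from email import policy

MAX_LINE = 998  # RFC 5322 limit on line length, excluding CRLF
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed blocklist

def inspect_message(raw: bytes) -> list[str]:
    """Return findings for one raw message; names here are hypothetical."""
    findings = []
    # Measure every line of the whole message, never just a fixed-size prefix.
    longest = max((len(line) for line in raw.splitlines()), default=0)
    if longest > MAX_LINE:
        findings.append(f"overlong-line:{longest}")
    msg = email.message_from_bytes(raw, policy=policy.default)
    has_text = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTS):
            findings.append(f"executable-attachment:{name}")
        elif not name and part.get_content_maintype() == "text":
            has_text = has_text or bool(part.get_content().strip())
    if not has_text:
        findings.append("empty-body")
    return findings

def build_sample(single_line: bool) -> bytes:
    """Constructed, harmless stand-in for the message the article describes."""
    data = base64.b64encode(b"constructed harmless bytes " * 200).decode()
    if not single_line:
        data = "\r\n".join(textwrap.wrap(data, 76))  # normal MIME wrapping
    lines = [
        "From: sender@example.com", "To: user@example.org",
        "Subject: Important", "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"', "",
        "--b1", "Content-Type: text/plain", "", "",
        "--b1", "Content-Type: application/octet-stream",
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="patch.exe"', "",
        data, "--b1--", "",
    ]
    return "\r\n".join(lines).encode("ascii")

if __name__ == "__main__":
    print(inspect_message(build_sample(single_line=True)))
```

The line-length check runs on the raw bytes before MIME parsing, so it does not depend on how a parser or relay handles the oversized line.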

The ability to tailor viruses to different languages is a troublesome development, said Steven Sundermeier, product manager with the Medina, Ohio-based Central Command. Instead of being localized in Asia or Germany, for example, viruses could potentially modify themselves to use local languages to target people.

The way Fbound.C replicates itself is not unique, Sundermeier said. It doesn't modify the system or copy itself in order to complete its mission. For example, other worms have to change registry keys to spread, he said.

Earlier this month, Fbound.A and Fbound.B made the rounds but they didn't make much noise at all. "It appears the writer is trying out some variations," Shipp said.

