A bilingual worm is making its way from Asia, across the seas to Europe and the Americas.
Fbound.C is a mass-mailing worm that uses addresses from infected systems to spread itself using its own SMTP routines. The worm has the capability to look for Japanese e-mail addresses with the .jp domain and then mails itself to those addresses with various subject lines in Japanese. Non-Japanese addresses just get a subject line of "Important." In either case, the message has no body text and the attached virus is labeled as patch.exe.
Virus watchers first saw Fbound.C spreading at approximately 2 a.m. GMT today in Japan, Taiwan and Hong Kong, said Alex Shipp, senior antivirus technologist with MessageLabs, a UK-based Managed Service Provider (MSP) specializing in e-mail content filtering. As of 10:30 a.m. EST today, MessageLabs had tracked 3,156 copies of the worm with sightings in 63 countries. But it doesn't appear to be spreading so well in Europe and North America, he said.
The multiple subject lines in Japanese may work as a social engineering technique in Japan, but the one-word "Important" subject line for English addresses isn't compelling social engineering, Shipp said. The blank body text and patch.exe label are obviously quite suspicious, he said.
Fbound.C is sent as a single encoded line, several thousand characters in length. This could fool some gateway security systems into allowing it through, as those systems scan only the first 2000 characters, Shipp said. Conversely, some e-mail gateways may lop part of the worm off and render it harmless.
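As an added illustration (not code from the article or from MessageLabs), the sketch below shows a gateway-side check for the traits described above: an executable attachment, an encoded payload sent as one overlong line, and an empty body. The extension list and finding labels are assumptions, and the sample message is constructed with placeholder bytes rather than any real sample.

```python
import base64
from email import message_from_bytes, policy

MAX_B64_LINE = 76    # RFC 2045: maximum length of a base64-encoded line
MAX_LINE = 998       # RFC 5322: maximum length of any message line
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed local policy list

def inspect_message(raw: bytes) -> list[str]:
    """Inspect every MIME part in full and return findings for the message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings, has_text = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if not name:
            if part.get_content_maintype() == "text":
                has_text |= bool((part.get_payload(decode=True) or b"").strip())
            continue
        if name.endswith(RISKY_EXT):
            findings.append(f"risky-attachment:{name}")
        # Measure the still-encoded payload over its whole length, not a prefix.
        encoded = part.get_payload(decode=False)
        longest = max((len(line) for line in encoded.splitlines()), default=0)
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        limit = MAX_B64_LINE if cte == "base64" else MAX_LINE
        if longest > limit:
            findings.append(f"overlong-line:{longest}")
    if findings and not has_text:
        findings.append("empty-body")
    return findings

def build_sample(wrap: bool) -> bytes:
    """Constructed test message; the attachment is placeholder text, not malware."""
    data = base64.b64encode(b"constructed placeholder, not malware " * 100).decode()
    if wrap:
        data = "\r\n".join(data[i:i + 76] for i in range(0, len(data), 76))
    return (
        "Subject: Important\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b"\r\n\r\n'
        "--b\r\nContent-Type: text/plain\r\n\r\n\r\n"
        "--b\r\nContent-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="patch.exe"\r\n\r\n'
        f"{data}\r\n--b--\r\n"
    ).encode("ascii")

if __name__ == "__main__":
    for wrap in (False, True):
        print(wrap, inspect_message(build_sample(wrap)))
```

A properly wrapped attachment still trips the attachment and empty-body findings; only the single-line form adds the line-length anomaly, which is a cheap signal that does not depend on a signature.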
The ability to tailor viruses to different languages is a troublesome development, said Steven Sundermeier, product manager with the Medina, Ohio-based Central Command. Instead of being localized in Asia or Germany, for example, viruses could potentially modify themselves to use local languages to target people.
The way Fbound.C replicates itself is not unique, Sundermeier said. It doesn't modify the system or copy itself in order to complete its mission. Other worms, for example, have to change registry keys to spread, he said.
Earlier this month, Fbound.A and Fbound.B made the rounds but they didn't make much noise at all. "It appears the writer is trying out some variations," Shipp said.