Win32.Fbound.B@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Fbound.B@mm is also known as W32/Fbound.B.
Explanation:
It arrives through e-mail in the following format:
Subject: Important or a Japanese subject randomly selected from 8 different subjects.
Body: Empty or Password = xxxxxxxx where xxxxxxxx is a random string.
Attachment:
  If Body is empty: check.exe
  Otherwise: important.zip
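A mail-filter check for the two message shapes listed above, as an added example that is not part of the original BitDefender entry. The function name, variant labels and sample messages are constructed for illustration, and the password is assumed to contain no whitespace.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Body of the password variant as the entry gives it: "Password = <random string>".
PASSWORD_BODY = re.compile(r"Password\s*=\s*\S+")


def match_fbound_format(msg):
    """Return (variant, subject_is_important); variant is None when no shape matches."""
    subject = (msg["Subject"] or "").strip()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().strip() if part is not None else ""
    names = {(a.get_filename() or "").lower() for a in msg.iter_attachments()}
    variant = None
    if not body and "check.exe" in names:
        variant = "empty-body/check.exe"
    elif PASSWORD_BODY.fullmatch(body) and "important.zip" in names:
        variant = "password-body/important.zip"
    # The eight Japanese subjects are not listed in the entry, so the subject
    # is reported as a supporting signal rather than required for a match.
    return variant, subject == "Important"


def sample(subject, body, filename):
    """Build a constructed test message and round-trip it through the wire format."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return message_from_bytes(m.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    constructed = [
        ("Important", "\n", "check.exe"),
        ("Important", "Password = k3j9xq2a\n", "important.zip"),
        ("Minutes", "Please see the attached minutes.\n", "important.zip"),
    ]
    for subject, body, filename in constructed:
        print(filename, match_fbound_format(sample(subject, body, filename)))
```

A benign message that merely carries an attachment named important.zip does not match, because the body must consist of the password line alone.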
When the user opens the attachment, the worm creates a copy of itself in the temporary folder, in zip format and encrypted with a randomly generated password. It then gathers the user's e-mail settings from the registry and scans the Microsoft Outlook Express address book for e-mail addresses, sending itself to every address it finds.
If the address found is in a .jp domain, it sends itself with a Japanese subject; otherwise it uses the Important subject.
The worm has a 50% chance of sending itself as a password-protected zip attachment, in which case the body of the e-mail will be the text:
Password = xxxxxxxx
where xxxxxxxx is the password for opening the zip attachment.
If the month is April the payload will be triggered.
Payload: It draws many pixels at random screen locations and plays an audio clip of a screaming voice.
Last update 21 November 2011