W32/Fbound.c@MM

Type: Virus
SubType: E-mail
Discovery Date: 03/13/2002
Length: 12288 bytes
Minimum DAT: 4191 (03/14/2002)
Updated DAT: 4238 (12/18/2002)
Minimum Engine: 5.1.00
Description Added: 03/13/2002
Description Modified: 04/03/2002 8:55 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

-- Update 4/03/2002 --
Due to a decrease in prevalence, the risk assessment for this threat was lowered to Low.

-- Update 3/19/2002 --
Due to a decrease in prevalence, the risk assessment for this threat was lowered to Medium.

This threat is detected as New Worm when scanning with the 4144 DATs (or newer) with Program Heuristics enabled. Exact detection is included in the 4191 DATs.

This is a pure mass-mailing worm. It does not carry any other damaging payload. The virus sends itself to all users found in the Windows Address Book using SMTP. It arrives in an e-mail message containing the following information:

Subject: "Important" or a Japanese subject (see below)
Body: [empty]
Attachment: patch.exe

Possible Japanese subject lines are as follows:

When run, it immediately e-mails itself to all entries in the Windows Address Book. It does not install itself in any way. It contains the text "I-Worm.Japanize".

Symptoms

It immediately mails itself out and does not manifest itself in any way.

Method of Infection

Running the EXE manually will cause it to e-mail itself. The virus queries the registry to locate the Windows Address book file. Email addresses are harvested from the WAB file.

  • HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name

The virus then uses the default Internet Account Manager settings to send itself out using the default SMTP server specified in the registry.

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\(Default account id)\SMTP Server
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\(Default account id)\SMTP Email Address

Due to the nature of the email message header created by the virus, the EXE attachment may arrive corrupted and non-functional.
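
A mail-gateway style check built from the traits listed in this description (subject "Important", empty body, patch.exe, 12288 bytes), added here as an example and not the vendor's detection logic. The names classify and build_sample, the verdict labels and the sample messages are assumptions constructed for illustration; a size mismatch yields "probable" because the attachment may arrive damaged, and a different subject yields "review" because the Japanese subjects are not available on this page.

```python
import base64
import email
from email import policy

# Traits taken from the advisory text above.
WORM_SUBJECT, WORM_ATTACHMENT, WORM_LENGTH = "Important", "patch.exe", 12288

def classify(raw: bytes) -> str:
    """Return 'match', 'probable', 'review' or 'none' for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().strip('"')
    body, sizes = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        if name == WORM_ATTACHMENT:
            sizes.append(len(data))
        elif not name and part.get_content_maintype() == "text":
            body += data.decode("utf-8", errors="replace")
    if not sizes or body.strip():
        return "none"      # no patch.exe, or the message has real body text
    if subject != WORM_SUBJECT:
        return "review"    # may be a Japanese-subject copy; page does not list them
    return "match" if WORM_LENGTH in sizes else "probable"  # damaged copies differ in size

def build_sample(subject: str, body: str, filename: str, size: int) -> bytes:
    """Constructed test message carrying a zero-filled attachment."""
    b64 = base64.encodebytes(b"\x00" * size).decode()
    return (
        f"From: a@example.test\r\nTo: b@example.test\r\nSubject: {subject}\r\n"
        'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="XX"\r\n\r\n'
        f"--XX\r\nContent-Type: text/plain\r\n\r\n{body}\r\n"
        "--XX\r\nContent-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        f"{b64}\r\n--XX--\r\n"
    ).encode()

SAMPLES = {  # constructed inputs, not captured worm traffic
    "exact": build_sample("Important", "", "patch.exe", 12288),
    "damaged": build_sample("Important", "", "patch.exe", 9000),
    "other subject": build_sample("Hello", "", "PATCH.EXE", 12288),
    "benign": build_sample("Important", "See attached fix.", "patch.exe", 12288),
}

if __name__ == "__main__":
    print({label: classify(raw) for label, raw in SAMPLES.items()})
```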

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

  • W32/Fbound.b@MM

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Zircon.c (AVP)
  • W32.Dotjaypee@mm (NAV)
  • W32.Impo@mm (NAV)
  • W32/FBound-C (Sophos)
  • W32/FBound.C@mm (FProt)
  • Win32.Fbound.C (CA)
  • WORM_FBOUND.B (Trend)
  • WORM_JAPANIZE.A (Trend)
