Author
Topic: virus alert
Rick Long
Jedi Master Film Handler
Posts: 759
From: Toronto, Ontario, Canada
Registered: Nov 1999
posted 03-15-2002 11:09 PM
This from about.com;

Fbound.C Worm Virus Description

Talk about things that go bump in the night... While the majority of the U.S. was sleeping, a new worm, dubbed FBound.C, appeared in the wild and began spreading rapidly. At 3:47 a.m. on March 14, 2002, the Mimesweeper ThreatLab issued a warning to customers noting "early reports of a new mass mailer". Indeed, only 5 hours later, the new worm took over the number 7 spot on the MessageLabs Threatlist and is quite likely to gain an even higher ranking before its initial debut is over.

According to antivirus vendor F-Secure, the Fbound.C variant is received with no message text, and an attachment named patch.exe. Thus, despite the lack of social engineering normally present in successful email worms, Fbound.C managed to gain a bit of a foothold due to users willing to open most any attachment received in email.

In most cases, the subject line of the email message carrying the worm will read "Important". However, if the recipient's address contains '.jp' (Japan), the subject line will be randomly composed from a list of 16 different subjects. A sample copy of the email message appears below.

If the attachment is opened, the worm retrieves the user's SMTP server and email address, loads itself into memory, and then sends itself to addresses found in the Windows Address Book. According to F-Secure, the worm encodes its file into a single line, thus violating RFC regulations for Base64 encoding, resulting in some e-mail servers not processing the worm's messages.

Fortunately, there is no malicious payload and the Fbound.C worm does not install itself to the system. Simply rebooting the infected system will remove the worm. It is also advisable to check the temporary folder used by the mail client to make sure any temporary copies created when the attachment was opened are also deleted.

Graham Cluley, Senior Technology Consultant for Sophos Anti-Virus, commenting on the apparent spread of the worm, speculated, "Maybe people are so used to having to apply patches (the Microsoft effect?) that they are less cautious about anything which claims to be an important patch? Maybe because the virus also communicates in Japanese they have been less wary of attachments and so kicked it off (this might make some sense... as most viruses communicate in English - maybe the Japanese speaking community have had less need to learn safe computing lessons the hard way)." Graham also noted that the worm was "not travelling as fast, and hasn't infected as many people, as a Nimda or a Goner or a Badtrans."

Antivirus software updated on or after March 14, 2002 can detect this worm.
| IP: Logged
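The single-line Base64 encoding described in the quoted article is something a mail gateway can check for, because RFC 2045 limits Base64-encoded lines to 76 characters. The following is an added example, not part of the original post or the quoted article; the sample messages, addresses, boundary string and placeholder attachment bytes are all constructed.

```python
import base64
from email import message_from_string

MAX_B64_LINE = 76  # RFC 2045: encoded lines must be no longer than 76 characters


def overlong_base64_parts(raw_message):
    """Return [(filename, longest_line_length)] for every base64 MIME part
    whose encoded body contains a line longer than the RFC 2045 limit."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte != "base64":
            continue
        body = part.get_payload(decode=False)  # still-encoded text, line breaks intact
        longest = max((len(line) for line in body.splitlines()), default=0)
        if longest > MAX_B64_LINE:
            findings.append((part.get_filename(), longest))
    return findings


def build_sample(wrapped):
    """Constructed test message: harmless placeholder bytes attached as patch.exe.
    wrapped=True folds the base64 at 76 characters; wrapped=False emits one line."""
    data = b"constructed placeholder bytes " * 20  # 600 bytes, not a real executable
    if wrapped:
        b64 = base64.encodebytes(data).decode()
    else:
        b64 = base64.b64encode(data).decode() + "\n"
    return (
        "From: sender@example.com\nTo: rcpt@example.com\nSubject: Important\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="BOUND"\n\n'
        "--BOUND\n"
        'Content-Type: application/octet-stream; name="patch.exe"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="patch.exe"\n\n'
        + b64 + "--BOUND--\n"
    )


if __name__ == "__main__":
    print("single-line:", overlong_base64_parts(build_sample(wrapped=False)))
    print("folded:     ", overlong_base64_parts(build_sample(wrapped=True)))
```

A gateway would treat a hit as one signal to quarantine or score the message, alongside the attachment name and the empty body mentioned in the article.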
All times are Central (GMT -6:00)