Buggy virus bounds round the Net
Published: 14 Mar 2002 12:01 GMT
An email virus that is believed to have originated in Japan has been propagating around the Internet on Thursday morning, infecting thousands of computers.
The FBound-C virus is very similar to the FBound-A and FBound-B viruses, said Alex Shipp, senior antivirus technologist at email outsourcing firm Messagelabs, which operates a virus scanning service for its customers. "It's just different enough to get past signature scanners," he told ZDNet UK.
However, Shipp added, antivirus companies are updating their signature files, and the fact that the virus was first discovered at 2:00 a.m. GMT means that companies and individuals in Europe, Africa and America should have time to update their software. "So although we've seen lot of copies this morning, we expect to see it nipped in the bud," said Shipp.
Antivirus firms say the virus is likely to have originated in Japan, or at least seems to be targeting Japanese users. "We started seeing it arrive from the Asia Pacific region," said Shipp. "First Japan, then China and Hong Kong."
Graham Cluley of antivirus company Sophos agreed. "Most viruses are monolingual," said Cluley. "This can make people less likely to open them. If you receive a virus from Belgium with a Belgian subject line, you're going to be more suspicious." FBound.C, said Cluley, was written in such a way that if it believes the recipient is in Japan it adds a Japanese subject line. Otherwise, the subject line says in English: "Important".
The virus is contained in an attachment called patch.exe, presumably designed to make people click on it believing that it is a software patch, said Cluley. "They're exploiting people's paranoia," he said. "But people really should have learnt by now not to click on email attachments. They should go to software companies for patches."
Shipp noted that the virus does not rate highly in the social engineering stakes, "but it seems to be doing quite well anyway." Within eight hours of first detecting the virus, Messagelabs had caught more than 2,000 copies. This indicates that the virus is spreading faster than the recent Myparty virus.
Both Cluley and Shipp said the virus does not appear to be dangerous; it simply emails itself onwards. "It does not have a destructive payload," said Cluley. "It doesn't change the registry settings, but it does have a bug so that when it mails itself on it can bounce back or arrive in a non-working truncated form."
Sophos has posted a patch on its Web site.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
Did you find this article useful?
68 out of 134 people found this useful
- Share this article:
