New e-mail worm shifts language for recipients

March 15, 2002

(IDG) — In an announcement Thursday, antivirus software and security company Central Command Inc. in Medina, Ohio, said the multilingual Internet worm, called "W32/Fbound.C," is spreading rapidly around the globe by infecting address books in Microsoft Outlook and automatically sending itself out to all e-mail addresses it finds.

It's a typical worm in that it replicates in Outlook and sends itself out but is unique in being able to determine if an address it finds uses the ".jp" top-level domain name for Japan, said Steven Sundermeier, product manager at Central Command. "It's actually language aware," he said. "It is something kind of new."

Users of other e-mail applications aren't affected by this worm, he said.

The message sent to unknowing recipients includes a subject heading that says "Important" in English or in one of 16 messages in Japanese, according to Central Command's posting. Also included is a file attachment called patch.exe. If executed by the recipient, the worm launches the e-mails to the Outlook address book entries but doesn't make file or Windows registry changes. No malicious payload is dumped into a user's computer.

"To an unknowing English-speaking user, the attachment appeared as another security patch," Sundermeier said. The potential problem, though, is that the worm could be modified by another attacker and transformed into a destructive worm.

Since being introduced earlier today, the worm has spread around the globe, causing thousands of infections so far, Sundermeier said. "If something this ordinary and plain can be so prolific, with a little 'social engineering,' it could go a long way" to cause problems, he said.

Antivirus updates to protect against the worm have been posted by several software vendors, including Central Command and McAfee.

Source: http://www.cnn.com/