Japanese speaking worm spreading in the wild - Sophos issues protection

March 14, 2002 Sophos Press Release

Sophos, a world leader in corporate anti-virus protection, is warning users to be wary of the new Bound worm (also known as W32/FBound-C) currently spreading in the wild. Sophos has received several reports of this worm from users, many of the early sightings coming from Asia.

The internet worm arrives as an email with the subject line 'Important' and has an attached file called 'Patch.exe'. Once activated, the worm forwards itself to everyone in the victim's email address book using its own SMTP routines.

When sending itself to an email address ending in .jp, the worm uses one of sixteen different subject lines - written in Japanese characters. This is a deliberate attempt to strike users in Japan as well as the English speaking world.

"By pretending to be a security patch, this worm uses a tried and tested psychological trick to spread itself," said Graham Cluley, senior technology consultant at Sophos Anti-Virus. "The Bound worm is multilingual - unlike many viruses it can switch languages depending on who it is being sent to. This gives it the ability to cross international boundaries without creating suspicion."