New "Japanize" Worm

A mass-mailing worm spreading across the Internet Thursday has no malicious code or payload, but it did play on people's need for security protection, much like last week's fake Microsoft patch.

by Michael Singer of siliconvalley.internet.com [March 15, 2002]

And that is what has anti-virus experts with Anti-Virus Emergency Response Team (AVERT) and others worried.

The The "I-Worm.Japanize" (or W32/Fbound.c@MM) worm has earned itself a "Medium On-Watch" designation due to the numerous reports of infections and the virus' potential to spread itself quickly to other users.

"Technically, this is not an infection since there is no payload," says McAfee.com and AVERT virus researcher April Goostree. "There was no Trojan horse or back door program included with it. This could have been a lot worse, but we released extra DATs at midnight last night, which protected our customers this morning. It was amazing how hard it hit Japan.

According to early statistics, the worm covered a fairly large percentage of the country's computers in a short amount of time. McAfee.com says it is monitoring the situation as it progresses.

"Even though this worm had a .EXE attachment, which traditionally we have warned people about, people were opening it because it promised a security upgrade," says Goostree.

The worm arrives in an e-mail message containing the Subject line: "Important" or for addresses ending in .jp there is one of 16 Japanese randomly chosen language subjects. The attachment reads: Patch.exe

The mass-mailing virus sends itself to all users found in the Windows Address book using SMTP.

As for the lack of a dangerous payload, experts doubt this is a case of script kiddies.

"We may never know," says Goostree. "This may be an overzealous hacker that released the virus before thinking it through. But this does serve as a warning for future attacks to not open an unknown file without checking the source first."

— End