Trend Micro Virus Alert: WORM_FANBOT.F

Discussion in 'malware problems & news' started by Randy_Bell, Oct 22, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    Over the past five days, we have seen six variants of FANBOT, a new family of worms. Although none have progressed very far, researchers at Trend Micro are paying particular attention to this new threat because of the potential these early variants have shown to propagate and successfully exploit a serious vulnerability that can be utilized to grant a malicious user complete access to the user’s system. Such access can be used to launch malicious attacks, install rogue software, and steal personal information. Future variants may also have the ability to spread rapidly and include additional functionality.

    The FANBOT family utilizes the base code of the MYTOB family, in addition to added functionality that exploits the MS05-039 (“Plug-and-Play”) vulnerability announced in August. The author has also added the capability for this worm to propagate via P2P or file-sharing networks, in addition to more traditional email spam methods. This family also incorporates the use of the following mock error message, when the user clicks on the file attachment:

    The file could not be opened!

    Launching the attached file actually executes the worm, but the message box disguises this fact by creating the illusion that the email was in fact legitimate.

    The FANBOT family of worms does not appear to be developed by any of the MYTOB groups, but likely is the creation of a different individual. In fact, Trend Micro believes there may be a new underground war starting, evidenced by the statement made in some of the FANBOT variants that the MYTOB author “is an idiot!!!”.

    Security experts at Trend Micro recommend that users take the following measures to protect against the FANBOT family of malware as well as other attacks:

    * Ensure your system is patched with the most current Microsoft system update
    * Ensure your antivirus definitions are updated
    * Trend Micro offers HouseCall, a free virus scanning service, available at
    * Existing Trend Micro customers can also utilize the network virus wall and vulnerability assessment modules*, which are built into most of our products, to help keep their system updated

    *The Network Viruswall (NVW) pattern stops this worm from spreading throughout the network and infecting other machines. A network that is protected by the NVW pattern is assured that any presence of the code at the network layer is immediately filtered out before it causes any damage. The Vulnerability Assessment (VA) pattern detects all machines in the network that have not been patched against the vulnerability exploited by these worms. This enables system administrators to be notified immediately of machines that require protection and to take necessary actions to assure that damage is not magnified on a network-wide scale.

    If you would like to scan your computer for WORM_FANBOT.F, or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:

    For additional information about WORM_FANBOT.F please visit: