Discovered on: March 6, 2002
Last Updated on: March 7, 2002 at 09:03:23 AM PST

W32.Simile is a very complex virus that uses entry-point obscuring, metamorphism, and polymorphic decryption. It infects files in folders on all fixed and remote drives that are mapped at the time that the virus is executed. The virus contains no destructive payload, but infected files may display messages on certain dates.


Alias: WORM_CRYPTZ.A , W32/Fbound.a@MM , Win32/ZCrypt.Worm
Category: Win32
Type: Worm
Fbound is a worm spreading via the e-mail system.
The worm arrives in a message with the Subject line:
The message body is blank and the attached file is called:
When the attachment is executed the worm obfuscates the screen:


Virus Information
Discovery Date: 03/07/2002
Origin: Unknown
Length: 30,720 bytes (UPX packed)
Type: Virus
SubType: E-mail

Virus Characteristics
This mass-mailing worm written in Visual Basic 6 uses Microsoft Outlook to send itself to all addresses in the Outlook Address book. It arrives in an email containing the following information:

Subject: my life ohhhhhhhhhhhhh
Attachment: MY LIFE.SCR

The attachment is a UPX packed PE file. When executed on the local machine, the following image is displayed whilst the worm copies itself to the System folder, and uses Outlook to propagate itself to all address found in the Outlook Address book: