Content
W32/Frethem.f@MM
- Type
- Virus
- SubType
- E-mail worm
- Discovery Date
- 06/07/2002
- Length
- 35,840 bytes
- Minimum DAT
- 4207 (06/12/2002)
- Updated DAT
- 4245 (01/29/2003)
- Minimum Engine
- 5.1.00
- Description Added
- 06/11/2002
- Description Modified
- 07/13/2002 4:47 PM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Tab Navigation
Characteristics
-- Update 6/12/2002 --
The risk assessment of this threat was modified to Low-Profiled as this virus is now in the news.
This mass-mailing worm gathers email addresses from Microsoft Outlook Express mailbox files (.DBX files), and the Windows Address Book (.WAB file) to send itself via SMTP using the following information:
Subject: Re: Your password!
Body: ATTENTION!
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel
The worm exploits the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2), to automatically execute the virus on vulnerable systems. The exe file copies itself to \Start Menu\Programs\Startup\setup.exe so that it runs each time Windows is loaded. The default SMTP Server, SMTP Email Address, and SMTP Display Name are gathered from the Internet Account Manager:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\
Accounts\00000001
The worm hooks Internet Explorer to send requests to various websites. It is believed that intention is to send the referring URL when an infected users visits websites. This may generate revenue for the author via affiliate programs:
- http://12.224.134.35/b.cgi
- http://12.224.7.51/b.cgi
- http://12.225.109.97/b.cgi
- http://12.226.37.205/b.cgi
- http://12.88.91.104/b.cgi
- http://137.204.230.6/b.cgi
- http://144.139.125.223/b.cgi
- http://198.142.106.196/b.cgi
- http://202.189.226.30/b.cgi
- http://213.122.216.147/b.cgi
- http://216.143.56.216/b.cgi
- http://24.112.73.219/b.cgi
- http://24.125.113.9/b.cgi
- http://24.148.20.32/b.cgi
- http://24.153.41.186/b.cgi
- http://24.159.11.226/b.cgi
- http://24.190.219.22/b.cgi
- http://24.192.28.144/b.cgi
- http://24.198.18.192/b.cgi
- http://24.24.8.202/b.cgi
- http://24.31.108.37/b.cgi
- http://24.31.93.181/b.cgi
- http://24.44.189.180/b.cgi
- http://24.52.63.42/b.cgi
- http://24.61.169.219/b.cgi
- http://24.67.234.143/b.cgi
- http://24.81.193.45/b.cgi
- http://24.84.69.131/b.cgi
- http://4.47.166.164/b.cgi
- http://62.194.172.39/b.cgi
- http://62.61.140.100/b.cgi
- http://62.64.231.163/b.cgi
- http://65.16.55.170/b.cgi
- http://65.27.233.102/b.cgi
- http://65.29.240.222/b.cgi
- http://65.32.45.34/b.cgi
- http://66.176.166.16/b.cgi
- http://66.26.6.45/b.cgi
- http://66.31.193.42/b.cgi
- http://66.66.51.175/b.cgi
- http://66.91.64.199/b.cgi
- http://68.100.32.96/b.cgi
- http://68.35.125.130/b.cgi
- http://68.38.178.152/b.cgi
- http://68.46.26.131/b.cgi
- http://68.49.73.246/b.cgi
- http://68.54.50.29/b.cgi
- http://68.63.64.199/b.cgi
- http://68.67.198.125/b.cgi
- http://68.97.35.67/b.cgi
Symptoms
- Presence of the file \Start Menu\Programs\Startup\setup.exe
- Presence of the files %WinDir%\status.ini
- Presence of the files %WinDir%\Win64.ini
- Your password is W8dqwq8q918213
Method of Infection
This worm exploits an Internet Explorer vulnerability to automatically run on unpatched systems. Once run, the worm sends itself to email addresses found on the local system.
Removal
All Windows Users
:
Use current engine and DAT files
for detection and removal.
Manual Removal Instructions
- Restart the computer in safe mode
- Delete the following files
- \Start Menu\Programs\Startup\setup.exe
- %WinDir%\status.ini
- %WinDir%\Win64.ini
Variants
Variants
N/A
All Information
Overview -
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- decrypt-password
- W32.Frethem.E@mm (Symantec)
- WORM_FRETHEM.E (Trend)
Characteristics
Characteristics -
-- Update 6/12/2002 --
The risk assessment of this threat was modified to Low-Profiled as this virus is now in the news.
This mass-mailing worm gathers email addresses from Microsoft Outlook Express mailbox files (.DBX files), and the Windows Address Book (.WAB file) to send itself via SMTP using the following information:
Subject: Re: Your password!
Body: ATTENTION!
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel
The worm exploits the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2), to automatically execute the virus on vulnerable systems. The exe file copies itself to \Start Menu\Programs\Startup\setup.exe so that it runs each time Windows is loaded. The default SMTP Server, SMTP Email Address, and SMTP Display Name are gathered from the Internet Account Manager:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\
Accounts\00000001
The worm hooks Internet Explorer to send requests to various websites. It is believed that intention is to send the referring URL when an infected users visits websites. This may generate revenue for the author via affiliate programs:
- http://12.224.134.35/b.cgi
- http://12.224.7.51/b.cgi
- http://12.225.109.97/b.cgi
- http://12.226.37.205/b.cgi
- http://12.88.91.104/b.cgi
- http://137.204.230.6/b.cgi
- http://144.139.125.223/b.cgi
- http://198.142.106.196/b.cgi
- http://202.189.226.30/b.cgi
- http://213.122.216.147/b.cgi
- http://216.143.56.216/b.cgi
- http://24.112.73.219/b.cgi
- http://24.125.113.9/b.cgi
- http://24.148.20.32/b.cgi
- http://24.153.41.186/b.cgi
- http://24.159.11.226/b.cgi
- http://24.190.219.22/b.cgi
- http://24.192.28.144/b.cgi
- http://24.198.18.192/b.cgi
- http://24.24.8.202/b.cgi
- http://24.31.108.37/b.cgi
- http://24.31.93.181/b.cgi
- http://24.44.189.180/b.cgi
- http://24.52.63.42/b.cgi
- http://24.61.169.219/b.cgi
- http://24.67.234.143/b.cgi
- http://24.81.193.45/b.cgi
- http://24.84.69.131/b.cgi
- http://4.47.166.164/b.cgi
- http://62.194.172.39/b.cgi
- http://62.61.140.100/b.cgi
- http://62.64.231.163/b.cgi
- http://65.16.55.170/b.cgi
- http://65.27.233.102/b.cgi
- http://65.29.240.222/b.cgi
- http://65.32.45.34/b.cgi
- http://66.176.166.16/b.cgi
- http://66.26.6.45/b.cgi
- http://66.31.193.42/b.cgi
- http://66.66.51.175/b.cgi
- http://66.91.64.199/b.cgi
- http://68.100.32.96/b.cgi
- http://68.35.125.130/b.cgi
- http://68.38.178.152/b.cgi
- http://68.46.26.131/b.cgi
- http://68.49.73.246/b.cgi
- http://68.54.50.29/b.cgi
- http://68.63.64.199/b.cgi
- http://68.67.198.125/b.cgi
- http://68.97.35.67/b.cgi
Symptoms
Symptoms -
- Presence of the file \Start Menu\Programs\Startup\setup.exe
- Presence of the files %WinDir%\status.ini
- Presence of the files %WinDir%\Win64.ini
- Your password is W8dqwq8q918213
Method of Infection
Method of Infection -
This worm exploits an Internet Explorer vulnerability to automatically run on unpatched systems. Once run, the worm sends itself to email addresses found on the local system.
Removal -
Removal -
All Windows Users
:
Use current engine and DAT files
for detection and removal.
Manual Removal Instructions
- Restart the computer in safe mode
- Delete the following files
- \Start Menu\Programs\Startup\setup.exe
- %WinDir%\status.ini
- %WinDir%\Win64.ini
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
