W32/Frethem.k@MM
Type: Virus
SubType: E-mail worm
Discovery Date: 07/12/2002
Length: 47,616 bytes
Minimum DAT: 4208 (06/19/2002)
Updated DAT: 4238 (12/18/2002)
Minimum Engine: 5.1.00
Description Added: 07/13/2002
Description Modified: 11/12/2002 4:34 AM (PT)
Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled
Characteristics
This W32/Frethem variant attracted some media attention because it was accidentally sent to a well-known anti-virus mailing list (not by an anti-virus company), and at that time most anti-virus products did not detect it. McAfee products were the exception: the DAT files released more than three weeks before that mailing already contained generic W32/Frethem detection, which protected users well before this variant was created.
This variant is detected as W32/Frethem.gen@MM with the 4208 DATs or higher when scanning compressed files with the current scan engine. Specific detection of this variant, W32/Frethem.k@MM, will be included in the 4212 weekly DAT release.
This mass-mailing worm harvests email addresses from Microsoft Outlook Express mailbox files (.DBX), the Windows Address Book (.WAB), and .MBX, .EML and .MDB files, and sends itself to those addresses via SMTP using the following message:
Subject: Re: Your password!
Body: ATTENTION!
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel
The worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (Microsoft Security Bulletin MS01-020, CVE-2001-0154; affects IE 5.01 and 5.5 without SP2), so the attachment runs automatically when the message is viewed on a vulnerable system. When run, the executable copies itself to the %WinDir% directory and creates the following registry Run values so that it is launched each time Windows starts:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Task Bar=C:\Windows\Taskbar.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Task Bar=C:\Windows\Taskbar.exe
It also touches the following Outlook Express account key (not a Run value), which holds the default mail account's settings:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001
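Detection for the indicators above, as an added example that is not part of the McAfee description: the Python script below parses a raw message and reports the worm's subject and body text, and the MS01-020 technique of declaring an executable attachment under a harmless media type so that an unpatched Internet Explorer 5.01/5.5 opens it without a prompt. The two sample messages, the attachment name decrypt-password.exe, the audio/x-wav content type and the lists of executable extensions and spoofed media types are constructed assumptions for the example; the page itself does not name the attachment or the media type the worm used.

```python
"""Spot W32/Frethem-style lure mail and the MS01-020 MIME trick (added example)."""
import email
from email import policy

# Constructed for this example: extensions Windows executes directly.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
# Assumption: media types an MS01-020 message declares for an executable part
# so that Internet Explorer 5.01/5.5 (pre-SP2) opens it without prompting.
SPOOFED_MEDIA_TYPES = frozenset({"audio/x-wav", "audio/x-midi", "audio/x-mpeg",
                                 "image/gif", "image/jpeg", "video/x-msvideo"})
# Subject and a body fragment quoted in the description.
FRETHEM_SUBJECT = "re: your password!"
LURE_BODY_MARKER = "password to disk"


def analyze_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and return the indicators found plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    lure = exploit = executable = False

    subject = (msg.get("Subject") or "").strip()
    if subject.lower() == FRETHEM_SUBJECT:
        lure = True
        findings.append("subject matches the W32/Frethem lure")

    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain" and LURE_BODY_MARKER in part.get_content().lower():
            lure = True
            findings.append("body matches the W32/Frethem lure")
        # get_filename() also honours the name= parameter of Content-Type,
        # which is where an MS01-020 message carries the executable's name.
        filename = part.get_filename() or ""
        if filename.lower().endswith(EXEC_EXTENSIONS):
            executable = True
            if ctype in SPOOFED_MEDIA_TYPES:
                exploit = True
                findings.append(f"MS01-020 pattern: {ctype} part named {filename!r}")
            else:
                findings.append(f"executable attachment {filename!r} declared as {ctype}")

    # The MIME trick alone is decisive; lure text alone is only suspicious,
    # because a legitimate reply could quote the same subject line.
    if exploit or (lure and executable):
        verdict = "malicious"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"subject": subject, "findings": findings, "verdict": verdict}


# Constructed sample resembling the worm's mail. The attachment name and the
# audio/x-wav type are assumptions; the payload is an inert MZ header stub.
SAMPLE_LURE = b"""From: someone@example.invalid
To: victim@example.invalid
Subject: Re: Your password!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_NextPart_000"

--=_NextPart_000
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

ATTENTION! You can access very important information by this password
DO NOT SAVE password to disk use your mind now press cancel

--=_NextPart_000
Content-Type: audio/x-wav; name="decrypt-password.exe"
Content-Transfer-Encoding: base64
Content-ID: <part1.frethem@example.invalid>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--=_NextPart_000--
"""

# Constructed benign message: a real attachment declared with its real type.
SAMPLE_BENIGN = b"""From: colleague@example.invalid
To: victim@example.invalid
Subject: Re: meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_Benign_000"

--=_Benign_000
Content-Type: text/plain

Notes attached.

--=_Benign_000
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--=_Benign_000--
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        result = analyze_message(raw)
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print("   ", finding)
```

Run the file directly to see the verdict for each sample; a mail gateway would call analyze_message on every message it accepts. The decisive indicator is the type mismatch, not the lure text, which is why the verdict is "malicious" only when the MIME trick is present or the lure arrives together with an executable.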
The worm hooks Internet Explorer to send HTTP requests for /b.cgi to the following addresses:
- http://12.224.160.208/b.cgi
- http://12.225.239.153/b.cgi
- http://12.252.211.170/b.cgi
- http://128.173.231.167/b.cgi
- http://129.120.117.218/b.cgi
- http://140.158.208.167/b.cgi
- http://143.111.86.30/b.cgi
- http://147.26.215.144/b.cgi
- http://170.11.31.35/b.cgi
- http://207.171.103.126/b.cgi
- http://209.192.135.22/b.cgi
- http://213.190.55.222/b.cgi
- http://24.138.42.1/b.cgi
- http://24.153.41.186/b.cgi
- http://24.157.108.78/b.cgi
- http://24.159.28.120/b.cgi
- http://24.24.128.16/b.cgi
- http://24.242.106.163/b.cgi
- http://24.91.146.67/b.cgi
- http://24.91.187.71/b.cgi
- http://4.47.227.27/b.cgi
- http://63.231.167.66/b.cgi
- http://63.71.246.234/b.cgi
- http://64.211.174.43/b.cgi
- http://65.25.12.45/b.cgi
- http://66.31.193.42/b.cgi
- http://66.31.93.30/b.cgi
- http://66.68.22.102/b.cgi
- http://68.35.125.130/b.cgi
- http://68.42.253.163/b.cgi
- http://68.57.88.25/b.cgi
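The address list above is a usable network indicator. As an added example that is not part of the original description, the Python below scans web-proxy log lines in Common Log Format for GET requests to /b.cgi: an exact match on the hosts listed on the page, and a weaker "possible" match on a /b.cgi request to any bare-IP host, since a published list goes stale as check-in hosts disappear. The log lines, the client addresses and the 198.51.100.7 host are constructed for the example.

```python
"""Flag /b.cgi check-in requests from W32/Frethem.k in proxy logs (added example)."""
import re
from ipaddress import ip_address

# The hosts listed in the description, used as an exact-match indicator.
FRETHEM_HOSTS = frozenset({
    "12.224.160.208", "12.225.239.153", "12.252.211.170", "128.173.231.167",
    "129.120.117.218", "140.158.208.167", "143.111.86.30", "147.26.215.144",
    "170.11.31.35", "207.171.103.126", "209.192.135.22", "213.190.55.222",
    "24.138.42.1", "24.153.41.186", "24.157.108.78", "24.159.28.120",
    "24.24.128.16", "24.242.106.163", "24.91.146.67", "24.91.187.71",
    "4.47.227.27", "63.231.167.66", "63.71.246.234", "64.211.174.43",
    "65.25.12.45", "66.31.193.42", "66.31.93.30", "66.68.22.102",
    "68.35.125.130", "68.42.253.163", "68.57.88.25",
})
CHECKIN_PATH = "/b.cgi"

# Common Log Format as written by a proxy: the request line carries an absolute URL.
CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+')
URL = re.compile(r'^https?://(?P<host>[^/:?]+)(?::\d+)?(?P<path>/[^?]*)')


def classify(line: str):
    """Return (tier, client, host) for a /b.cgi request, or None for anything else."""
    m = CLF.match(line)
    if not m:
        return None
    u = URL.match(m["url"])
    if not u or u["path"] != CHECKIN_PATH:
        return None
    host = u["host"]
    if host in FRETHEM_HOSTS:
        return ("known-frethem-host", m["client"], host)
    try:
        ip_address(host)          # the worm talks to bare IPs, not hostnames
    except ValueError:
        return None
    return ("possible-frethem-host", m["client"], host)


def infected_clients(lines):
    """Sorted list of client addresses that made at least one flagged request."""
    return sorted({hit[1] for hit in map(classify, lines) if hit})


# Constructed log lines; 198.51.100.7 is a documentation address standing in
# for a check-in host that is not on the published list.
SAMPLE_LOG = """\
10.0.0.15 - - [12/Jul/2002:09:14:02 -0700] "GET http://12.224.160.208/b.cgi HTTP/1.0" 200 312
10.0.0.15 - - [12/Jul/2002:09:14:03 -0700] "GET http://24.91.187.71/b.cgi HTTP/1.0" 503 0
10.0.0.22 - - [12/Jul/2002:09:15:10 -0700] "GET http://www.example.com/index.html HTTP/1.0" 200 5120
10.0.0.22 - - [12/Jul/2002:09:15:11 -0700] "GET http://198.51.100.7/b.cgi HTTP/1.0" 200 300
10.0.0.30 - - [12/Jul/2002:09:16:00 -0700] "GET http://www.example.net/b.cgi?x=1 HTTP/1.0" 200 64
""".splitlines()

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        hit = classify(entry)
        if hit:
            print("%-22s %-10s -> %s" % hit)
    print("infected clients:", ", ".join(infected_clients(SAMPLE_LOG)))
```

A failed request (the 503 above) is still a hit, because the client attempted the check-in; the response code only tells you whether the host was still up.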
Symptoms
- Presence of the file %WinDir%\Taskbar.exe
- Presence of the file %WinDir%\Winstat.ini
Method of Infection
This worm exploits an Internet Explorer vulnerability to automatically run on unpatched systems. Once run, the worm sends itself to email addresses found on the local system.
Removal
All Windows Users:
Use current engine and DAT files for detection and removal.
Manual Removal Instructions
- Restart the computer in safe mode
- Delete the following files
- %WinDir%\Taskbar.exe
- %WinDir%\Winstat.ini
- Delete the registry key values
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Task Bar
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Task Bar
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.Frethem.J@mm (Symantec)
- W32/Frethem.gen@MM (NAI)
- WORM_FRETHEM.J (TrendMicro)