Content
W32/Frethem.l@MM
- Type
- Virus
- SubType
- Internet Worm
- Discovery Date
- 07/14/2002
- Length
- 48,640
- Minimum DAT
- 4212 (07/15/2002)
- Updated DAT
- 4238 (12/18/2002)
- Minimum Engine
- 5.1.00
- Description Added
- 07/15/2002
- Description Modified
- 11/12/2002 4:31 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Tab Navigation
Characteristics
Detection of this variant, W32/Frethem.l@MM, was be included in the 4212 dat release. Gateway scanners will detect W32/Frethem.l@MM email messages as Exploit-MIME.gen or Exploit-MIME.gen.b when using the 4178 DATs or higher.
This mass-mailing worm gathers email addresses from Microsoft Outlook Express mailbox files (.DBX files), the Windows Address Book (.WAB file), .MBX, .EML, and .MDB files to send itself via SMTP using the following information:
Subject: Re: Your password!
Body: ATTENTION!
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel
The worm exploits the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2), to automatically execute the virus on vulnerable systems. The exe file copies itself to the %WinDir% directory and creates the following registry run keys so that it runs each time Windows is loaded.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run\Task Bar=C:\Windows\Taskbar.exe - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run\Task Bar=C:\Windows\Taskbar.exe
- HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\
Accounts\00000001
The worm hooks Internet Explorer to send requests to various websites.
The PASSWORD.TXT file the virus sends simply contains the text:- Your password is W8dqwq8q918213
Symptoms
- Presence of the file %WinDir%\Taskbar.exe
- Presence of the file %WinDir%\Winstat.ini
Method of Infection
This worm exploits an Internet Explorer vulnerability to automatically run on unpatched systems. Once run, the worm sends itself to email addresses found on the local system.
Removal
All Windows Users
:
Use current engine and DAT files
for detection and removal.
The DAT files will detect and remove the infected .EXE file(s) and the associated registry run key from an infected system. Users may also choose to delete the non-viral text files created by this worm:
- %WinDir%\Winstat.ini
- Password.txt
Manual Removal Instructions (when not using our products)
- Restart the computer in safe mode
- Delete the following files
- %WinDir%\Taskbar.exe
- %WinDir%\Winstat.ini
- Delete the registry key value
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run\Task Bar
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
- Delete the registry key
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run\Task Bar
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Variants
Variants
N/A
All Information
Overview -
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Characteristics
Characteristics -
Detection of this variant, W32/Frethem.l@MM, was be included in the 4212 dat release. Gateway scanners will detect W32/Frethem.l@MM email messages as Exploit-MIME.gen or Exploit-MIME.gen.b when using the 4178 DATs or higher.
This mass-mailing worm gathers email addresses from Microsoft Outlook Express mailbox files (.DBX files), the Windows Address Book (.WAB file), .MBX, .EML, and .MDB files to send itself via SMTP using the following information:
Subject: Re: Your password!
Body: ATTENTION!
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel
The worm exploits the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2), to automatically execute the virus on vulnerable systems. The exe file copies itself to the %WinDir% directory and creates the following registry run keys so that it runs each time Windows is loaded.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run\Task Bar=C:\Windows\Taskbar.exe - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run\Task Bar=C:\Windows\Taskbar.exe
- HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\
Accounts\00000001
The worm hooks Internet Explorer to send requests to various websites.
The PASSWORD.TXT file the virus sends simply contains the text:- Your password is W8dqwq8q918213
Symptoms
Symptoms -
- Presence of the file %WinDir%\Taskbar.exe
- Presence of the file %WinDir%\Winstat.ini
Method of Infection
Method of Infection -
This worm exploits an Internet Explorer vulnerability to automatically run on unpatched systems. Once run, the worm sends itself to email addresses found on the local system.
Removal -
Removal -
All Windows Users
:
Use current engine and DAT files
for detection and removal.
The DAT files will detect and remove the infected .EXE file(s) and the associated registry run key from an infected system. Users may also choose to delete the non-viral text files created by this worm:
- %WinDir%\Winstat.ini
- Password.txt
Manual Removal Instructions (when not using our products)
- Restart the computer in safe mode
- Delete the following files
- %WinDir%\Taskbar.exe
- %WinDir%\Winstat.ini
- Delete the registry key value
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run\Task Bar
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
- Delete the registry key
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run\Task Bar
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
