F-Secure Virus Descriptions : Frethem
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
There are 12 different variants of the Frethem worm known so far
(A-L). The K and L variants became widespread in the middle of
July 2002; see their descriptions below.
Frethem is a mass-mailer worm that started to spread on June
11th, 2002. The worm arrives in an e-mail as an attachment. When
the attachment is opened, the worm copies itself to the user's
Startup folder as 'setup.exe'. After installation it collects
e-mail addresses from the Windows Address Book and from files with
the '*.DBX' extension (Outlook Express mail folders). It uses its
own SMTP engine to send infected messages, so it does not depend
on the user's mail client to send them. All the information needed
to send e-mail is read from the registry: the worm uses the user's
own account settings, including the SMTP server name and e-mail
address. As a result the infected message looks as if it was sent
by the user.
The message sent by Frethem.A looks like this:
Subject: Re: Do your Windows looks like Windows XP?
I have found very nice desktop themes!
Body:
Hello!
Do you like modern design of new Windows XP?! I have found FREE
and easy to use desktop themes!
You can open attach with web site and samples! Enjoy it!!!
Attachment: www.freethemes.com
Messages sent by Frethem.E look like this:
This variant exploits a MIME header handling vulnerability in
Internet Explorer, whose rendering engine is also used by Outlook
and Outlook Express to display HTML mail, so that the attachment
is executed automatically when the e-mail is opened, without the
user opening the attachment. The vulnerability has been fixed and
a patch is available from Microsoft:
http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp
Removal Instructions
The variants described above copy themselves to the user's
Startup folder as 'setup.exe' and make no other changes to the
system configuration, which makes removal easy: end the worm's
process (it appears as 'Setup' in Task Manager), then delete
'setup.exe' from the Startup folder.
Detection of Frethem.E worm in F-Secure Anti-Virus was published
on June 13th, 2002:
[FSAV_Database_Version]
Version=2002-06-13_02
Frethem.K is a new variant of the Frethem worm that appeared in
the middle of July 2002. It is close to Frethem.E but has some
additional features. The worm's file is packed with the PE-Pack
and UPX executable compressors and is about 47 kilobytes long.
The worm sends itself from an infected computer with the
following message:
Subject:
Re: Your password!
Body:
ATTENTION!
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel
(<infected user name>)
Attachment:
decrypt-password.exe
password.txt
The executable attachment contains the worm's body. The
'password.txt' attachment contains the following text:
Your password is W8dqwq8q918213
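The two attachment tricks described on this page, the Frethem.E MIME trick and the Frethem.K two-attachment lure, can be checked for at a mail gateway before the message reaches a client. The Python below is an added example, not F-Secure's code or the worm's: the two messages it scans are constructed here, modelled on the message text quoted above, and sending the executable part with an audio/x-wav content type is an assumption about how the MIME trick was laid out, since the page does not say which header the worm used.

```python
"""Gateway-style check for the Frethem lures and attachment tricks
described on this page.  Added example, not F-Secure code; the sample
messages are constructed here.  Labelling the executable as audio/x-wav
is an assumption about the Frethem.E MIME trick, not a statement from
the page."""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs when the attachment is opened.  '.com' is in the
# set because the Frethem.A attachment name 'www.freethemes.com' ends in it
# while looking like a web address.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Subject fragments and attachment names quoted in the variant descriptions.
LURE_SUBJECTS = ("re: your password!", "do your windows looks like windows xp")
LURE_NAMES = {"decrypt-password.exe", "password.txt", "www.freethemes.com"}


def build_frethem_k_sample() -> bytes:
    """Constructed message modelled on the Frethem.K text quoted above."""
    msg = EmailMessage()
    msg["From"] = "victim@example.com"      # the worm spoofs the infected user
    msg["To"] = "target@example.com"
    msg["Subject"] = "Re: Your password!"
    msg.set_content("ATTENTION!\nYou can access very important information "
                    "by this password\nDO NOT SAVE password to disk use your "
                    "mind\nnow press cancel\n(victim)")
    # Constructed stand-in for the worm body: a PE/MZ header plus filler.
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    msg.add_attachment(fake_pe, maintype="audio", subtype="x-wav",
                       filename="decrypt-password.exe")
    msg.add_attachment("Your password is W8dqwq8q918213", subtype="plain",
                       filename="password.txt")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """A normal message with a text attachment; must produce no finding."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Minutes from Tuesday"
    msg.set_content("See the attached notes.")
    msg.add_attachment("1. Budget\n2. Hiring\n", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()


def scan_message(raw: bytes) -> dict:
    """Return {'verdict': 'block'|'allow', 'findings': [...]} for one message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    subject = str(msg["Subject"] or "").lower()
    if any(s in subject for s in LURE_SUBJECTS):
        findings.append(f"subject matches a Frethem lure: {subject!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        ext = os.path.splitext(name.lower())[1]
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if name.lower() in LURE_NAMES:
            findings.append(f"attachment name {name!r} is a known Frethem lure")
        if ext in EXEC_EXTS:
            findings.append(f"executable attachment {name!r}")
            # The IE MIME bug came down to trusting the declared type over
            # the file name: an executable labelled as a media type is the tell.
            if not ctype.startswith("application/"):
                findings.append(f"{name!r} declared as {ctype}, "
                                "executable by extension")
        if payload[:2] == b"MZ":
            findings.append(f"{name!r} begins with an MZ (PE) header")
    return {"verdict": "block" if findings else "allow", "findings": findings}


if __name__ == "__main__":
    for raw in (build_frethem_k_sample(), build_benign_sample()):
        print(scan_message(raw))
```

The content-type check is the one that matters for the Frethem.E case: an executable declared as a media type is what the patched IE bug acted on, and blocking on the file extension alone would still let a correctly labelled executable through, which is why the MZ-header check is kept as well.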
The worm installs itself in the system as TASKBAR.EXE and creates
a startup value in the System Registry so that this file is
started every time a user logs on. The worm also copies itself as
SETUP.EXE to the \Start Menu\Programs\Startup\ folder.
To remove the worm from a system, end its process and delete all
of its files (TASKBAR.EXE and the SETUP.EXE copy in the Startup
folder) together with the registry startup value it created. It
is also recommended to delete all infected messages from e-mail
folders and to apply the latest security patches to Microsoft's
e-mail clients and Internet Explorer.
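The removal steps for variants A-E (setup.exe in the Startup folder) and for K/L (TASKBAR.EXE plus a registry startup value) can be turned into a triage check over a drive or mounted image together with a .reg export of the Run keys. The Python below is an added example, not F-Secure's; the directory tree and registry export it uses are constructed, and the value name 'TaskBar' and the file locations are assumptions, since the page does not name the Run value the worm creates.

```python
"""Artifact triage for the Frethem file and registry changes listed on
this page: SETUP.EXE in a Startup folder (all variants) and TASKBAR.EXE
plus a Run-key value pointing at it (Frethem.K/L).  Added example, not
F-Secure code.  The sample tree and .reg export are constructed; the
value name 'TaskBar' and the exact paths are assumptions."""
import os
import re
import tempfile

RUN_KEY_RE = re.compile(r"^\[(HK[^\]]*\\CurrentVersion\\Run(?:Once)?)\]$", re.I)

# Constructed .reg export in 'regedit /e' format (value name assumed).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskBar"="C:\\WINDOWS\\TASKBAR.EXE"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
'''


def make_sample_tree() -> str:
    """Build a constructed Windows-like directory tree in a temp dir."""
    root = tempfile.mkdtemp(prefix="frethem_")
    files = [
        # Worm copy in the Startup folder (all variants described above).
        r"Documents and Settings\User\Start Menu\Programs\Startup\setup.exe",
        # Frethem.K/L copy in the Windows directory (location assumed).
        r"WINDOWS\TASKBAR.EXE",
        # A legitimate installer with the same name; must NOT be reported.
        r"Downloads\setup.exe",
    ]
    for rel in files:
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"MZ")
    return root


def find_worm_files(root: str) -> dict:
    """setup.exe counts only inside a Startup folder; TASKBAR.EXE anywhere."""
    hits = {"setup.exe": [], "taskbar.exe": []}
    for dirpath, _dirs, filenames in os.walk(root):
        in_startup = os.path.basename(dirpath).lower() == "startup"
        for fn in filenames:
            low = fn.lower()
            if low == "setup.exe" and in_startup:
                hits["setup.exe"].append(os.path.join(dirpath, fn))
            elif low == "taskbar.exe":
                hits["taskbar.exe"].append(os.path.join(dirpath, fn))
    return hits


def find_run_entries(reg_export: str) -> list:
    """Return (key, value_name, data) for Run/RunOnce values naming TASKBAR.EXE."""
    hits, key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        m = RUN_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if line.startswith("["):        # any other key ends the Run section
            key = None
            continue
        if key and "=" in line:
            name, _, data = line.partition("=")
            if "taskbar.exe" in data.lower():
                hits.append((key, name.strip('"'), data.strip('"')))
    return hits


def triage(root: str, reg_export: str) -> dict:
    """Combine the file and registry checks into one report."""
    files = find_worm_files(root)
    run = find_run_entries(reg_export)
    return {"infected": bool(files["setup.exe"] or files["taskbar.exe"] or run),
            "files": files, "run_entries": run}


if __name__ == "__main__":
    print(triage(make_sample_tree(), SAMPLE_REG))
```

The check only reports; deleting the files and the Run value is left to the operator, after the worm's process has been ended. setup.exe is a common installer name, so restricting that hit to Startup folders is what keeps it meaningful; TASKBAR.EXE is unusual enough to report wherever it is found.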
Detection of Frethem.K worm in F-Secure Anti-Virus was published
on July 15th, 2002:
[FSAV_Database_Version]
Version=2002-07-15_03
Frethem.L is another new variant of the Frethem worm that appeared
in the middle of July 2002. It is very close to Frethem.K. The
worm's file is packed with the PE-Pack and UPX executable
compressors and is about 48 kilobytes long. It sends itself the
same way as Frethem.K; see the description above.
Detection of Frethem.L worm in F-Secure Anti-Virus was published
on July 15th, 2002:
[FSAV_Database_Version]
Version=2002-07-15_03
[Analysis: G. Erdelyi, A. Podrezov; F-Secure Corp.; June 13th - July 15th, 2002]