There are 12 different variants of Frethem worm known so far (A-L). The K and L variants of the worm became widespread in the middle of July 2002. See the description of these variants below.
The above described variants of Frethem copy themselves to the user's startup folder as 'setup.exe' and introduce no other changes in the system configuration. This makes the removal easy. The worm's process can be killed from the task manager, the process is called 'Setup'. After this the worm can be deleted from the Startup folder.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
Frethem is a mass-mailer worm that started to spread on June 11th. The worm arrives in an email as an attachment. When the attachment is opened it copies itself to the user's Startup folder as 'setup.exe'. After the installation it collects email addresses from the Windows Address Book and files with '*.DBX' extensions. It uses it's own SMTP engine to send infected messages. All the information needes to send email is collected from the registry. The worm uses the user's account data that includes the SMTP server name, email address, etc. This way the infected message will look like it was sent by the user.
The message sent by Freethem.A looks like this:
Subject: Re: Do your Windows looks like Windows XP? I have found very nice desktop themes! Body: Hello! Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes! You can open attach with web site and samples! Enjoy it!!! Attachment: www.freethemes.com
Messages sent by Freethem.E look like this:
This variant uses one MIME vulnerabilty in Internet Explorer to execute the attachment automatically when the email is opened. This vulnerability is fixed and a patch for it is available on Microsoft site:
Frethem.K is a new variant of Frethem worm that appeared in the middle of July 2002. This worm variant is close to Frethem.E variant, but it has some additional features. The worm's file is packed with PE-Pack and UPX file compressors and is about 47 kilobytes long.
The worm sends itself from an infected computer as with the following message:
Re: Your password!
ATTENTION! You can access very important information by this password DO NOT SAVE password to disk use your mind now press cancel ([infected user name])
The executable attachment contains the worm's body. The 'password.txt' attachment contains the following text:
Your password is W8dqwq8q918213
The worm installs itself to system as TASKBAR.EXE and creates a startup key in System Registry to make this file start every time a user logs on. Also the worm copies itself as SETUP.EXE to \Start Menu\Programs\Startup\ folder.
To remove the worm from a system, all its files should be deleted. Also it is recommended to delete all infected messages from email databases and to apply the latest security patches to Microsoft email browsers.
Frethem.L is another new variant of Frethem worm that appeared in the middle of July 2002. This worm variant is very close to Frethem.K variant. The worm's file is packed with PE-Pack and UPX file compressors and is about 48 kilobytes long. The worm sends itself the same way that the Frethem.K variant does, see the description above.