An e-mail promising to reveal secret information with a password is nothing more than a pesky worm. Frethem, technically known as Frethem.e (w32.frethem.e@mm, also known as Frethem.d and Frethem.f by some vendors), uses its own SMTP engine to send e-mail using addresses obtained from infected systems. Mac and Linux users are not affected. Because Frethem only spreads by e-mail and does not cause any data damage, this worm rates a 4 on the ZDNet Virus Meter.
How it works
Frethem arrives as an e-mail with the subject line "Re: Your password!"
The body text of the e-mail reads:
- ATTENTION!
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel
The attached file is either decrypt-password.exe or password.txt.
According to various antivirus vendors, the file, when opened, contains the following text: "Your password is W8dqwq8q918213."
Written in C++, Frethem copies itself to the following path:
C:\Windows\startmenu\programs\startup\setup.exe
Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from the attached TXT used by Frethem.
The worm uses a known vulnerability in Internet Explorer that was patched last year by Microsoft in MS01-020; if you have not installed this patch, you are urged to do so now. Users who have not upgraded to Outlook 2002 or who have not installed the Security Update for Outlook 2000 should do so. In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include Frethem.
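The subject line and attachment names reported above can also be checked at a mail gateway before a message reaches the inbox. The following is an added example, not code from the article or from any antivirus vendor: the function names and sample messages are constructed for illustration, and the decision to require both the subject and a named attachment is an assumption.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators as reported in the article; matching is case-insensitive.
SUBJECT = "re: your password!"
ATTACHMENTS = {"decrypt-password.exe", "password.txt"}
BODY_PHRASES = ("do not save", "password to disk")

def frethem_indicators(raw: bytes) -> list:
    """Return the indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if " ".join(str(msg.get("Subject", "")).split()).lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif not name and part.get_content_type() == "text/plain":
            try:
                text = " ".join(part.get_content().split()).lower()
            except (LookupError, UnicodeError):
                continue  # undecodable body: skip the text check
            if all(p in text for p in BODY_PHRASES):
                hits.append("body")
    return hits

def should_quarantine(raw: bytes) -> bool:
    """Subject alone is a common reply line; require a named attachment too."""
    hits = frethem_indicators(raw)
    return "subject" in hits and any(h.startswith("attachment:") for h in hits)

def build_sample(subject, body, attachment=None) -> bytes:
    """Constructed test message; the attachment bytes are an inert placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    lure = "ATTENTION!\nYou can access\n...\nDO NOT SAVE\npassword to disk\n"
    for att in ("decrypt-password.exe", None):
        raw = build_sample("Re: Your password!", lure, att)
        print(att, frethem_indicators(raw), should_quarantine(raw))
```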
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.










