By Robert Vamosi
Posted on ZDNet News: Jul 15, 2002 12:00:00 AM

An e-mail message that promises to reveal secret information with a password is a variant from the pesky Frethem worm family. Frethem.k, technically known as w32.frethem.k@mm, also called Frethem.l by some vendors, is a more robust version of Frethem.e, which uses its own SMTP engine to send e-mail using addresses obtained from infected systems. This worm does not carry a destructive payload. Mac and Linux users are not affected. Because Frethem.k spreads only by e-mail and does not damage data, this worm rates a 4 on the ZDNet Virus Meter.

How it works
Frethem.k arrives as an e-mail message similar to that used with Frethem.e: The subject line reads "Re: Your password!" and the body text reads:

    ATTENTION!

    You can access
    very important
    information by
    this password

    DO NOT SAVE
    password to disk
    use your mind

    now press
    cancel

The attached file is either decrypt-password.exe (48K) or password.txt (93K).

When opened, the password.txt file contains the message: "Your password is W8dqwq8q918213."
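The indicators above (the fixed subject line, the two attachment names and the distinctive body text) are enough for a mail gateway or mailbox script to flag the lure before a user ever sees it. The following is an added example written for this page, not code from ZDNet or from any antivirus vendor named here: it builds a constructed sample message in the shape the article describes (the attachment payload is an inert placeholder string, not the worm), parses it with Python's standard `email` library, and scores it against the three indicators. The function names, the scoring thresholds and the `example.invalid` addresses are this example's own choices.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article's description of the lure.
LURE_SUBJECT = "re: your password!"
LURE_ATTACHMENTS = {"decrypt-password.exe", "password.txt"}
LURE_BODY_PHRASES = ("DO NOT SAVE", "use your mind", "now press")

# Body text reproduced from the article, used only to construct test samples.
LURE_BODY = """ATTENTION!

You can access
very important
information by
this password

DO NOT SAVE
password to disk
use your mind

now press
cancel
"""


def build_lure(attachment_name: str) -> str:
    """Construct a sample message shaped like the article's lure (not a real capture).
    The attachment content is a harmless placeholder, not an executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: Your password!"
    msg.set_content(LURE_BODY)
    msg.add_attachment(b"PLACEHOLDER-NOT-A-REAL-FILE",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_string()


def build_benign() -> str:
    """Constructed ordinary message, used to check the scanner does not over-trigger."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: meeting notes"
    msg.set_content("Here are the notes from today's meeting.\n")
    return msg.as_string()


def scan_message(raw: str) -> dict:
    """Parse one RFC 822 message and score it against the Frethem.k lure indicators.
    Returns the individual findings plus a verdict, so a gateway can log the reason."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    subject_match = subject == LURE_SUBJECT

    attachments = []
    body_phrases = []
    for part in msg.walk():
        if part.is_attachment():
            name = (part.get_filename() or "").lower()
            if name in LURE_ATTACHMENTS:
                attachments.append(name)
        elif part.get_content_type() == "text/plain":
            text = part.get_content()
            body_phrases = [p for p in LURE_BODY_PHRASES if p in text]

    # One point per indicator family; two of three is treated as a match, so a
    # variant that changes only the subject or only the attachment name still trips.
    score = int(subject_match) + int(bool(attachments)) + int(len(body_phrases) >= 2)
    return {
        "subject_match": subject_match,
        "attachments": attachments,
        "body_phrases": body_phrases,
        "score": score,
        "verdict": "quarantine" if score >= 2 else "deliver",
    }


if __name__ == "__main__":
    for sample in (build_lure("decrypt-password.exe"), build_lure("password.txt"), build_benign()):
        print(scan_message(sample))
```

The scanner deliberately does not look at attachment content: the article gives the sizes (48K and 93K) but no hashes, so the message shape is the only reliable indicator the page supports. Any gateway rule built on this should still block executable attachments generally rather than only these two names.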

Frethem.k copies itself to the following location:

C:\Windows\Start menu\Programs\Startup\setup.exe

The worm then drops Taskbar.exe into the Windows directory and adds the following Registry value so that it is launched at every logon:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        Task Bar = Windows\taskbar.exe

To obtain the infected system's default SMTP (outgoing mail) settings, Frethem looks for this Registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001

If account 00000001 does not exist, the worm will not spread. The worm searches WAB, MBX, EML, and MDB files to harvest addresses, then sends infected copies of itself to each one. Frethem.k also connects to a series of hard-coded Web addresses, perhaps to earn credit for the number of hits generated.
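The file and Registry artifacts above (the Startup-folder copy, the "Task Bar" Run value pointing at taskbar.exe, and the mail-account key the worm needs in order to spread) are what an incident responder would check on a suspect machine. The following is an added example, not code from the article or from any of the vendors it names: it evaluates collected host data against those indicators as a pure function, so it can be run offline against data exported from any machine, and includes a Windows-only collector that reads the live Registry and Startup folder through the standard `winreg` module. The Startup path is the one the article gives (the Windows 9x layout; on NT-family Windows the folder lives under the user's profile instead); the function names and the report keys are this example's own.

```python
"""Host check for the Frethem.k persistence artifacts described in the article.
Indicator strings come from the article; everything else is this example's design."""
import os
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "task bar"      # Registry value name "Task Bar", compared case-insensitively
RUN_VALUE_IMAGE = "taskbar.exe"  # value data ends in ...\taskbar.exe
STARTUP_DIR = r"C:\Windows\Start menu\Programs\Startup"  # path as given in the article
STARTUP_IMAGE = "setup.exe"
ACCOUNTS_KEY = r"Software\Microsoft\Internet Account Manager\Accounts"
DEFAULT_ACCOUNT = "00000001"     # the worm only sends mail if this subkey exists


def assess_host(run_values, startup_files, account_subkeys):
    """Evaluate collected data against the indicators.

    run_values:      dict of value name -> data under HKCU\\...\\Run
    startup_files:   list of file names in the Startup folder
    account_subkeys: list of subkey names under Internet Account Manager\\Accounts
    """
    findings = []
    for name, data in run_values.items():
        # Normalise the command line to its image file name: strip quotes,
        # accept either slash style, keep the last path component.
        image = str(data).strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.strip().lower() == RUN_VALUE_NAME and image == RUN_VALUE_IMAGE:
            findings.append(f"Run value {name!r} launches {data}")
    for fname in startup_files:
        if fname.lower() == STARTUP_IMAGE:
            findings.append(f"Startup folder contains {fname}")
    return {
        "infected": bool(findings),
        "findings": findings,
        # Per the article, without account 00000001 the worm cannot mail itself onward.
        "spread_condition_met": DEFAULT_ACCOUNT in account_subkeys,
    }


def collect_live_host():
    """Gather the three inputs for assess_host from the local machine (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; pass exported data to assess_host")
    import winreg  # standard library, available only on Windows

    def enum_values(path):
        out = {}
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path)
        except OSError:
            return out
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:  # no more values
                    return out
                out[name] = data
                i += 1

    def enum_subkeys(path):
        out = []
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path)
        except OSError:
            return out
        with key:
            i = 0
            while True:
                try:
                    out.append(winreg.EnumKey(key, i))
                except OSError:  # no more subkeys
                    return out
                i += 1

    startup = os.listdir(STARTUP_DIR) if os.path.isdir(STARTUP_DIR) else []
    return enum_values(RUN_KEY), startup, enum_subkeys(ACCOUNTS_KEY)


if __name__ == "__main__":
    if sys.platform == "win32":
        report = assess_host(*collect_live_host())
    else:
        # Constructed data mimicking an infected host, so the check runs offline.
        report = assess_host({"Task Bar": r"Windows\taskbar.exe"}, ["setup.exe"], ["00000001"])
    print(report)
```

The report separates "infected" from "spread_condition_met" on purpose: a machine that has the Run value but no account 00000001 is still compromised and still needs cleaning, it just has not been mailing copies out, which changes who else you need to notify.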

Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from the attached EXE and TXT files used by Frethem. The worm exploits Internet Explorer vulnerabilities that can execute the attachment automatically as soon as the message is viewed. Fortunately, both the MIME header and IFRAME vulnerabilities have been fixed by Microsoft in MS01-020; if you have not installed this patch, you are urged to do so now. Users who have not upgraded to Outlook 2002 or who have not installed the Security Update for Outlook 2000 should do so. In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include Frethem.k.

Removal
Several antivirus-software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.
