W32/Frethem-Fam Worm

Discussion in 'malware problems & news' started by Paul Wilders, Jun 12, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Name: W32/Frethem-Fam
    Type: Win32 worm
    Date: 12 June 2002

    Sophos has received several reports of this worm from the wild.

    Description:

    W32/Frethem-Fam is a family of email-aware worms.

    At the time of writing, Sophos is aware of six variants of
    W32/Frethem, all of which are detected by this identity.

    Read the analysis at:

    www.sophos.com/virusinfo/analyses/w32frethemfam.html
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Some additional info:

    One variant has been reported from the wild. It arrives in an
    email with the following characteristics:

    Subject line: Re: Your password!
    Message text:

    ATTENTION!

    You can access
    very important
    information by
    this password

    DO NOT SAVE
    password to disk
    use your mind

    now press
    cancel

    Attached files: decrypt-password.exe, password.txt

    W32/Frethem is contained in the attached EXE file, which
    attempts to exploit an Outlook bug in order to run automatically when the mail is read.

    The file password.txt is not infectious -- it just contains the
    text:

    Your password is W8dqwq8q918213
     
  3. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Analysis of W32/Frethem.F@mm from CommandSoftware:

    Name: W32/Frethem.F@mm
    Aliases: W32.Frethem.E@mm, W32/Frethem.f@MM, WORM_FRETHEM.D, W32/Frethem-Fam
    Type: Internet Worm
    Discovery Date: June 11, 2002

    W32/Frethem.F@mm is a mass-mailing worm that arrives as an email containing the following information:

    Subject: Re: Your password!

    Body: ATTENTION!

    You can access
    very important
    information by
    this password

    DO NOT SAVE
    password to disk
    use your mind

    now press
    cancel

    Attachments: decrypt-password.exe and password.txt

    Note: This worm uses a MIME exploit that will allow it to automatically execute on vulnerable systems. You can download the patch for this vulnerability at http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp.

    W32/Frethem.F@mm will use its own SMTP engine to send a copy of itself to all the email addresses it collects from both the Windows address book and Microsoft Outlook Express mailbox files.

    Detection:

    Command Antivirus version 4.58.3 with definition files dated 06/12/02 will detect and delete this worm.
    Note: CSAV will use the generic message "is a security risk or a 'backdoor' program" to identify the worm.


    Technodrome
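The two advisories above give the same set of mail-borne indicators for this variant: the subject line, the pair of attachment names, and the fact that the executable rides in on a MIME trick. The following is an added example (not code from Sophos, Command Software or the forum posters) of a small gateway-style filter that checks an incoming message against those indicators using Python's standard `email` library. The sample message it builds is constructed here to reproduce the lure described in the thread, not a real capture, and the placeholder attachment bytes are not a real binary. The content-type mismatch check is an assumption added here as a generic heuristic: the advisories only say "a MIME exploit" is used, so the filter simply flags any executable attachment declared under a non-application MIME type.

```python
"""Indicator check for the W32/Frethem lure described in the thread above.

Added example, not vendor or forum-poster code. Indicators come from the
advisories; the sample messages are constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the Sophos and Command Software posts above
FRETHEM_SUBJECT = "Re: Your password!"
FRETHEM_ATTACHMENTS = {"decrypt-password.exe", "password.txt"}

# Assumption (generic heuristic, not from the advisories): an executable
# attachment should never be declared under a non-application MIME type.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")


def attachment_names(msg):
    """Return (filename, declared content type) for every part with a filename."""
    names = []
    for part in msg.walk():
        fn = part.get_filename()
        if fn:
            names.append((fn, part.get_content_type()))
    return names


def check_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report which Frethem indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "") or ""
    atts = attachment_names(msg)
    reasons = []

    if subject.strip() == FRETHEM_SUBJECT:
        reasons.append("subject matches Frethem lure")

    found = {fn.lower() for fn, _ in atts}
    if found & {n.lower() for n in FRETHEM_ATTACHMENTS}:
        reasons.append("known Frethem attachment name")

    for fn, ctype in atts:
        if fn.lower().endswith(EXECUTABLE_EXTS) and not ctype.startswith("application/"):
            reasons.append(f"executable {fn} declared as {ctype}")

    return {
        "subject": subject,
        "attachments": [fn for fn, _ in atts],
        "reasons": reasons,
        "quarantine": bool(reasons),
    }


def build_sample() -> bytes:
    """Constructed message reproducing the lure in the thread (not a real capture)."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = FRETHEM_SUBJECT
    m.set_content(
        "ATTENTION!\n\nYou can access\nvery important\ninformation by\n"
        "this password\n\nDO NOT SAVE\npassword to disk\nuse your mind\n\n"
        "now press\ncancel\n"
    )
    m.add_attachment("Your password is W8dqwq8q918213\n", filename="password.txt")
    # Placeholder bytes, not a real binary; declared under a non-executable
    # type purely to exercise the mismatch heuristic above.
    m.add_attachment(b"MZ-placeholder", maintype="text", subtype="plain",
                     filename="decrypt-password.exe")
    return m.as_bytes()


def build_benign() -> bytes:
    """Constructed ordinary message that should pass the filter."""
    m = EmailMessage()
    m["From"] = "colleague@example.invalid"
    m["To"] = "you@example.invalid"
    m["Subject"] = "Quarterly report"
    m.set_content("Report attached.\n")
    m.add_attachment(b"%PDF-placeholder", maintype="application", subtype="pdf",
                     filename="report.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample(), build_benign()):
        verdict = check_message(raw)
        print(verdict["subject"], "->", "QUARANTINE" if verdict["quarantine"] else "pass")
        for r in verdict["reasons"]:
            print("  -", r)
```

Run stand-alone it prints a verdict for the constructed lure (three reasons: subject, attachment name, declared-type mismatch) and a pass for the benign message. The subject and attachment-name checks are the exact-match indicators the advisories give; the mismatch heuristic is the only part that generalises beyond this variant, and it is the check worth keeping once the specific names stop appearing.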
     