Virus Profile: W32/Frethem.k@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 7/12/2002
Date Added: 7/13/2002
Origin: Unknown
Length: 47,616 bytes
Type: Virus
Subtype: E-mail worm
DAT Required: 4208
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Presence of the file %WinDir%\Taskbar.exe
  • Presence of the file %WinDir%\Winstat.ini

Methods of Infection

This worm exploits an Internet Explorer vulnerability to automatically run on unpatched systems. Once run, the worm sends itself to email addresses found on the local system.

Aliases

W32.Frethem.J@mm (Symantec), W32/Frethem.gen@MM (NAI) , WORM_FRETHEM.J (TrendMicro)
   

Virus Characteristics

This W32/Frethem variant has gotten some media attention due to the fact that it was accidentally sent to a well-known anti-virus mailing list (not by an anti-virus company) and most anti-virus products did not detect it at that time. McAfee products were the exception as the DAT files that were released more than three weeks prior to this mailing contained generic W32/Frethem detection, which protected its users well before the release/creation of this threat.

This W32/Frethem variant is detected as W32/Frethem.gen@MM with the 4208 DATs, or higher, when scanning compressed files with the current scan engine. Specific detection of this variant, W32/Frethem.k@MM, will be included in the 4212 weekly dat release.

This mass-mailing worm gathers email addresses from Microsoft Outlook Express mailbox files (.DBX files), the Windows Address Book (.WAB file), .MBX, .EML, and .MDB files to send itself via SMTP using the following information:

Subject: Re: Your password!
Body: ATTENTION!

You can access
very important
information by
this password

DO NOT SAVE
password to disk
use your mind

now press
cancel

Attachments:
  • Decrypt-password.exe
  • Password.txt

    The worm exploits the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2), to automatically execute the virus on vulnerable systems. The exe file copies itself to the %WinDir% directory and creates the following registry run keys so that it runs each time Windows is loaded.

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
      Run\Task Bar=C:\Windows\Taskbar.exe
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
      Run\Task Bar=C:\Windows\Taskbar.exe
    The default SMTP Server, SMTP Email Address, and SMTP Display Name are gathered from the Internet Account Manager:
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\
      Accounts\00000001
    This information is used by the worm to carry out its propagation routine.

    The worm hooks Internet Explorer to send requests to various websites:

    • http://12.224.160.208/b.cgi
    • http://12.225.239.153/b.cgi
    • http://12.252.211.170/b.cgi
    • http://128.173.231.167/b.cgi
    • http://129.120.117.218/b.cgi
    • http://140.158.208.167/b.cgi
    • http://143.111.86.30/b.cgi
    • http://147.26.215.144/b.cgi
    • http://170.11.31.35/b.cgi
    • http://207.171.103.126/b.cgi
    • http://209.192.135.22/b.cgi
    • http://213.190.55.222/b.cgi
    • http://24.138.42.1/b.cgi
    • http://24.153.41.186/b.cgi
    • http://24.157.108.78/b.cgi
    • http://24.159.28.120/b.cgi
    • http://24.24.128.16/b.cgi
    • http://24.242.106.163/b.cgi
    • http://24.91.146.67/b.cgi
    • http://24.91.187.71/b.cgi
    • http://4.47.227.27/b.cgi
    • http://63.231.167.66/b.cgi
    • http://63.71.246.234/b.cgi
    • http://64.211.174.43/b.cgi
    • http://65.25.12.45/b.cgi
    • http://66.31.193.42/b.cgi
    • http://66.31.93.30/b.cgi
    • http://66.68.22.102/b.cgi
    • http://68.35.125.130/b.cgi
    • http://68.42.253.163/b.cgi
    • http://68.57.88.25/b.cgi
    •    
    All Windows Users:
    Use current engine and DAT files for detection and removal.

    Manual Removal Instructions

    • Restart the computer in safe mode
    • Delete the following files
      • %WinDir%\Taskbar.exe
      • %WinDir%\Winstat.ini
    • Delete the registry key values
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
        Run\Task Bar
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
        Run\Task Bar

    Additional Windows ME/XP removal considerations