Virus Profile: W32/Frethem.m@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 7/15/2002
Date Added: 7/16/2002
Origin: Unknown
Length: 48,128 bytes
Type: Virus
Subtype: E-mail worm
DAT Required: 4208

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Presence of the file %WinDir%\Taskbar.exe
  • Presence of the file %WinDir%\Winstat.ini

Methods of Infection

This worm exploits the Internet Explorer MIME header vulnerability (MS01-020) so that its attachment runs automatically when the message is opened or previewed on an unpatched system (IE 5.01 or 5.5 without Service Pack 2). Once running, the worm mails itself to e-mail addresses harvested from files on the local system.

Aliases

I-Worm.Frethem.n (AVP) , W32.Frethem.M@mm (Symantec), WORM_FRETHEM.M (TrendMicro)
   

Virus Characteristics

This W32/Frethem variant is rated Low-Profiled: its own prevalence is low, but the family has drawn attention because another W32/Frethem variant reached Medium risk assessment status. It is detected as W32/Frethem.gen@MM with the 4208-4211 DATs and the current scan engine (when the scan compressed files option is enabled), and as W32/Frethem.m@MM with the 4212 or later DATs and the 4.0.70 or later scan engine.

This mass-mailing worm gathers e-mail addresses from Microsoft Outlook Express mailbox files (.DBX), the Windows Address Book (.WAB), and .MBX, .EML and .MDB files, then sends itself via SMTP using the following message:

Subject: Re: Your password!
Body: ATTENTION!

You can access
very important
information by
this password

DO NOT SAVE
password to disk
use your mind

now press
cancel

Attachments:
  • Decrypt-password.exe
  • Password.txt

The worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (MS01-020; affects IE 5.01 and 5.5 without Service Pack 2) so that the attachment executes automatically when the message is opened or previewed on an unpatched system. The executable copies itself to the %WinDir% directory and creates the following registry Run value so that it is started each time Windows loads (the removal instructions below also cover the matching HKEY_LOCAL_MACHINE value):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run\Task Bar=C:\Windows\Taskbar.exe

The default SMTP server, SMTP e-mail address and SMTP display name are read from the Internet Account Manager:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\
    Accounts\00000001

The worm uses this information in its propagation routine, so it relays through the victim's own configured mail server rather than carrying an SMTP configuration of its own.

The worm also hooks Internet Explorer to send requests to various web sites.

The PASSWORD.TXT file the worm sends simply contains the text:

  • Your password is W8dqwq8q918213
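The message format and the MIME trick above are what a mail gateway can key on. The following Python is an added example, not McAfee's code: it applies two independent rules to a message, (1) an attachment whose declared Content-Type is a passive type such as audio/x-wav but whose filename is executable, which is the malformed-MIME shape that MS01-020 turns into automatic execution on IE 5.01/5.5 before SP2, and (2) the profile's own lure, the subject "Re: Your password!" with Decrypt-password.exe or Password.txt attached. The sample messages are constructed here from the profile's text; declaring the .exe part as audio/x-wav is an assumption about how the worm lays out its MIME (the profile does not spell it out), chosen because that is the type cited in the MS01-020 advisory.

```python
"""Gateway check for W32/Frethem.m@MM style mail (added example, not McAfee's code)."""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js"}
# Major types that pre-SP2 IE handed to a helper without prompting when the
# Content-Type lied about an executable body (audio/x-wav is the MS01-020 case).
PASSIVE_MAJOR_TYPES = {"audio", "image", "video", "text"}

FRETHEM_SUBJECT = "re: your password!"
FRETHEM_ATTACHMENTS = {"decrypt-password.exe", "password.txt"}


def build_frethem_sample(mislabel_exe: bool = True) -> bytes:
    """Constructed sample mimicking the worm's message; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "target@example.invalid"
    msg["Subject"] = "Re: Your password!"
    msg.set_content(
        "ATTENTION!\n\nYou can access\nvery important\ninformation by\n"
        "this password\n\nDO NOT SAVE\npassword to disk\nuse your mind\n\n"
        "now press\ncancel\n"
    )
    msg.add_attachment(b"Your password is W8dqwq8q918213",
                       maintype="text", subtype="plain", filename="Password.txt")
    exe_body = b"MZ\x90\x00" + b"\x00" * 60  # stand-in for the 48,128-byte worm body
    if mislabel_exe:
        # Executable declared as audio: the header lie MS01-020 turns into auto-run
        # (assumed layout; the profile does not state the worm's MIME types).
        msg.add_attachment(exe_body, maintype="audio", subtype="x-wav",
                           filename="Decrypt-password.exe")
    else:
        msg.add_attachment(exe_body, maintype="application", subtype="octet-stream",
                           filename="Decrypt-password.exe")
    return msg.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed control message: a genuine audio attachment, ordinary subject."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "target@example.invalid"
    msg["Subject"] = "Re: meeting recording"
    msg.set_content("Recording attached.\n")
    msg.add_attachment(b"RIFF\x00\x00\x00\x00WAVEfmt ", maintype="audio",
                       subtype="x-wav", filename="meeting.wav")
    return msg.as_bytes()


def analyse(raw: bytes) -> dict:
    """Parse one RFC 822 message and return a verdict plus the rules that fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings, names = [], set()
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        names.add(name.lower())
        ext = os.path.splitext(name)[1].lower()
        if ext not in EXECUTABLE_EXTENSIONS:
            continue
        if part.get_content_maintype() in PASSIVE_MAJOR_TYPES:
            findings.append(f"MS01-020 shape: {name} declared as {part.get_content_type()}")
        else:
            findings.append(f"executable attachment: {name}")
    subject = (msg["Subject"] or "").strip().lower()
    if subject == FRETHEM_SUBJECT and names & FRETHEM_ATTACHMENTS:
        findings.append("W32/Frethem.m lure: subject and attachment names match the profile")
    return {"verdict": "quarantine" if findings else "deliver",
            "findings": findings, "attachments": sorted(names)}


if __name__ == "__main__":
    for raw in (build_frethem_sample(), build_frethem_sample(mislabel_exe=False),
                build_clean_sample()):
        result = analyse(raw)
        print(result["verdict"], result["findings"])
```

The type/extension mismatch rule is the durable one: it catches any mail built to trigger MS01-020 regardless of the lure text, whereas the subject and filename rule only matches this variant. Keep the executable-extension list in step with whatever your gateway already blocks.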
Removal Instructions

All Windows Users:
Use current engine and DAT files for detection and removal.

Manual Removal Instructions

  • Restart the computer in safe mode
  • Delete the following files
    • %WinDir%\Taskbar.exe
    • %WinDir%\Winstat.ini
  • Delete the registry key values
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
      Run\Task Bar
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
      Run\Task Bar
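The indicators of infection and the manual removal steps above can be checked and scripted on a host. The following Python is an added example, not McAfee's code: assess() matches already-collected state (file paths present, Run values per hive) against the profile's indicators and builds the corresponding del and reg delete commands, so it can be run and tested off-host; collect() gathers that state from a live Windows machine. The Run value is matched both by its name ("Task Bar") and by its image path (Taskbar.exe), so a copy written somewhere other than %WinDir% is still reported; the sample state in the block is constructed. As the profile says, do the deletion from safe mode so the worm is not resident.

```python
"""Host triage for W32/Frethem.m@MM indicators (added example, not McAfee's code)."""
import ntpath
import platform
from typing import Dict, Iterable, List, Optional, Tuple

INDICATOR_FILES = ("taskbar.exe", "winstat.ini")  # both dropped in %WinDir%
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
RUN_VALUE_NAME = "task bar"
RUN_IMAGE = "taskbar.exe"

# Constructed sample state of an infected host, used when not running on Windows.
SAMPLE_INFECTED_STATE = (
    r"C:\WINDOWS",
    [r"C:\WINDOWS\Taskbar.exe", r"C:\WINDOWS\Winstat.ini"],
    {"HKEY_CURRENT_USER": {"Task Bar": r"C:\WINDOWS\Taskbar.exe", "ctfmon": "ctfmon.exe"}},
)


def assess(windir: str, present_files: Iterable[str],
           run_values: Dict[str, Dict[str, str]]) -> dict:
    """Match collected state against the profile's indicators; return findings and a plan."""
    windir_n = ntpath.normcase(windir)
    files: List[str] = []
    for path in present_files:
        if (ntpath.normcase(ntpath.dirname(path)) == windir_n
                and ntpath.basename(path).lower() in INDICATOR_FILES):
            files.append(path)
    hits: List[Tuple[str, str, str]] = []
    for hive in HIVES:
        for name, data in run_values.get(hive, {}).items():
            # Match on the value name the worm uses or on its image, whichever survived.
            if name.lower() == RUN_VALUE_NAME or RUN_IMAGE in data.lower():
                hits.append((hive, name, data))
    plan = [f'del "{p}"' for p in files]
    plan += [f'reg delete "{hive}\\{RUN_SUBKEY}" /v "{name}" /f' for hive, name, _ in hits]
    return {"infected": bool(files or hits), "files": files,
            "run_values": hits, "removal": plan}


def collect(windir: Optional[str] = None):
    """Read the live file system and Run keys; Windows only (uses winreg)."""
    if platform.system() != "Windows":
        raise RuntimeError("collect() needs Windows; feed assess() gathered state instead")
    import os
    import winreg
    windir = windir or os.environ.get("WINDIR", r"C:\Windows")
    present = [ntpath.join(windir, n) for n in ("Taskbar.exe", "Winstat.ini")
               if os.path.exists(ntpath.join(windir, n))]
    roots = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    run_values: Dict[str, Dict[str, str]] = {}
    for hive in HIVES:
        values: Dict[str, str] = {}
        try:
            with winreg.OpenKey(roots[hive], RUN_SUBKEY) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values under this key
                        break
                    values[name] = str(data)
                    index += 1
        except OSError:  # key absent or not readable
            pass
        run_values[hive] = values
    return windir, present, run_values


if __name__ == "__main__":
    try:
        state = collect()
    except RuntimeError:
        state = SAMPLE_INFECTED_STATE
    result = assess(*state)
    print("infected" if result["infected"] else "clean")
    for step in result["removal"]:
        print(step)
```

The plan is printed rather than executed on purpose: verify the matched paths and values first, because any unrelated Run entry whose command line contains "taskbar.exe" will also be listed.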

    Additional Windows ME/XP removal considerations