
Win32.Frethem.F@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Frethem.F@mm.

Explanation:

This is an Internet worm which spreads through e-mail as an attached file. It is written in Visual C and packed with UPX and PePack.

The format of an infected e-mail is:
From:
Subject: Re: Your password!
Body:
ATTENTION!

You can access very important information by this password

DO NOT SAVE password to disk use your mind

now press cancel

Attachments: password.txt, plus a second attachment whose name varies between versions:

B: Your password placed in password.txt yourpassword.exe
C: Your password placed in password.txt yourpassword.exe
D: decrypt-password.exe
E: Your password placed in password.txt yourpassword.exe
F: decrypt-password.exe

The first variant (Win32.Frethem.A@mm) uses the following e-mail format:
Subject: Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!

Body: Hello!

Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes!

You can open attach with web site and samples! Enjoy it!!!

www.freedesktopthemes.com

The e-mail also exploits the IFRAME vulnerability, so if the user reads the message with an unpatched version of Microsoft Outlook or Microsoft Outlook Express, the machine is infected as soon as the message is displayed in the preview pane.

The worm copies itself as setup.exe into the Startup directory of the current user profile (as shown in the Symptoms section). It sends infected e-mails through the victim's own SMTP servers, harvesting addresses from the Windows Address Book (used by Outlook Express) and from DBX files.
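The indicators listed above (the two subject lines, the per-variant attachment names, and an IFRAME in the HTML body) are enough to write a mail-filter check. The following Python is an added example, not BitDefender's code or part of this entry; the sample message is constructed to resemble the F variant and contains no real binary.

```python
import email
import re
from email import policy

# Subject lines used by variant A and by variants B..F (from the entry).
FRETHEM_SUBJECTS = {
    "re: your password!",
    "re: do your windows looks like windows xp? i have found very nice desktop themes!",
}
# Attachment names listed for variants B..F.
FRETHEM_ATTACHMENTS = {"password.txt", "yourpassword.exe", "decrypt-password.exe"}
# The preview-pane vector: an IFRAME inside the HTML body.
IFRAME_RE = re.compile(r"<\s*iframe\b", re.IGNORECASE)


def frethem_indicators(raw: bytes) -> list[str]:
    """Return the Frethem indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in FRETHEM_SUBJECTS:
        hits.append("subject")
    for part in msg.walk():  # yields the container first, then each MIME part
        name = part.get_filename()
        if name and name.lower() in FRETHEM_ATTACHMENTS:
            hits.append("attachment:" + name.lower())
        if part.get_content_type() == "text/html" and IFRAME_RE.search(part.get_content()):
            hits.append("html:iframe")
    return hits


def is_frethem_candidate(raw: bytes) -> bool:
    """A subject or attachment match is decisive; an IFRAME alone is too generic."""
    return any(not h.startswith("html:") for h in frethem_indicators(raw))


# Constructed sample in the shape of the F variant (not a real capture).
SAMPLE = b"""From: sender@example.invalid
Subject: Re: Your password!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>ATTENTION!<iframe src="cid:payload"></iframe></body></html>
--b1
Content-Type: application/octet-stream; name="decrypt-password.exe"
Content-Disposition: attachment; filename="decrypt-password.exe"

MZ-placeholder-not-a-real-binary
--b1--
"""
```

Running `frethem_indicators(SAMPLE)` returns `['subject', 'html:iframe', 'attachment:decrypt-password.exe']`; a message with only an IFRAME is not flagged by `is_frethem_candidate`.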

The author wrote in the executable:

ThAnks tO AUthOr! YOU ArE rEAllY grEAt mAn!
AlsO thAnks tO AntIvIrUs cOmpAnIEs fOr dEscrIbIng thE mAIlEr IdEA!
nO AnY dEstrUctIvE ActIOns! dOnt wArrY, bE hAppY!

Last update 21 November 2011
