
Win32.Frethem.J@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Frethem.J@mm is also known as I-Worm.Frethem, W32/Frethem.l@MM, WORM_FRETHEM.K.

Explanation :

This is a new version of Win32.Frethem.F@mm. The virus spreads through e-mail as an attached file.

The format of an infected e-mail is (the same as in the previous versions):

From:
Subject: Re: Your password!
Body:
ATTENTION!
You can access very important information by this password
DO NOT SAVE password to disk use your mind
now press cancel

Attachments: decrypt-password.exe, password.txt.

The e-mail also carries an exploit for the IFRAME vulnerability (described by Microsoft at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp), so if the user reads the e-mail with an unpatched version of Microsoft Outlook or Microsoft Outlook Express, the computer is infected as soon as the message is displayed in the preview pane.
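The message format and attachment names above are fixed across the Frethem versions, so a mail gateway or mailbox scanner can match on them directly. The following Python is an added example, not code from BitDefender or from the worm; it builds a constructed sample message with the subject, body text, attachment names and an HTML part containing an iframe, and reports which of those indicators a given raw RFC 822 message matches. The indicator names ("subject", "body-text", "attachments:...", "html-iframe") are this example's own labels.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the message format described in the advisory.
SUBJECT = "re: your password!"
BODY_PHRASES = (
    "you can access very important information by this password",
    "do not save password to disk use your mind",
)
ATTACHMENT_NAMES = {"decrypt-password.exe", "password.txt"}


def frethem_indicators(raw: bytes) -> list[str]:
    """Return the Frethem.J indicators found in a raw RFC 822 message (empty list if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == SUBJECT:
        hits.append("subject")

    attachments = set()
    text_parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:                      # any part with a filename is treated as an attachment
            attachments.add(name.lower())
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            text_parts.append(part.get_content().lower())
    body = "\n".join(text_parts)

    if any(phrase in body for phrase in BODY_PHRASES):
        hits.append("body-text")
    found = attachments & ATTACHMENT_NAMES
    if found:
        hits.append("attachments:" + ",".join(sorted(found)))
    if "<iframe" in body:             # the MS01-020 delivery relies on an IFRAME in the HTML part
        hits.append("html-iframe")
    return hits


def build_sample() -> bytes:
    """Constructed message reproducing the advisory's format (no real payload inside)."""
    msg = EmailMessage()
    msg["From"] = "victim@example.invalid"     # constructed address
    msg["To"] = "someone@example.invalid"      # constructed address
    msg["Subject"] = "Re: Your password!"
    msg.set_content(
        "ATTENTION!\n"
        "You can access very important information by this password\n"
        "DO NOT SAVE password to disk use your mind\n"
        "now press cancel\n"
    )
    msg.add_alternative('<html><body><iframe src="cid:placeholder"></iframe></body></html>',
                        subtype="html")
    msg.add_attachment(b"MZ placeholder", maintype="application", subtype="octet-stream",
                       filename="decrypt-password.exe")
    msg.add_attachment("placeholder", filename="password.txt")
    return bytes(msg)


def build_benign() -> bytes:
    """Constructed ordinary message that should match nothing."""
    msg = EmailMessage()
    msg["Subject"] = "Meeting notes"
    msg.set_content("See you at 10.")
    return bytes(msg)


if __name__ == "__main__":
    print("sample :", frethem_indicators(build_sample()))
    print("benign :", frethem_indicators(build_benign()))
```

Matching on all four indicators together keeps false positives low; a single hit (for example an iframe in an HTML newsletter) is a reason to look closer, not to quarantine on its own.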

The virus copies itself as setup.exe into the Startup directory of the current profile (as shown in the Symptoms section) and into the Windows directory as taskbar.exe. It also writes, under the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

the value Task Bar, pointing to the taskbar.exe file.

It uses the victim's SMTP servers and the e-mail addresses stored in the Windows Address Book (used by Outlook Express) and in all DBX, WAB, MBX, EML, MDB and DAT files on disk to send infected e-mails. E-mail addresses are also harvested from all files in subfolders named mail or imapmail.

The author wrote in the executable:
ThAnks tO AUthOr! YOU ArE rEAllY grEAt mAn!
AlsO thAnks tO AntIvIrUs cOmpAnIEs fOr dEscrIbIng thE mAIlEr IdEA!
nO AnY dEstrUctIvE ActIOns! dOnt wArrY, bE hAppY!

Like its previous versions, it does not infect computers on which the keyboard layouts for Russian or Uzbek are installed.

Last update 21 November 2011
