Threat Encyclopedia


Win32/Frethem.L

Aliases: W32.Frethem.K

Win32/Frethem.L is a worm that spreads as an email attachment. It targets computers running Windows 95/98/NT/2000/XP/ME. The email message has the subject "Re: Your password!" and the following message body:

ATTENTION!

You can access
very important
information by
this password

DO NOT SAVE
password to disk
use your mind

now press
cancel

The worm is the file decrypt-password.exe, 48640 bytes in size. The file is packed with the UPX compressor and, on top of that, with PE Pack; after unpacking it is more than 800 KB long. Win32/Frethem.L tries to exploit the known Internet Explorer vulnerability "Incorrect MIME Header" described in Microsoft Security Bulletin MS01-020 (www.microsoft.com/technet/security/bulletin/MS01-020.asp). Mail clients such as Outlook Express render HTML mail with the Internet Explorer engine, which is why a browser vulnerability can be reached through an email attachment. On a computer where the patch for this vulnerability has not been installed, simply viewing the message to which the worm is attached is enough to activate the worm; the user does not have to open the attachment. Because more and more worms and Trojan horses exploit this vulnerability, installing the patch is essential. The patch is available at www.microsoft.com/windows/ie/download/critical/Q290108/default.asp and is needed if you use Internet Explorer 5.01 or 5.5.
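The indicators above (the lure subject, the attachment name and size, and the MS01-020 MIME-header trick) can be checked at a mail gateway before a message ever reaches a vulnerable Outlook Express client. The following Python script is an added example, not ESET's code and not part of the original entry: it parses one message, scores the Frethem.L indicators taken from this page and, as a generic check, flags any executable attachment that is declared under a non-application/* Content-Type, which is how MS01-020 was triggered (audio/x-wav is the classic case; the page does not say which Content-Type Frethem.L uses, so that part is an assumption). The sample messages in the block are constructed for the demonstration and carry an inert byte string with only an "MZ" header, not the worm.

```python
"""Mail-gateway style check for the Win32/Frethem.L indicators described above.

Added example; the sample messages are constructed here and contain a harmless
stand-in byte string, not the worm.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the encyclopedia entry.
FRETHEM_SUBJECT = "Re: Your password!"
FRETHEM_ATTACHMENT = "decrypt-password.exe"
FRETHEM_SIZE = 48640

# Assumption (not stated on the page): MS01-020 fires when an executable
# attachment is declared under a Content-Type the browser handles "inline"
# (audio/x-wav is the classic example), so any PE payload or executable file
# name that is not declared as application/* is treated as a MIME mismatch.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")


def scan_message(raw: bytes) -> dict:
    """Return {"verdict": ..., "findings": [...]} for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = (msg.get("Subject") or "").strip()
    if subject == FRETHEM_SUBJECT:
        findings.append("Frethem.L: subject matches lure")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type().lower()
        data = part.get_payload(decode=True) or b""

        if name == FRETHEM_ATTACHMENT:
            findings.append("Frethem.L: attachment named decrypt-password.exe")
        if len(data) == FRETHEM_SIZE:
            findings.append("Frethem.L: attachment size 48640 bytes")

        # Generic check: executable content hidden behind a harmless MIME type.
        looks_like_pe = data[:2] == b"MZ"
        if (looks_like_pe or name.endswith(EXECUTABLE_EXTENSIONS)) and not ctype.startswith("application/"):
            findings.append(f"MIME mismatch: executable attachment declared as {ctype} (MS01-020 pattern)")

    frethem_hits = sum(f.startswith("Frethem.L:") for f in findings)
    if frethem_hits >= 2:
        verdict = "Win32/Frethem.L"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


def build_frethem_like_sample() -> bytes:
    """Constructed message reproducing the page's indicators with an inert payload."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = FRETHEM_SUBJECT
    msg.set_content("ATTENTION!\n\nYou can access very important information by this password\n")
    inert_payload = b"MZ" + b"\x00" * (FRETHEM_SIZE - 2)  # 'MZ' header plus filler, not a real PE
    # Declared as audio/x-wav to demonstrate the MIME mismatch check (assumed type).
    msg.add_attachment(inert_payload, maintype="audio", subtype="x-wav", filename=FRETHEM_ATTACHMENT)
    return msg.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed benign message: plain-text attachment, unrelated subject."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "me@example.com"
    msg["Subject"] = "Meeting notes"
    msg.set_content("See attached.\n")
    msg.add_attachment("Agenda for Monday\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("frethem-like", build_frethem_like_sample()), ("clean", build_clean_sample())):
        result = scan_message(raw)
        print(label, result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

The subject, name and size checks only catch this exact variant; the MIME mismatch check is the one worth keeping in a gateway rule, because it covers every worm that relies on MS01-020 regardless of file name or size, and an unpatched Internet Explorer 5.01/5.5 installation behind the gateway is exactly the case where the attachment runs without user interaction.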
 

When run, the worm reads the system registry to find the default SMTP server and the configured email address. It then copies itself under the name taskbar.exe into the directory where the operating system is installed and ensures that it is started again after every system restart by creating a value named Taskbar in the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. To spread, the worm searches files with the extensions .dbx, .wab, .mbx, .eml and .mdb on the attacked computer for email addresses and sends copies of itself to the addresses it finds there. The worm may also copy itself under the name setup.exe into the subdirectory Start Menu\Programs\Startup of the Windows installation directory, which likewise causes it to be started at each system restart. The worm body contains the following English text, including a typing error:

thAnks tO AntIvIrUs cOmpAnIEs fOr dEscrIbIng thE IdEA! nO AnY dEstrUctIvE ActIOns! dOnt wArrY, bE hAppY!

The worm also creates the file winstat.ini in the directory where Windows is installed. The NOD32 anti-virus system detects Win32/Frethem.L from version 1.284 onwards.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.