I-Worm.Frethem.Family
I-Worm.Frethem
The Frethem family of Email worms spreads via the Internet as attachments
to infected emails, the worms
themselves are Windows PE EXE files about 31-35KB in length - depending
on the worm version. They are
compressed by PE-Pack and UPX (double compression) and written in
Microsoft Visual C++.
The worms have "backdoor" routines (see below).
Infected messages have following Subject, Message body and attached files, depending on worm version:
Frethem.a:
Subject:Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Message:
Hello! Do you like modern design of new Windows XP?!
I have found FREE and easy to use
desktop themes! You can open attach with web site and samples! Enjoy it!!!
Attached:
www.freedesktopthemes.com
Frethem.b,c,f,h
Subject: Re: Your password!
Message: [empty]
Attachments: Your password placed in password.txt yourpassword.exe password.txt
Frethem.d:
Subject: Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Message: Hi! There is good news for you! Do you like modern design of new
Windows XP?! I
have found FREE and easy to use desktop themes! You can open attach with
web site and
samples! It's really cool! Enjoy it!!! Yours, %sender%
Attached:
www.xpdesktopthemes.com
Frethem.e,g,j,k,l
Subject: Re: Your password!
Message:
ATTENTION! You can access very important information by this password DO
NOT SAVE
password to disk use your mind now press cancel
Attached: decrypt-password.exe, password.txt
The attached EXE file (attached to the email messages) is the worm
itself, the attached TXT file(if it is present)
contains false text, such as:
"Your password is W8dqwq8q918213"
Running
Depending on worm version, the Internet Explorer security breach
(IFRAME vulnerability) is exploited or the
attached file may not contain any "security tricks". The worm activates
from infected email only when a user
clicks on the attached file, or it may start automatically when
an infected message is opened or previewed (in
vulnerable systems).
Once run the worm then installs itself to the system and runs its spreading routine.
Installing
First the worm checks the keyboard layouot set, in case there is
Russian or Uzbek keyboard support (codepage
419 or 843) the worm just exits without taking any action.
If no such keyboard support is present, the worm then copies itself
to the Windows startup directory under the
setup.exe name:
%windir%\Start Menu\Programs\Startup\setup.exe
If the Startup directory doesn't exist, variants "k", "l", "m" copy
themselves in the Windows directory under the
"taskbar.exe" name.
Thus the worm is run with each Windows boot-up.
Spreading
The worm uses SMTP protocol to send e-mail messages. It looks for
e-mail addresses in WAB (Windows
Address Book) files and in *.DBX email database files, and sends
infected messages to these addresses.
Backdoor The worm then downloads a specific file from the selected
URL and processes commands written
there. The main backdoor features are:
*the ability to execute requested commands on infected system
*download EXE file(s) from that site and run it ("upgrading" worm with
new version)
On activation of the backdoor routine the worm creates, in the Windows directory, two data files:
STATUS.INI and WIN64.INI
Other Details
The worm body contains the text:
thAnks tO AntIvIrUs cOmpAnIEs fOr dEscrIbIng thE
IdEA! nO AnY dEstrUctIvE ActIOns! dOnt
wArrY, bE hAppY!
This text may be written to the file winstat.ini in the Windows directory.
We thank you ALL for your kind votes which made this site FIRST in two categories.
A 10 vote = Very Good
A 1 vote = Waste of cyber Space !
ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.
IMPORTANT NOTICE:
ALL those who are receiving this advise
and in the "name" field they find 'FAILED' and a 6 or 8 digit figure
after it, should be advised that at least once, emails to that address
have been received back by us. As the list of subscribers now exceeds 100,000, and since this
is a free service, we kindly urge you to become a registered
subscriber to this service and ensure delivery by subscribing under
a reliable email address. WE REGRET THAT AS AFTER THIS ISSUE,
ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages.
PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST
PLEASE ALSO NOTE THE FOLLOWING:
1) You are currently SUBSCRIBED to our mailing list
2) If you are receiving more than one copy of this warning please click here
3) If you DO NOT wish to receive anymore of these alerts, please click here
4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be
sent to the Webmaster by themselves so that a record of all requests can be kept in case
somebody cries "SPAM" ! Simply click here
and send the email as it appears.
5) THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY
6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL
NEVER BE SOLD, EXCHANGED OR IN ANYWAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
******
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
SEE PREVIOUS VIRUS ALERT
RETURN TO VIRUS ALERT MAIN INDEX
©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.
150702/110904/051004
