Name:  W32.Frethem.l@mm
Aliases:  W32/Frethem.L-mm
Variants:  
Type:  Internet Worm
Platforms: Windows 32-bit
Status:  in the wild
Threat:  V-CON 3 (medium)
This alert is being issued due to an increase in reported incidents from our customers.
The following has been derived from information provided by McAfee and MessageLabs.
Virus Characteristics
W32.Frethem.l@mm is a variant of W32.Frethem.d@mm. The only significant difference between this variant and the others is the size of the worm file:
Frethem.l@mm is 48,640 bytes in length.
Frethem.e@mm and Frethem.f@mm are 35,840 bytes in length.
Frethem.j@mm and Frethem.k@mm are 47,616 bytes in length.
The worm arrives by email and attempts to use both an IFRAME exploit and a MIME-header exploit to run the attachment automatically when the message is read or even previewed in the mail client. Both tricks depend on the mail client rendering HTML through Internet Explorer; the MIME-header flaw is the one addressed by Microsoft bulletin MS01-020, so a patched client will not auto-execute the attachment, although a user can still launch it by hand.
The worm uses its own SMTP engine to send itself to email addresses that it finds in the Microsoft Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb files. The email message arrives with the following characteristics:
Subject:
"Re: Your password!"
Attachments:
"Decrypt-password.exe" and "Password.txt"
Message Body:
"ATTENTION!
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel"
The "Password.txt" file is not executable and does not contain viral code. However, when the "Decrypt-password.exe" attachment is executed (by the user, or automatically through the exploits above), the worm does the following:
It copies itself to the file %Windows%\taskbar.exe (C:\Windows\taskbar.exe on a default installation) and configures itself to start with Windows by adding the following value to the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Task Bar"="C:\Windows\taskbar.exe"
The worm obtains the user's SMTP server, email address, and display name from the following registry values, which belong to the first configured Outlook Express account (00000001):
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Server
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Email Address
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Display Name
The worm also obtains email addresses from the Microsoft Windows Address Book and from .dbx, .wab, .mbx, .eml, and .mdb files, and sends itself to those addresses using its own SMTP engine.
After sleeping for several hours, the worm copies itself to C:\Windows\All Users\Start Menu\Programs\Startup\Setup.exe so that it is executed each time that you start Windows.
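The persistence artifacts above (the "Task Bar" value under the HKCU Run key, %Windows%\taskbar.exe and the Startup\Setup.exe copy) are what a responder would look for on a suspect machine. The script below is an added example for this alert, not code from the alert's authors or from any vendor product. Its decision logic is a pure function, evaluate(), fed with constructed input so it can be tried anywhere; collect_windows() reads the live registry and file system and only works on a Windows host. The %Windows% location is taken from the WINDIR environment variable, and the Startup path is the Windows 9x/Me all-users layout quoted in the alert.

```python
"""Host check for the W32.Frethem.l@mm persistence artifacts in this alert.

Added example, not the alert's or any vendor's code.  evaluate() holds the
matching logic and takes already-collected evidence; collect_windows()
gathers that evidence from a live Windows host.
"""
import ntpath
import os
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # under HKCU
RUN_VALUE = "Task Bar"
DROPPED_FILE = "taskbar.exe"
# Paths relative to %Windows%, as given in the alert (Windows 9x/Me layout
# for the all-users Startup folder).
DROPPED_FILES = (
    DROPPED_FILE,
    r"All Users\Start Menu\Programs\Startup\Setup.exe",
)


def evaluate(run_values, existing_files, windir=r"C:\Windows"):
    """Match collected evidence against the alert's indicators.

    run_values:     {value name: data} from the HKCU Run key
    existing_files: full paths that exist on the host
    Returns a list of findings; an empty list means no indicator matched.
    Windows paths are case-insensitive, so everything is compared lower-cased.
    """
    findings = []
    present = {p.lower() for p in existing_files}
    for rel in DROPPED_FILES:
        full = ntpath.join(windir, rel)          # ntpath: Windows joins anywhere
        if full.lower() in present:
            findings.append("dropped file present: " + full)
    for name, data in run_values.items():
        # Match the value name the worm uses, or any Run entry that points
        # at taskbar.exe in case the name differs.
        if name.lower() == RUN_VALUE.lower() or DROPPED_FILE in str(data).lower():
            findings.append(f"Run value {name!r} -> {data!r}")
    return findings


def collect_windows():
    """Enumerate the HKCU Run key and test for the dropped files (Windows only)."""
    import winreg  # only importable on Windows
    windir = os.environ.get("WINDIR", r"C:\Windows")
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:          # no more values
                    break
                values[name] = data
                index += 1
    except OSError:                      # Run key absent
        pass
    files = [ntpath.join(windir, rel) for rel in DROPPED_FILES
             if os.path.exists(ntpath.join(windir, rel))]
    return values, files, windir


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being checked")
    hits = evaluate(*collect_windows())
    print("\n".join(hits) if hits else "no Frethem.l indicators found")
```

A match on the Run value alone is worth acting on even when taskbar.exe is absent: the worm copies Setup.exe into the Startup folder only after sleeping for several hours, so an early check may see the registry change before the second file exists.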
Payload
This is a mass-mailing Internet worm, which modifies the Windows registry and copies itself to the Windows Startup folder to allow itself to automatically launch at start up.
Preventative Measures
Since the propagation email message does not change, it can be stopped at the Internet email gateway by blocking all messages that have both of the following characteristics. Because the attachment can run on preview on an unpatched client, gateway blocking should be combined with patching the mail client's HTML renderer (Internet Explorer) and, where policy allows, stripping executable attachments in general:
Subject: "Re: Your password!"
Attachments: "Decrypt-password.exe" and "Password.txt"
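The gateway rule above, as an added example that is not part of the alert or of any vendor product. It parses a raw RFC 822 message with Python's standard email package, compares the Subject and attachment file names with the signature, and goes one step beyond the alert by also flagging any attachment whose file name has an executable extension regardless of the declared Content-Type (the IFRAME/MIME tricks rely on the declared type, so the file name is the more reliable signal). The sample message is constructed for this example: its text, subject and attachment names follow the alert, while the declared type of the .exe part and the base64 body are assumptions chosen to exercise the name-based check.

```python
"""Gateway classifier for the W32.Frethem.l@mm propagation message.

Added example, not the alert's or any vendor's code.  classify() returns
("block", reasons) or ("allow", []) for a raw message.
"""
from email import policy
from email.parser import BytesParser

SIGNATURE_SUBJECT = "re: your password!"
SIGNATURE_ATTACHMENTS = {"decrypt-password.exe", "password.txt"}
# Generic rule: file names with these extensions are blocked whatever the
# declared Content-Type says (assumed list, extend to local policy).
EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat", ".vbs")

# Constructed sample resembling the alert's message.  The audio/x-wav type on
# the .exe part is an assumption made to show that matching on the declared
# type alone would miss it; the base64 body is a harmless placeholder.
SAMPLE = b"""From: someone@example.com
To: victim@example.com
Subject: Re: Your password!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="frethem-sample"

--frethem-sample
Content-Type: text/plain; charset="us-ascii"

ATTENTION!
You can access very important information by this password
DO NOT SAVE password to disk use your mind now press cancel
--frethem-sample
Content-Type: audio/x-wav; name="Decrypt-password.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Decrypt-password.exe"

bm90IGEgcmVhbCBiaW5hcnk=
--frethem-sample
Content-Type: text/plain; name="Password.txt"
Content-Disposition: attachment; filename="Password.txt"

not-a-real-password
--frethem-sample--
"""


def attachment_names(msg):
    """Case-folded file names of every leaf MIME part that carries one
    (get_filename() checks Content-Disposition first, then Content-Type name=)."""
    names = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.add(name.strip().lower())
    return names


def classify(raw: bytes):
    """Return ("block", [reasons]) or ("allow", []) for a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg.get("subject", "")).strip().lower()
    names = attachment_names(msg)
    reasons = []
    # Exact signature from the alert: subject AND both attachment names.
    if subject == SIGNATURE_SUBJECT and SIGNATURE_ATTACHMENTS <= names:
        reasons.append("W32.Frethem.l@mm signature (subject + attachment names)")
    # Generic rule: executable file name, independent of declared type.
    for name in sorted(names):
        if name.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("executable attachment: " + name)
    return ("block" if reasons else "allow", reasons)


if __name__ == "__main__":
    verdict, why = classify(SAMPLE)
    print(verdict)
    for reason in why:
        print("  -", reason)
```

The signature rule requires both the subject and the two attachment names, as the alert specifies; the executable-extension rule is what still catches the message if a later variant changes the subject.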
Fixes Available
Network Associates:
Minimum DAT: 4212
Minimum Engine: 4.0.70
DAT Release Date: 07/17/2002
Symantec:
No information at time of alert.
Trend:
No information at time of alert.