Name:  W32.Frethem.K@mm
Aliases:  W32/Frethem.k@MM, WORM_FRETHEM.K
Variants:  
Type:  Internet Worm
Platforms: Windows 32-bit
Status:  in the wild
Threat:  V-CON 1 (low)
This alert is being issued due to increased media attention that this worm has recently received.
The following has been derived from information provided by McAfee, Symantec and Trend Micro.
Virus Characteristics
W32.Frethem.K@mm is a variant of W32.Frethem.B@mm. The worm arrives by email, and attempts to use both an IFRAME exploit and a MIME exploit to execute the virus when the message is read or even previewed in the mail client.
The worm uses its own SMTP engine to send itself to email addresses that it finds in the Microsoft Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb files. The email message arrives with the following characteristics:
Subject:
"Re: Your password!"
Attachments:
"Decrypt-password.exe" and "Password.txt"
Message Body:
"ATTENTION!
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel"
The "Password.txt" file is not executable and does not contain viral code. However, when the "Decrypt-password.exe" attachment is executed, the worm does the following:
It copies itself to the file %Windows%\taskbar.exe and configures itself to start with Windows by adding the following value under the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Task Bar"="C:\Windows\taskbar.exe"
The worm obtains the current user's SMTP server, email address and display name from the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Server
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Email Address
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Display Name
The worm also obtains email addresses from the Microsoft Windows Address Book and from .dbx, .wab, .mbx, .eml, and .mdb files, and sends itself to those addresses.
After sleeping for several hours, the worm copies itself to C:\Windows\All Users\Start Menu\Programs\Startup\Setup.exe so that it is executed each time Windows starts.
Payload
This is a mass-mailing Internet worm. It modifies the Windows registry and copies itself to the Windows Startup folder so that it launches automatically at startup.
Preventative Measures
Since the propagation email message does not change, it can be stopped at the Internet email gateway by blocking all messages with the following characteristics:
Subject: "Re: Your password!"
Attachments: "Decrypt-password.exe" and "Password.txt"
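The gateway block described above, written out as an added example (this is not code from the advisory or from any of the vendors it cites): the filter parses a raw message and flags it only when both the fixed subject and both attachment names listed under Virus Characteristics are present. The sample messages are constructed for the example, the .exe attachment is placeholder bytes rather than worm code, and build_sample is a hypothetical helper that exists only to construct those samples.

```python
"""Gateway filter for the W32.Frethem.K@mm propagation message.

Added example, not code from the original advisory or any vendor: it parses
a raw RFC 822 message and reports whether it carries the fixed subject and
attachment names the advisory lists, which is the check a mail gateway would
apply to quarantine the worm's email.
"""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

# Indicators quoted from the advisory. Filenames and subject are compared
# case-insensitively so trivial casing differences do not defeat the filter.
FRETHEM_K_SUBJECT = "Re: Your password!"
FRETHEM_K_ATTACHMENTS = frozenset({"decrypt-password.exe", "password.txt"})


def attachment_names(msg: EmailMessage) -> set[str]:
    """Collect lower-cased filenames of every leaf part that names a file.

    Walking the whole MIME tree (not just immediate sub-parts) means nested
    multipart/related or multipart/alternative wrappers cannot hide a part.
    """
    names: set[str] = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            names.add(filename.strip().lower())
    return names


def is_frethem_k(raw: bytes) -> bool:
    """Return True when the message matches the advisory's propagation pattern.

    Both indicators must be present: the subject line and both attachment
    names. A message with only one of them is left alone so the filter does
    not swallow ordinary replies that happen to share the subject.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().casefold()
    if subject != FRETHEM_K_SUBJECT.casefold():
        return False
    return FRETHEM_K_ATTACHMENTS.issubset(attachment_names(msg))


def build_sample(subject: str, attachments: dict[str, bytes]) -> bytes:
    """Hypothetical helper: build a constructed test message, not a capture."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("ATTENTION!\nYou can access very important information by this password\n")
    for name, data in attachments.items():
        if name.lower().endswith(".txt"):
            msg.add_attachment(data.decode("ascii"), subtype="plain", filename=name)
        else:
            msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples. The .exe content is placeholder bytes, not worm code.
SAMPLE_WORM_LIKE = build_sample(
    "Re: Your password!",
    {"Decrypt-password.exe": b"MZ" + b"\x00" * 14, "Password.txt": b"decoy text\n"},
)
SAMPLE_SUBJECT_ONLY = build_sample(
    "Re: Your password!", {"Password.txt": b"notes from the helpdesk\n"}
)
SAMPLE_UNRELATED = build_sample("Quarterly report", {"report.pdf": b"%PDF-1.4 placeholder"})


if __name__ == "__main__":
    for label, raw in [("worm-like", SAMPLE_WORM_LIKE),
                       ("subject only", SAMPLE_SUBJECT_ONLY),
                       ("unrelated", SAMPLE_UNRELATED)]:
        verdict = "QUARANTINE" if is_frethem_k(raw) else "deliver"
        print(f"{label:13s} -> {verdict}")
```

Requiring both attachment names alongside the subject keeps the rule tight to the unchanging message the advisory describes; a gateway that also wants to catch the variant noted under Fixes Available would need that variant's own characteristics, which this page does not list.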
Fixes Available
Network Associates:
Minimum DAT: 4208
Minimum Engine: 4.1.60
DAT Release Date: 06/19/2002
Note: Detection of variant W32/Frethem.l@MM will be included in the 4212 DAT release.
Symantec:
Beta Virus Definitions: July 15, 2002
Virus Definitions (Intelligent Updater): Expected July 15, 2002
Virus Definitions (LiveUpdate): Expected July 15, 2002
Trend:
Detected by pattern file #: 317
Detected by scan engine #: 5.200
Pattern released: July 5, 2002