I-Worm.Frethem.k [AVP], W32/Frethem.k@MM [McAfee], WORM_FRETHEM.J [Trend], W32/Frethem-Fam [Sophos], W32.Frethem.I@mm
Spreads by email; includes a backdoor component.
The worm harvests email addresses from the Windows Address Book and from files with the extensions .dbx, .wab, .mbx, .eml and .mdb.
The email has the following structure:
Subject: Re: Your password!
Body: ATTENTION! You can access very important information by this password DO NOT SAVE password to disk use your mind now press cancel
Decrypt-password.exe is a copy of the worm, a PE executable packed with UPX, about 46 kB in size. Password.txt is about 93 bytes and contains no viral code.
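As an added example that is not part of Avira's description, the following Python check flags a message matching the structure above at a mail gateway: the subject line, the two attachment names, and an exe attachment that looks like a UPX-packed PE. The 40 to 52 kB size window is an assumption around the stated ~46 kB, and the sample message built by `build_sample` is constructed for the demonstration, not a real capture.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
FRETHEM_SUBJECT = "Re: Your password!"
FRETHEM_ATTACHMENTS = {"decrypt-password.exe", "password.txt"}
FRETHEM_EXE_SIZE = (40_000, 52_000)   # assumed window around the ~46 kB worm copy

def frethem_indicators(raw: bytes) -> list[str]:
    """Return the Frethem indicators found in one RFC 822 message (empty list if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() == FRETHEM_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name not in FRETHEM_ATTACHMENTS:
            continue
        hits.append(f"attachment:{name}")
        if name.endswith(".exe"):
            data = part.get_payload(decode=True) or b""
            # A DOS/PE "MZ" header plus UPX section names is what a UPX-packed copy looks like.
            if data.startswith(b"MZ") and b"UPX" in data:
                hits.append("upx-packed-pe")
            lo, hi = FRETHEM_EXE_SIZE
            if lo <= len(data) <= hi:
                hits.append("size-match")
    return hits

def build_sample(exe_bytes: bytes) -> bytes:
    """Constructed message mimicking the worm's email structure (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = FRETHEM_SUBJECT
    msg.set_content("ATTENTION! You can access very important information by this password")
    msg.add_attachment(exe_bytes, maintype="application", subtype="octet-stream",
                       filename="Decrypt-password.exe")
    msg.add_attachment(b"constructed harmless text", maintype="application",
                       subtype="octet-stream", filename="password.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    # Constructed stand-in for the packed executable: MZ header, a UPX section name, padding.
    fake_exe = b"MZ" + b"\0" * 100 + b"UPX0" + b"\0" * 46_000
    print(frethem_indicators(build_sample(fake_exe)))
```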
When activated, Worm/Frethem.001 copies itself to:
It sets the following autostart entry so that the copy is launched at every logon:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "%Windows%\taskbar.exe"
The worm reads the SMTP server, sender email address and display name of the default mail account from the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Server
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Email Address
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Display Name
The worm creates the mutex "IEXPLORE_MUTEX_AABBCCDDEEFF", which allows only one instance of the worm to run on the system at a time.
The worm tries to contact several servers on port 80 to download compressed files; these files appear to contain instructions for the backdoor component.
After a pause of several hours, the worm copies itself to the following autostart location:
C:\Windows\All Users\Start Menu\Programs\Startup\Setup.exe
Description inserted by Crony Walker on Tuesday, June 15, 2004