Need help? Ask the community or hire an expert.
Go to Avira Answers
Alias:W32.Frethem.E@mm, I-Worm.Frethem.e, W32/Frethem, W32.Frethem.F@mm
Type:Worm 
Size:35,840 Bytes 
Origin: 
Date:00-00-0000 
Damage:Sent by email. 
VDF Version:  
Danger:Low 
Distribution:High 

DistributionThe worm collects email addresses from Windows Address Book and files of type .dbx. The email sent bu the worm looks like this:

Subject: Re: Your password!

Body: ATTENTION! You can access very important information by this password DO NOT save password to disk use your mind now press cancel

Attachment:
Decrypt-password.exe
Password.txt

Decrypt-password.exe is a 35 kB worm copy, packed with UPX and PE.
Password.txt is a non-viral 93 Bytes file.

Technical DetailsWhen activated, the worm gets information about the SMTP server, email addresses and SMTP server name from the following registry entries: HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Server HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Email Address HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Display Name

The mutex "IEXPLORE_MUTEX_AABBCCDDEEFF" allows only one active version of the worm on the same computer.

After some hours, the worm copies itself in:
C:\Windows\All Users\Start Menu\Programs\Startup\Setup.exe
to ensure automatic start.
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .