Worm/Frethem.l - Worm
Alias:
Type: Worm
Size: 48.640 Bytes
Origin:
Date: 07-15-2002
Damage: Spreads by email.
VDF Version: 6.23.00.00
Danger: Low
Distribution: Low
Distribution
Worm/Frethem.l sends itself by email, using its own SMTP engine. It finds email addresses in the Windows Address Book or in files of type .dbx, .wab, .mbx, .mdb and .eml. The email has the following structure:
Subject: Re:Your password!
Body: ATTENTION! You cann access very important information by this password DO NOT SAVE password to disk use your mind now press cancel
Attachment:
Decrypt-password.exe
Passwort.txt
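A mail-gateway style check for the message structure described above, as an added example that is not part of the original description. The function names, the case- and whitespace-insensitive matching, and the constructed sample messages are assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the description above.
SUBJECT = "Re:Your password!"
ATTACHMENTS = {"decrypt-password.exe", "passwort.txt"}

def _norm(text):
    """Assumption: compare case-insensitively and ignore whitespace,
    so a client that renders 'Re: Your password!' still matches."""
    return re.sub(r"\s+", "", text or "").lower()

def frethem_indicators(raw):
    """Return the indicators from the description found in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if _norm(msg["Subject"]) == _norm(SUBJECT):
        hits.append("subject")
    for part in msg.walk():  # covers nested multipart bodies too
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits

def is_suspect(raw):
    """Quarantine only when subject and the executable attachment both match."""
    hits = frethem_indicators(raw)
    return "subject" in hits and "attachment:decrypt-password.exe" in hits

def sample(subject, files):
    """Build a constructed message with placeholder attachment bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content("constructed sample body")
    for f in files:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=f)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, files in [("Re: Your Password!", ["DECRYPT-PASSWORD.EXE", "Passwort.txt"]),
                        ("Re:Your password!", ["notes.txt"]),
                        ("Quarterly report", ["report.pdf"])]:
        raw = sample(subj, files)
        print(subj, files, frethem_indicators(raw), is_suspect(raw))
```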
Technical Details
Worm/Frethem.l is a 48.640 Bytes file, packed with PE and UPX.
When the attachment Decrypt-password.exe is opened, the worm copies itself to the Windows directory as Taskbar.exe and adds the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Task Bar=C:\Windows\Taskbar.exe
To spread by email, Worm/Frethem.l uses the local user's SMTP settings, which it reads from the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Server
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Display Name
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Email Address
Description inserted by Crony Walker on Tue, 15 Jun 2004 14:00 (GMT+1)
© 2010 Avira GmbH