Alias:W32.Frethem.K@mm, I-Worm.Frethem.l [KAV], W32/Frethem.l@MM [McAfee], WORM_FRETHEM.K [Trend], W32/Frethem-Fam [Sophos], Win32.Frethem.K [CA], W32/Frethem.K [Panda], W32/Frethem.L [F-Prot]
Type:Worm 
Size:48,640 Bytes 
Origin: 
Date:00-00-0000 
Damage:Sent by email. 
VDF Version:  
Danger:Low 
Distribution:Low 

DistributionThe worm searches for email addresses in Windows Address Book and files of type: .dbx .wab .mbx .eml .mdb
The email has the following structure:

Subject: Re: Your password!

Body: ATTENTION! You can access very important information by this password DO NOT SAVE password to disk use your mind now press cancel

Attachment:
Decrypt-password.exe
Password.txt

Decrypt-password.exe is a worm copy, packed with UPX and PE, having ~48 kB. Password.txt is ~ 93 Bytes, but has no virus content.

Technical DetailsWhen activated, Worm/Frethem.010 copies itself in:
%WinDIR%\Taskbar.exe

It changes the following autostart entry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Task Bar %WinDIR%\taskbar.exe

The worm receives information about SMTP server, email addresses and server name from the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Server

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Email Address

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Display Name

The worm uses the mutex "IEXPLORE_MUTEX_AABBCCDDEEFF" which allwos only one active version of the worm on the system.

After some hours break, the worm copies itself for autostart, in:
C:\Windows\All Users\Start Menu\Programs\Startup\Setup.exe
Descripción insertada por Crony Walker el martes 15 de junio de 2004

Volver . . . .