Alias: I-Worm.Frethem.k [AVP], W32/Frethem.k@MM [McAfee], WORM_FRETHEM.J [Trend], W32/Frethem-Fam [Sophos], W32.Frethem.I@mm
Size: 47,616 Bytes
Damage: Sent by email, Backdoor component.
VDF Version:  

Distribution

The worm searches for email addresses in the Windows Address Book and in files of type: .dbx .wab .mbx .eml .mdb
The email has the following structure:

Subject: Re: Your password!

Body: ATTENTION! You can access very important information by this password DO NOT SAVE password to disk use your mind now press cancel


Decrypt-password.exe is a copy of the worm, packed with UPX and PE, about 46 kB in size. Password.txt is about 93 bytes and has no virus content.

Technical Details

When activated, Worm/Frethem.001 copies itself in:

It changes the following autostart entry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "%Windows%\taskbar.exe"

The worm reads information about the SMTP server, email addresses and server name from the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Server

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Email Address

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Display Name

The worm uses the mutex "IEXPLORE_MUTEX_AABBCCDDEEFF", which allows only one active instance of the worm on the system.

The worm tries to contact some servers on port 80, for downloading compressed files. These files seem to contain backdoor instructions.

After a break of some hours, the worm copies itself, for autostart, to:
C:\Windows\All Users\Start Menu\Programs\Startup\Setup.exe
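
The following check is an added example, not part of the original description: it scans a text registry export and a file inventory for the autostart entry and the Startup copy listed above. The function names, the sample value names and the default Windows directory (C:\Windows) are assumptions; a real .reg export is UTF-16 and must be decoded before it is passed in.

```python
import re
from ntpath import basename, dirname, normcase

# Indicators taken from the description above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP_COPY = r"C:\Windows\All Users\Start Menu\Programs\Startup\Setup.exe"
WORM_SIZE = 47616  # bytes

# Constructed sample input: value names and the second entry are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Task Bar"="C:\\WINDOWS\\taskbar.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
SAMPLE_FILES = {STARTUP_COPY: 47616, r"C:\Windows\explorer.exe": 1032192}

def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and key:
            # .reg files escape backslashes and quotes with a backslash
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, data

def find_indicators(reg_text, files, windows_dir=r"C:\Windows"):
    """files maps path -> size in bytes; returns a list of finding strings."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if normcase(key) != normcase(RUN_KEY):
            continue
        target = data.strip('"')
        if (normcase(basename(target)) == "taskbar.exe"
                and normcase(dirname(target)) == normcase(windows_dir)):
            findings.append(f"run-key:{name}")
    for path, size in files.items():
        if normcase(path) == normcase(STARTUP_COPY):
            tag = "size-match" if size == WORM_SIZE else "size-differs"
            findings.append(f"startup-copy:{tag}")
    return findings
```
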
Description inserted by Crony Walker on Tuesday, 15 June 2004
