Alias:
Type: Worm
Size: 48.640 Bytes
Origin:
Date: 07-15-2002
Damage: Spreads by email.
VDF Version: 6.23.00.00
Danger: Low
Distribution: Low

Distribution

Worm/Frethem.l sends itself by email, using its own SMTP engine. It collects email addresses from the Windows Address Book and from files of type .dbx, .wab, .mbx, .mdb and .eml. The email has the following structure:

Subject: Re:Your password!

Body: ATTENTION! You cann access very important information by this password DO NOT SAVE password to disk use your mind now press cancel

Attachment:
Decrypt-password.exe
Passwort.txt
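
A mail-gateway style check for the message layout described above, as an added example (not part of the original description and not vendor code). The function names, the sample addresses and the placeholder attachment bytes are assumptions made for the illustration; only the subject and attachment names come from this page.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators copied from the description above; compared case-insensitively.
SUBJECT = "re:your password!"
ATTACHMENTS = {"decrypt-password.exe", "passwort.txt"}


def frethem_indicators(raw_message):
    """Return the described indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():  # visits every MIME part, nested ones included
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits


def is_suspect(raw_message):
    """Quarantine on the executable alone, or on the subject plus a listed attachment."""
    hits = frethem_indicators(raw_message)
    return "attachment:decrypt-password.exe" in hits or (
        "subject" in hits and len(hits) > 1)


def build_sample(subject, attachment_names):
    """Constructed test message (assumption: addresses and payload are placeholders)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("constructed body")
    for name in attachment_names:
        m.add_attachment(b"placeholder, not malware", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_string()


if __name__ == "__main__":
    for subj, names in [("Re:Your password!", ["Decrypt-password.exe", "Passwort.txt"]),
                        ("Re:Your password!", []),
                        ("Lunch?", ["notes.txt"])]:
        raw = build_sample(subj, names)
        print(subj, names, "->", frethem_indicators(raw), is_suspect(raw))
```

The subject on its own is not treated as sufficient, since a legitimate reply can carry the same subject line; the executable attachment name is.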

Technical Details

Worm/Frethem.l is a 48.640 Bytes file, packed with PE and UPX.
When the attachment Decrypt-password.exe is opened, the worm copies itself to the Windows directory as Taskbar.exe and adds the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Task Bar=C:\Windows\Taskbar.exe


To spread by email, Worm/Frethem.l uses the local user's SMTP settings, which it reads from the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Server
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Display Name
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Email Address

Description inserted by Crony Walker on Tuesday 15 June 2004
