| Name | Win32.Frethem.J Worm |
| Threat Level |  |
| Alias | W32.Frethem.J@mm, WORM_FRETHEM.J |
| Date | 15 July, 2002 |
| Type | Win32, Worm |
| Damage | Sends emails, creates files |
| Platform | 95, 98, ME, NT, 2000, XP |
Analysis
Win32.Frethem.J is a variant of the Win32.Frethem.E worm. It arrives as an email with an executable file attachment and exploits a MIME-type handling vulnerability in MS Outlook and Outlook Express. The worm uses its own internal SMTP engine to spread itself.
The arriving email will have the following characteristics:
Sender: The sender of this message is usually the person whose machine is infected by this threat.
Subject: Re: Your password!
Message body:
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel
Attached Files: Decrypt-password.exe, Password.txt
Malicious Activity
When the file Decrypt-password.exe is executed it does the following:
1. It drops the file taskbar.exe in the Windows directory.
2. Creates a registry entry to run the malicious code at boot time.
3. Sends emails in the above format to all email addresses located in Microsoft Windows Address Book and from .dbx files.
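The email characteristics listed above (subject, body, attachment names) and the host-side artifacts from steps 1 and 2 (a dropped taskbar.exe plus a boot-time registry entry) are what a defender would turn into detection rules. The script below is an added example, not part of the original advisory or eSafe's own code: a small mail-gateway classifier that parses a message and scores it against the worm's indicators, plus a check that scans a registry export for a Run-key value referencing the dropped file. The sample message and the registry export are constructed here for illustration; the advisory does not name the registry key or value the worm uses, so the `...\CurrentVersion\Run` location and the value name "Task Bar" are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory above.
WORM_SUBJECT = "Re: Your password!"
WORM_ATTACHMENTS = {"decrypt-password.exe", "password.txt"}
DROPPED_FILE = "taskbar.exe"
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def build_sample(subject, attachments):
    """Construct a test message (not a real capture) in the advisory's format."""
    msg = EmailMessage()
    msg["From"] = "infected-user@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(
        "You can access\nvery important\ninformation by\nthis password\n"
        "DO NOT SAVE\npassword to disk\nuse your mind\nnow press\ncancel\n"
    )
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def classify_message(raw):
    """Score a raw RFC 822 message against the Frethem.J indicators.

    Returns a dict with the individual matches and an overall verdict:
    'block' (known worm indicators), 'flag' (unknown executable attachment)
    or 'allow'.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    names = {(part.get_filename() or "").lower()
             for part in msg.iter_attachments()}
    matched = names & WORM_ATTACHMENTS
    has_exe = any(n.endswith(EXECUTABLE_SUFFIXES) for n in names)
    subject_match = subject == WORM_SUBJECT

    if matched or (subject_match and has_exe):
        verdict = "block"
    elif has_exe:
        verdict = "flag"
    else:
        verdict = "allow"
    return {
        "subject_match": subject_match,
        "matched_attachments": sorted(matched),
        "executable_attachment": has_exe,
        "verdict": verdict,
    }


def find_run_key_entries(reg_text, dropped_file=DROPPED_FILE):
    """Scan a .reg-style export for Run/RunOnce values that launch the dropped file.

    Returns a list of (key, value_name, data) tuples. The parser only handles
    the simple quoted-string lines regedit writes for REG_SZ values.
    """
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if not current_key or "=" not in line:
            continue
        leaf = current_key.lower().rsplit("\\", 1)[-1]
        if leaf not in ("run", "runonce"):
            continue
        name, _, data = line.partition("=")
        if dropped_file.lower() in data.lower():
            hits.append((current_key, name.strip('"'), data.strip('"')))
    return hits


# Constructed registry export; key location and value name are assumptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Task Bar"="C:\\WINDOWS\\taskbar.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Unrelated"="C:\\WINDOWS\\taskbar.exe"
"""

if __name__ == "__main__":
    worm = build_sample(WORM_SUBJECT, [("Decrypt-password.exe", b"MZ"), ("Password.txt", b"x")])
    print(classify_message(worm))
    print(find_run_key_entries(SAMPLE_REG))
```

The gateway check matches on the exact subject and attachment names the advisory lists, and treats any executable attachment carrying the worm's subject as a block as well, so a renamed second attachment does not slip through. The registry scan deliberately ignores hits outside Run/RunOnce keys, which is why the constructed Uninstall entry is not reported.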
eSafe Users
The files Decrypt-password.exe and Password.txt were added to the 'Known vandals' list for eSafe Gateway and eSafe Mail. You can use the 'Update now' button in the administrator's menu in eConsole.
eSafe Gateway 3.x and eSafe Mail
You can use the "Update now" option from within the product eConsole.
New Users
More information about eSafe Content Security Products as well as trial versions is available from here.