Date: Tue, 16 Jul 2002 16:41:47 -0400 (EDT)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: Frethem Worm Virus Alert

------------------------
FRETHEM WORM VIRUS ALERT
------------------------

The Frethem Worm was first detected in mid June, but did not become very
widespread until the appearance of the Frethem.K variant on July 15. The
anti-virus software vendors each have their own names for the Frethem
Worm, but all contain the word "frethem".

The Frethem Worm infects only PCs using the Microsoft Windows operating
system. It does not infect Macintosh or Unix computers.

How the Frethem Worm Spreads
----------------------------

This describes the Frethem.K variant, the most common variant as of the
time of this message. Earlier Frethem variants may differ in some details.

When Frethem infects a PC it makes a list of all e-mail addresses found in
the Windows Address Book, in saved e-mail, and in other files on the PC's
hard disk. It then sends infected e-mail to all those addresses. It does
this each time the infected PC is started up and connected to the
Internet, without the knowledge of the PC's owner. It does not infect
e-mail sent intentionally by the PC's owner.

The infected e-mail has the following characteristics:

Sender Address:   The address on the "From:" line is the e-mail address
                  of the infected PC's owner.

Subject:          Re: Your password!

Message Text:     May be completely blank, or may be the following:

                      ATTENTION!
                      You can access very important information by this password
                      DO NOT SAVE password to disk use your mind now press cancel

File Attachments: decrypt-password.exe (approx 48 kilobytes)
                  password.txt (approx 93 bytes)

It is the file "decrypt-password.exe" that carries the infection.

If you receive an e-mail matching the above characteristics, delete it.
DO NOT open (run or execute) the "decrypt-password.exe" file attachment.
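A mail-filter check for the message characteristics listed above, as an added example that is not part of this notice. The sample messages are constructed inside the code; the subject line, attachment name and body text come from the notice, while the decision rule (quarantine on the known attachment name, or on the worm's subject line together with any executable attachment) is an assumption.

```python
import email
from email import policy
from email.message import EmailMessage

# Traits of Frethem.K mail as listed in the notice (compared case-insensitively).
FRETHEM_SUBJECT = "re: your password!"
FRETHEM_ATTACHMENT = "decrypt-password.exe"
FRETHEM_BODY_FRAGMENT = "access very important information by this password"


def frethem_indicators(raw: bytes) -> set:
    """Return the set of Frethem.K traits present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if (msg["Subject"] or "").strip().lower() == FRETHEM_SUBJECT:
        hits.add("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and FRETHEM_BODY_FRAGMENT in body.get_content().lower():
        hits.add("body-text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == FRETHEM_ATTACHMENT:
            hits.add("attachment:decrypt-password.exe")
        elif name.endswith(".exe"):
            hits.add("attachment:other-exe")  # any executable deserves a closer look
    return hits


def should_quarantine(raw: bytes) -> bool:
    """Assumed filter rule: the known attachment name alone is enough, and the
    worm's subject line plus any executable attachment is also enough."""
    hits = frethem_indicators(raw)
    return ("attachment:decrypt-password.exe" in hits
            or ("subject" in hits and "attachment:other-exe" in hits))


def build_sample(subject: str, body: str, attachments: list) -> bytes:
    """Build a constructed test message (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "owner@example.net"   # the worm uses the infected owner's address
    msg["To"] = "recipient@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    for name, data in attachments:   # (filename, bytes) pairs
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Run it over a mail spool or at the MTA content-filter stage; messages where `should_quarantine` is true should be held rather than delivered.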
How The Frethem Worm Infects A PC
---------------------------------

If the recipient of a Frethem infected message opens (runs or executes)
the file attachment "decrypt-password.exe", his/her PC will be infected.

Even if the recipient does not consciously open the attachment, Frethem is
able to exploit a bug in certain versions of Internet Explorer that causes
the file attachment to open automatically if the infected message is
displayed or previewed.

Outlook and Outlook Express use Internet Explorer as a "helper program" to
open certain types of file attachments. Several versions of Internet
Explorer have a bug that makes it possible for a certain type of e-mail
file attachment to open automatically even when the "auto open" option is
disabled in Outlook or Outlook Express.

The Explorer bug has been widely publicized, and Microsoft provides a
patch for the affected versions of Internet Explorer, but unfortunately a
lot of people are still running buggy unpatched copies of Explorer.

The bug is present in Internet Explorer 5.01 (unless Service Pack 2 has
been applied) and Internet Explorer 5.5. The patch is available for
download from the Microsoft TechNet Web site at:

    http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

An increasing number of viruses exploit this bug, so if you use one of the
affected versions of Internet Explorer you should apply the patch or
install a newer version of Explorer.

Microsoft no longer supports versions of Internet Explorer prior to 5.01
so will not say whether they are affected, but it is generally assumed
that they are. If you have an older version you should upgrade to a newer
one.

What Frethem Does To The Infected PC
------------------------------------

When the Frethem Worm installs itself on a PC, it creates a Windows
Registry entry that causes it to be run every time the PC is started up.
This means every time an infected PC is started up and connected to the
Internet, it sends out infected e-mail as described earlier.

The Frethem Worm does not seem to damage the infected PC in any way.
However, as more and more PCs become infected, the large volume of e-mail
generated each time those PCs are started up will cause unnecessary load
on mail servers and networks, and will increase the risk of other PCs
becoming infected.

How To Protect Your PC From Frethem Worm Infection
--------------------------------------------------

If you have anti-virus software on your PC, *and* if it is configured to
scan incoming e-mail for viruses, *and* if its virus description database
is up to date enough to know about the Frethem Worm, then it will stop
Frethem before it can infect your PC.

However, the virus description database must be very recent. Frethem.A
was discovered and described by the major anti-virus software vendors in
mid June, and the current Frethem.K variant was discovered only yesterday
(July 15). A virus definition database that predates the discovery of the
latest Frethem variant will prevent your anti-virus software from
providing protection against Frethem. We recommend that you update your
virus definition database at least once a week, although given the rate
at which new PC viruses appear, once a day would be even better.

If you use Microsoft Internet Explorer and Outlook or Outlook Express,
make sure your copy of Explorer is a version that will not open certain
file types automatically, as described above under "How The Frethem Worm
Infects A PC". If you have a version of Internet Explorer affected by the
"auto-open bug", either apply the patch to fix the bug, or upgrade to a
newer version of Explorer.

In the final analysis you are your own best defense against virus
infection. All it takes is a bit of common sense.
Infected e-mail sent by the Frethem Worm shows the e-mail address of the
infected PC's owner on the "From:" line, so an infected message may appear
to be from someone you know. If you receive a message containing a file
attachment, *do not* open (run or execute) the attachment unless the
sender is known to you *and* you are expecting a file attachment from
that person *and* the sender clearly identifies the nature of the file
attachment in the text of the message.

For More Information
--------------------

See the following URLs for general descriptions of all Frethem Worm
variants:

    http://www.F-Secure.com/v-descs/frethem.shtml
    http://www.sophos.com/virusinfo/analyses/w32frethemfam.html

See the following URLs for information specifically about the Frethem.K
Worm, the variant seen most often as of the time of this message:

    http://www.symantec.com/avcenter/venc/data/w32.frethem.k@mm.html
    http://vil.mcafee.com/dispVirus.asp?virus_k=99565
    http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=94
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FRETHEM.K

-- 
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179
U.S.A.

CONTACTS:
--------
Web Site:                          http://www.bcpl.net
Administration & Policy:           ispadmin@bcpl.net    410-887-6180
Sales, Renewals, Account Status:   accounts@bcpl.net    410-887-4172
Technical Support (Help Desk):     help@bcpl.net        410-887-3297
Usenet News Newsgroup Requests:    news-admin@bcpl.net  410-887-6180
E-Mail & Newsgroup Abuse Reports:  abuse@bcpl.net       410-887-6180
Domain Name Service Issues:        dnsadmin@bcpl.net    410-887-6180
FAX:                               410-887-2091