[MIham] W32.Frethem.K (Virus Alert)
Frank N8UVI
Frank N8UVI" <[email protected]
Mon, 15 Jul 2002 18:37:15 -0400
W32.Frethem.K@mm
Discovered on: July 15, 2002
Last Updated on: July 15, 2002 09:59:17 AM PDT
W32.Frethem.K@mm is a worm, and is a variant of W32.Frethem.B@mm. It uses
its own SMTP engine to send itself to email addresses that it finds in the
Microsoft Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb
files. The email message arrives with the following characteristics:
Subject: Re: Your password!
Attachments: Decrypt-password.exe and Password.txt
Also Known As: I-Worm.Frethem.l [AVP], W32/Frethem.l@MM [McAfee],
WORM_FRETHEM.K [Trend], W32/Frethem-Fam [Sophos]
Type: Worm
Infection Length: 48,640 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows
XP, Windows Me
Systems Not Affected: Macintosh, Unix, Linux
CVE References: CVE-2001-0154
Beta Virus Definitions
July 15, 2002
Virus Definitions (Intelligent Updater) *
July 15, 2002
Virus Definitions (LiveUpdateT) **
July 15, 2002
*
Intelligent Updater virus definitions are released daily, but require
manual download and installation.
Click here to download manually.
**
LiveUpdate virus definitions are usually released every Wednesday.
Click here for instructions on using LiveUpdate.
Wild
Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
Threat Metrics
Wild:
Low
Damage:
Low
Distribution:
High
Damage
Payload:
Large scale e-mailing: Sends to email addresses found in the Windows Address
Book and .dbx .wab, .mbx, .eml, and .mdb files.
Distribution
Subject of email: Re: Your password!
Name of attachment: Decrypt-password.exe , Password.txt
Size of attachment: 48,640 bytes
When this worm is executed, it does the following:
It copies itself to the file %windir%\Taskbar.exe
NOTE: %windir% is a variable. The worm locates the Windows main installation
folder (by default this is C:\Windows or C:\Winnt) and copies itself to that
location.
It then configures itself to start when you start Windows by adding the
value:
Task Bar %windir%\taskbar.exe
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Next, the worm obtains the computer user's SMTP server, email address, and
SMTP server name from the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\00000001\SMTP Server
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\00000001\SMTP Email Address
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\00000001\SMTP Display Name
The worm then obtains email addresses from the Microsoft Windows Address
Book and from .dbx, .wab, .mbx, .eml, and .mdb files, and sends itself to
those addresses. The email message has the following characteristics:
Subject: Re: Your password!
Message:
ATTENTION!
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel
Attachments:
Decrypt-password.exe
Password.txt
NOTE: The Decrypt-password.exe attachment is a copy of the worm. It is
packed with UPX and PE-Pack, and its size is approximately 48 KB. The second
attachment, Password.txt, is a text file that is approximately 93 bytes in
length. Password.txt is not viral by itself as such, it is not detected by
Symantec antivirus products. However, if the computer was infected by
W32.Frethem.K@mm worm, you should delete the file manually.
When the worm arrives by email, it uses both an IFRAME exploit and a MIME
exploit, which allow the virus to be executed when you read or even preview
the file. Information and a patch for MIME exploit can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
The worm creates the "IEXPLORE_MUTEX_AABBCCDDEEFF" mutex. This mutex allows
only one instance of the worm to execute in memory.
After sleeping for several hours, the worm copies itself to C:\Windows\All
Users\Start Menu\Programs\Startup\Setup.exe so that it is executed each time
that you start Windows.
Symantec Security Response encourages all users and administrators to adhere
to the following basic security "best practices":
Turn off and remove unneeded services. By default, many operating systems
install auxiliary services that are not critical, such as an FTP server,
telnet, and a Web server. These services are avenues of attack. If they are
removed, blended threats have less avenues of attack and you have fewer
services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block
access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host
public services and are accessible through the firewall, such as HTTP, FTP,
mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack
password files on compromised computers. This helps to prevent or limit
damage when a computer is compromised.
Configure your email server to block or remove email that contains file
attachments that are commonly used to spread viruses, such as .vbs, .bat,
.exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your
organization. Perform a forensic analysis and restore the computers using
trusted media.
Train employees not to open attachments unless they are expecting them.
Also, do not execute software that is downloaded from the Internet unless it
has been scanned for viruses. Simply visiting a compromised Web site can
cause infection if certain browser vulnerabilities are not patched.
NOTE: These instructions are for all current and recent Symantec antivirus
products, including the Symantec AntiVirus and Norton AntiVirus product
lines.
1. Update the virus definitions, run a full system scan. Delete all files
that are detected as W32.Frethem.K@mm.
2. Delete the value
Task Bar
from the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
For details on how to do this, read the following instructions.
To scan for and delete the infected files:
1. Obtain the most recent virus definitions. There are two ways to do this:
Run LiveUpdate, which is the easiest way to obtain virus definitions. These
virus definitions have undergone full quality assurance testing by Symantec
Security Response and are posted to the LiveUpdate servers one time each
week (usually Wednesdays) unless there is a major virus outbreak. To
determine whether definitions for this threat are available by LiveUpdate,
look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
Download the definitions using the Intelligent Updater. Intelligent Updater
virus definitions have undergone full quality assurance testing by Symantec
Security Response. They are posted on U.S. business days (Monday through
Friday). They must be downloaded from the Symantec Security Response Web
site and installed manually. To determine whether definitions for this
threat are available by the Intelligent Updater, look at the Virus
Definitions (Intelligent Updater) line at the top of this write-up.
Intelligent Updater virus definitions are available here. For detailed
instructions on how to download and install the Intelligent Updater virus
definitions from the Symantec Security Response Web site, click here.
2. Start your Symantec antivirus program, and make sure that it is
configured to scan all files.
Norton AntiVirus Consumer products: Read the document How to configure
Norton AntiVirus to scan all files.
Symantec Enterprise antivirus products: Read the document How to verify a
Symantec Corporate antivirus product is set to scan All Files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Frethem.K@mm.
NOTE: If NAV reports that it cannot delete an infected file, you must shut
down the computer, turn off the power, and wait 30 seconds. Then restart the
computer in Safe mode and run the scan again. All Windows 32-bit operating
systems except Windows NT can be restarted in Safe mode. For instructions on
how to do this, read the document How to start the computer in Safe Mode.
To remove the value from the registry:
CAUTION: Symantec strongly recommends that you back up the registry before
you make any changes to it. Incorrect changes to the registry can result in
permanent data loss or corrupted files. Modify only the keys that are
specified. Read the document How to make a backup of the Windows registry
for instructions.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the following value:
Task Bar
5. Click Registry, and click Exit.
Visit My Web Site at: http://www.qsl.net/n8uvi
ASCII ART RADIO SOCIETY #111
GOT ROOT!!!
C:\DOS C:\DOS\RUN RUN\DOS\RUN
Beam Me up Scotty, There's no intelligent Life Down Here!!!
The person that doesn't do anything, Doesn't make mistakes!
Give me a firm spot on which to stand, and I will move the earth.
--Archimedes--
Physical concepts are free creations of the human mind, and are not, however
it may seem, uniquely determined by the external world.
--Albert Einstein--