| Frethem | |
|---|---|
| Type | Mass mailer worm |
| Creator | |
| Date Discovered | 2002.06.03 |
| Place of Origin | |
| Source Language | |
| Platform | MS Windows |
| File Type(s) | .bat, .cmd, .com, .exe |
| Infection Length | 31,232 bytes |
| Reported Costs | |
Frethem was a common worm from 2002. Some variants are able to infect a system when the email they arrive in is simply opened.
Behavior
Frethem arrives in an email with a subject line of "Do your Windows looks like Windows XP? I have found very nice desktop themes!" The attachment name is www.freedesktopthemes followed by a random number, with an extension of .bat, .cmd, .com or .exe. The message body is:
Hello!
Do you like modern design of new Windows XP?! I
have found FREE and easy to use desktop themes!
You can open attach with web site and samples!
Enjoy it!!!
When Frethem is executed, it creates a mutex named IEXPLORE_MUTEX_AABBCCDDEEFF to ensure only one copy of the worm runs in memory at any given time. It displays a message box with no text except on the OK button, and a yellow triangle with an exclamation mark. It sleeps for several hours, then copies itself to the start menu's startup folder, ensuring it runs when the system starts.
The worm checks the registry for the SMTP server and email addresses. It checks for email addresses in the Address Book as well as .dbx files, then sends itself to these addresses.
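The email characteristics above (fixed subject line, www.freedesktopthemes attachment name with a numeric suffix and a .bat/.cmd/.com/.exe extension, and the boilerplate body) are enough for a mail gateway to flag this worm's messages. The following Python script is an added example of such indicator matching; it is not code from the original page, from Symantec, or from any antivirus product. The sample messages it builds are constructed test data, not real captures, and the requirement of two matching indicators before flagging is an assumed threshold chosen to avoid acting on the subject line alone.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the page's description of the Frethem.A email.
FRETHEM_SUBJECT = (
    "Do your Windows looks like Windows XP? I have found very nice desktop themes!"
)
# Attachment: "www.freedesktopthemes" + random number + .bat/.cmd/.com/.exe
ATTACHMENT_RE = re.compile(
    r"^www\.freedesktopthemes\d+\.(bat|cmd|com|exe)$", re.IGNORECASE
)
# Two distinctive fragments of the message body quoted on the page.
BODY_MARKERS = (
    "FREE and easy to use desktop themes",
    "You can open attach with web site",
)


def attachment_names(msg):
    """Return the filenames of every attachment part in a parsed message."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify(raw_bytes):
    """Parse one raw RFC 822 message and return the list of matched indicators."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []

    # Headers may have been folded in transit; collapse whitespace before comparing.
    subject = " ".join((msg["Subject"] or "").split())
    if subject == FRETHEM_SUBJECT:
        hits.append("subject")

    for name in attachment_names(msg):
        if ATTACHMENT_RE.match(name):
            hits.append(f"attachment:{name}")

    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part else ""
    if all(marker in text for marker in BODY_MARKERS):
        hits.append("body")

    return hits


def is_frethem_like(raw_bytes, min_hits=2):
    """Flag a message when at least min_hits indicators match (assumed threshold)."""
    return len(classify(raw_bytes)) >= min_hits


def build_sample(subject, attachment_name, body):
    """Construct a sample message for testing; the sender/recipient are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    # The attachment payload is a placeholder, not an actual executable.
    msg.add_attachment(
        b"placeholder-bytes",
        maintype="application",
        subtype="octet-stream",
        filename=attachment_name,
    )
    return msg.as_bytes()


# Body text as quoted on the page, used to build the constructed sample.
SAMPLE_BODY = (
    "Hello!\n"
    "Do you like modern design of new Windows XP?! I\n"
    "have found FREE and easy to use desktop themes!\n"
    "You can open attach with web site and samples!\n"
    "Enjoy it!!!\n"
)

if __name__ == "__main__":
    worm_mail = build_sample(FRETHEM_SUBJECT, "www.freedesktopthemes4821.exe", SAMPLE_BODY)
    benign_mail = build_sample("Quarterly report", "report.pdf", "Report attached.\n")
    print("worm-like sample:", classify(worm_mail), is_frethem_like(worm_mail))
    print("benign sample:", classify(benign_mail), is_frethem_like(benign_mail))
```

The attachment check matches on the filename pattern only; a gateway would normally pair it with a hash or signature check on the attachment content, since the filename is trivially changed and the page itself notes that later variants (such as Frethem.K) use a different attachment name.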
Variants
Frethem produced enough variants to go up to Frethem.V (some antivirus products identify a Frethem.W).
Frethem.K arrives in an email posing as a text file containing a password together with an .exe file named decrypt-password.exe. It is able to exploit an Outlook bug that allows it to execute when the message is opened. It was one of the more common variants.
Effects
Frethem made the top 10 virus charts in 2002. Frethem.F peaked at number 10, while Frethem.L made it to number 8. It was common in Asia and Europe with some cases reported in Brazil. It has no destructive payload, but it was the second most popular subject of calls to Sophos, representing 17 percent of all calls to that company.
Sources
Yana Liu. Symantec.com, W32.Frethem.A@mm.
John Leyden. The Register, Frethem worm poses as Password file. 2002.07.16
John Leyden. The Register, Klez tops the virus charts. 2002.07.31
John Leyden. The Register, Klez tops virus charts – again. 2002.07.01
Terra Informatica, Vírus Frethem espalha suas variantes por vários países (Frethem virus spreads its variants across several countries). 2002.07.15 (Portuguese)