i-worm.frethe
Webroot Antivirus: The best protection against viruses, spyware data theft and hackers.
Description:
Details
I-Worm.Frethem
I-Worm.Frethem
The Frethem family of Email worms spreads via the Internet as attachments to infected emails, the worms themselves are Windows PE EXE files about 31-35KB in length - depending the worm version. The are compressed by PE-Pack and UPX (double compression) and written in Microsoft Visual C++.
The worms have "backdoor" routines (see below).
Infected messages have following Subject, Message body and attached files, depending on worm version:
Frethem.a:
Subject:Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Message:
Hello!
Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes!
You can open attach with web site and samples! Enjoy it!!!
Attached:
www.freedesktopthemes.com
Frethem.b,c,f,h
Subject: Re: Your password!
Message:
[empty]
Attachments: Your password placed in password.txtall yourpassword.exe...password.txt
Frethem.d:
Subject: Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Message: Hi! There is good news for you! Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes! You can open attach with web site and samples! It's really cool! Enjoy it!!! Yours, %sender%
Attached: www.xpdesktopthemes.com
Frethem.e,g,j,k,l
Subject: Re: Your password!
Message:
ATTENTION!
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel
Attached: decrypt-password.exe, password.txt
The attached EXE file (attached to the email messages) is the worm itself, the attached TXT file(if it is present) contains false text, such as:
"Your password is W8dqwq8q918213"
Running
Depending on worm version, the Internet Explorer security breach (IFRAME vulnerability) is exploited or the attached file may not contain any "security tricks". The worm activates from infected email only when a user clicks on the attached file, or it may start automatically when an infected message is opened or previewed (in vulnerable systems).
Once run the worm then installs itself to the system and runs its spreading routine.
Installing
First the worm checks the keyboard layouot set, in case there is Russian or Uzbek keyboard support (codepage 419 or 843) the worm just exits without taking any action.
If no such keyboard support is present, the worm then copies itself to the Windows startup directory under the setup.exe name:
%windir%\Start Menu\Programs\Startup\setup.exe
If the Startup directory doesn't exist, variants "k", "l", "m" copy themselves in the Windows directory under the "taskbar.exe" name.
Thus the worm is run with each Windows boot-up.
Spreading
The worm uses SMTP protocol to send e-mail messages. It looks for e-mail addresses in WAB (Windows Address Book) files and in *.DBX email database files, and sends infected messages to these addresses.
Backdoor
The backdoor routines randomly select a URL and then follow it to the site. The list of possible URLs is stored (hard-coded) into the worm body. There are from 10 (in minor worm versions) to 50 (in major versions) URLs in the list.
The worm then downloads a specific file from the selected URL and processes commands written there. The main backdoor features are:
the ability to execute requested commands on infected system
download EXE file(s) from that site and run it ("upgrading" worm with new version)
On activation of the backdoor routine the worm creates, in the Windows directory, two data files:
STATUS.INI and WIN64.INI
Other Details
The worm body contains the text:
thAnks tO AntIvIrUs cOmpAnIEs fOr dEscrIbIng thE IdEA! nO AnY dEstrUctIvE ActIOns! dOnt wArrY, bE hAppY!
This text may be written to the file winstat.ini in the Windows directory.
Copyright @2006 i-worm.frethe