Tuesday, September 1, 2009

Win32:Frethem

Win32:Frethem is an Internet worm which spreads via email. It uses its own SMTP engine to send itself to email addresses that it finds in the Microsoft Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb files. The email message arrives with the following characteristics:

Subject: Re: Your password!
Message body:
ATTENTION!

You can access
very important
information by
this password

DO NOT SAVE
password to disk
use your mind

now press
cancel
Attachments: Decrypt-password.exe and Password.txt
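The subject line and attachment names above are the indicators a mail gateway or mailbox scanner can match on. The following is an added example, not code from the original post: it parses a raw RFC 822 message with Python's standard `email` package and reports which of the documented indicators it matches. The verdict requires both the subject and at least one of the attachment names, so a legitimate reply that merely quotes the subject does not fire on its own. The `build_sample` helper and the messages it produces are constructed test data, not a real worm sample.

```python
"""Match a raw email message against the Win32:Frethem email indicators
described in the post (subject line and attachment names).

Added example, not part of the original post. All messages used here are
constructed for illustration."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
FRETHEM_SUBJECT = "Re: Your password!"
FRETHEM_ATTACHMENTS = {"decrypt-password.exe", "password.txt"}


def attachment_names(msg: EmailMessage) -> set:
    """Return the lower-cased filenames of every attachment part in a parsed message."""
    names = set()
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.add(name.lower())
    return names


def score_message(raw: bytes) -> dict:
    """Parse a raw message and report which Frethem indicators it matches.

    'verdict' is True only when the subject matches AND at least one of the
    documented attachment names is present; each indicator is also reported
    individually so an analyst can see partial matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    names = attachment_names(msg)
    subject_hit = subject.lower() == FRETHEM_SUBJECT.lower()
    attachment_hits = sorted(names & FRETHEM_ATTACHMENTS)
    return {
        "subject_hit": subject_hit,
        "attachment_hits": attachment_hits,
        "verdict": subject_hit and bool(attachment_hits),
    }


def build_sample(subject: str, attachments: dict) -> bytes:
    """Construct a test message (constructed data, not a real worm sample).

    attachments maps a filename to the bytes to attach; every attachment is
    sent as application/octet-stream so the parser sees it as a file part."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("ATTENTION!\n\nYou can access very important information by this password\n")
    for filename, payload in attachments.items():
        msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed sample carrying both indicators, and a benign message for contrast.
    sample = build_sample(FRETHEM_SUBJECT,
                          {"Decrypt-password.exe": b"MZ\x90\x00", "Password.txt": b"constructed"})
    print(score_message(sample))
    print(score_message(build_sample("Meeting notes", {})))
```

Run it on a saved .eml by passing `open(path, "rb").read()` to `score_message`; the function works the same way on messages produced by any client because it inspects the parsed MIME structure rather than the raw text.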

When this worm is executed, it does the following:

It copies itself to the file %windir%\Taskbar.exe (%windir% is a variable standing for the Windows installation folder). The worm locates the Windows main installation folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location. It then configures itself to start when you start Windows by adding the value:

Task Bar = %windir%\Taskbar.exe

(value name Task Bar, value data %windir%\Taskbar.exe) to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The worm then obtains email addresses from the Microsoft Windows Address Book and from .dbx, .wab, .mbx, .eml, and .mdb files, and sends itself to those addresses. When the worm arrives by email, it uses both an IFRAME exploit and a MIME exploit, which allow the worm to be executed when you read or even preview the message. Information and a patch for the MIME exploit can be found here.

After sleeping for several hours, the worm copies itself to C:\Windows\All Users\Start Menu\Programs\Startup\Setup.exe so that it is executed each time you start Windows.
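The two persistence mechanisms described above (the Task Bar value under the HKCU Run key and Setup.exe in the All Users Startup folder) are what a host check should look for. The following is an added example, not code from the original post: the matching logic is kept separate from the collection so it can be run against constructed data on any platform, while `collect_and_check` reads the live Run key and Startup folder only on Windows. The function names are this example's own, and the Startup folder path is the one the post names.

```python
"""Check for the Win32:Frethem persistence artefacts described in the post:
the 'Task Bar' value under HKCU\\...\\Run pointing at %windir%\\Taskbar.exe,
and a Setup.exe in the All Users Startup folder.

Added example, not part of the original post."""
import ntpath
import os
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Task Bar"
RUN_TARGET_BASENAME = "taskbar.exe"
# Startup folder path as given in the post (Windows 9x/NT-era layout).
STARTUP_DIR = r"C:\Windows\All Users\Start Menu\Programs\Startup"
STARTUP_FILE = "setup.exe"


def check_run_values(run_values: dict, windir: str) -> list:
    """Return findings for Run values that match the Frethem indicator.

    run_values maps value name -> command string as read from HKCU Run;
    windir is the expanded Windows folder (e.g. C:\\Windows or C:\\Winnt).
    A full match needs the documented value name AND a target equal to
    <windir>\\Taskbar.exe; weaker matches are reported separately."""
    findings = []
    expected = ntpath.join(windir, "Taskbar.exe").lower()
    for name, data in run_values.items():
        target = data.strip().strip('"').lower()
        name_hit = name.lower() == RUN_VALUE_NAME.lower()
        if name_hit and target == expected:
            findings.append(f"Run value '{name}' -> {data} (matches Frethem persistence)")
        elif name_hit:
            findings.append(f"Run value '{name}' -> {data} (name matches, target differs: review)")
        elif ntpath.basename(target) == RUN_TARGET_BASENAME:
            findings.append(f"Run value '{name}' -> {data} (file name matches, review)")
    return findings


def check_startup_entries(entries: list) -> list:
    """entries: file names present in the All Users Startup folder."""
    return [f"Startup folder contains {e} (matches Frethem secondary persistence)"
            for e in entries if e.lower() == STARTUP_FILE]


def collect_and_check() -> list:
    """Read the live HKCU Run key and Startup folder and return all findings.

    Returns an empty list on non-Windows hosts, where neither exists."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    windir = os.environ.get("windir", r"C:\Windows")
    entries = os.listdir(STARTUP_DIR) if os.path.isdir(STARTUP_DIR) else []
    return check_run_values(values, windir) + check_startup_entries(entries)


if __name__ == "__main__":
    # Constructed Run key contents for demonstration; the second entry is benign.
    demo = {"Task Bar": r"C:\Windows\Taskbar.exe", "Updater": r"C:\Program Files\Vendor\upd.exe"}
    for line in check_run_values(demo, r"C:\Windows") + check_startup_entries(["Setup.exe", "desktop.ini"]):
        print(line)
    for line in collect_and_check():
        print("LIVE:", line)
```

The weaker findings exist because a value named Task Bar pointing elsewhere, or a Taskbar.exe under a different value name, is worth a look even though it is not the exact configuration the post describes.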

This worm exists in several variants, but none of them has a destructive payload.

