Summary
| Detected by | All Sophos products |
|---|---|
Action
Please follow the instructions for removing worms.
Please read the instructions for removing W32/Frethem-C.
More Information
W32/Frethem-C is a worm which arrives in an email with the following characteristics:
Subject line:
Re: Your password!
Attached Files:
"Your password placed in password.txt<12 spaces>password.exe" and "password.txt"
The file "Your password placed in password.txt<12 spaces>password.exe" is a copy of the worm; password.txt is a text file containing the text "Your password is W8dqwq8q918213".
The message text is left blank.
The worm uses a MIME header vulnerability and an IFRAME vulnerability so that the attached file is run automatically when the email is viewed on unpatched Microsoft email clients.
Upon execution the worm copies itself to C:\Windows\Start Menu\Programs\Startup as setup.exe and runs in the background as a process of the same name. Alternatively, on a computer with multi-user settings enabled, the worm could copy itself to <user profile path>\Start Menu\Programs\Startup. These changes cause the worm to run automatically the next time the computer is started up or when the same user logs on again.
The trigger condition for the mass-mailing behaviour depends on certain dates and the time zone. When triggered, the worm obtains the SMTP server details from the following registry entry:
HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001
The worm then sends itself to contacts found from DBX files and the Windows Address Book using its own SMTP engine.
Besides mass-mailing itself, the worm also sends HTTP requests to CGI scripts hosted at various remote locations. At the time of writing those CGI scripts are no longer available, so this does not pose a threat.
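As an added illustration of how a mail-gateway check could flag the message characteristics described above (this is example code written for this page, not Sophos detection logic), the script below parses a constructed sample message and reports the lure subject and an executable attachment whose real extension is pushed out of view by a run of spaces; the sample message, the list of executable extensions and the finding strings are all assumptions made here.

```python
import re
from email import message_from_string

# Constructed sample modelled on the message characteristics described above; not a captured sample.
SAMPLE_EMAIL = """From: sender@example.invalid
To: recipient@example.invalid
Subject: Re: Your password!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain


--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Your password placed in password.txt            password.exe"

TVqQAAMAAAAEAAAA
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="password.txt"

Your password is W8dqwq8q918213
--b1--
"""

EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")
# "something.txt<two or more spaces>something.exe": a harmless-looking name padded to hide the real extension
PADDED_NAME = re.compile(r"\.\w{1,4}\s{2,}\S+$")


def check_attachment_name(name):
    """Return a reason string if the attachment name is executable or deceptively padded, else None."""
    real_ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if real_ext in EXEC_EXTENSIONS:
        if PADDED_NAME.search(name):
            return "executable hidden behind a whitespace-padded name"
        return "executable attachment"
    return None


def analyse_message(raw):
    """Return a list of findings for one RFC 822 message; an empty list means nothing matched."""
    msg = message_from_string(raw)
    findings = []
    if (msg.get("Subject") or "").strip() == "Re: Your password!":
        findings.append("subject matches W32/Frethem-C lure")
    for part in msg.walk():  # walk() visits every MIME part, including nested ones
        name = part.get_filename()
        if name and (reason := check_attachment_name(name)):
            findings.append(f"{reason}: {name!r}")
    return findings
```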
