Summary

| Detected by | All Sophos products |
|---|---|

Action

Please read the instructions for removing W32/Frethem-E.

More Information
W32/Frethem-E is a worm which arrives in an email with the following characteristics:
Subject line:
Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Message text:
Hello!
Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes! You can open attach with website and samples! Enjoy it!!!
Attached File:
www.freedesktopthemes.exe
The worm uses a MIME header vulnerability and an IFRAME vulnerability so that the attached file is run automatically when the email is viewed on unpatched Microsoft email clients.
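The lure characteristics above are the simplest gateway-side indicators for this worm. The following script, an added example and not part of the Sophos advisory, parses a message and reports which W32/Frethem-E indicators it matches: the exact subject line, the attachment name, and the more general presence of an executable attachment (the MIME-header trick only works if the client accepts a declared content type that does not describe the real file). The sample message is constructed here for the demonstration; the rule names and the executable-extension list are assumptions, not quoted from the page.

```python
# Added example (not from the Sophos page): flag mail items that carry the
# W32/Frethem-E indicators listed in the advisory. The sample message built
# below is constructed for the demonstration; the detection rules only use the
# subject line, attachment name and "executable attachment" characteristics
# described on the page, and the extension list is an assumption.
import email
from email import policy
from email.message import EmailMessage

FRETHEM_SUBJECT = ("Re: Do your Windows looks like Windows XP? "
                   "I have found very nice desktop themes!")
FRETHEM_ATTACHMENT = "www.freedesktopthemes.exe"
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed list


def _norm(text: str) -> str:
    """Collapse folded-header whitespace so long subjects compare reliably."""
    return " ".join(text.split())


def frethem_indicators(raw_message: bytes) -> list[str]:
    """Return the list of indicators matched by one RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = _norm(str(msg["Subject"] or ""))
    if subject == _norm(FRETHEM_SUBJECT):
        hits.append("subject matches W32/Frethem-E lure")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name.lower() == FRETHEM_ATTACHMENT:
            hits.append(f"attachment name {name} matches W32/Frethem-E")
        if name.lower().endswith(EXEC_EXTENSIONS):
            # Any executable attachment is worth quarantining at the gateway,
            # whatever content type the MIME headers claim for it.
            hits.append(f"executable attachment {name} declared as "
                        f"{part.get_content_type()}")
    return hits


def build_sample() -> bytes:
    """Construct a message with the Frethem-E characteristics (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = FRETHEM_SUBJECT
    msg.set_content("Hello!\nDo you like modern design of new Windows XP?! ...")
    # Harmless placeholder bytes carrying the attachment name the worm uses.
    msg.add_attachment(b"placeholder-not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename=FRETHEM_ATTACHMENT)
    return bytes(msg)


if __name__ == "__main__":
    for hit in frethem_indicators(build_sample()):
        print("FLAG:", hit)
```

Run the file directly to see the three indicators fire on the constructed sample; in a gateway or mailbox sweep you would call `frethem_indicators()` on each stored message instead of `build_sample()`.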
Upon execution the worm copies itself to C:\Windows\Start Menu\Programs\Startup as setup.exe and runs in the background as a process of the same name. Alternatively, on a computer with multi-user settings enabled, the worm may copy itself to <user profile path>\Start Menu\Programs\Startup. These changes allow the worm to run automatically the next time the computer is started up or when the same user logs on again.
The trigger condition for the mass-mailing behaviour depends on certain dates and the time zone. When triggered, the worm obtains the SMTP server details from the following registry entry:
HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001
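The persistence location and the registry key above are the two host-side artefacts a responder can check. The script below is an added example, not Sophos' removal instructions: it looks for a setup.exe in the Startup folders the advisory names and, on Windows, reads the Internet Account Manager key the worm consults so the investigator can see which mail account would have been abused. The Startup folder list is a parameter so the check can be exercised with a constructed directory on any platform; the registry value names are the standard account-manager names and are assumed here rather than taken from the page.

```python
# Added example (not Sophos' code): a defender-side check for the persistence
# artefact the advisory describes (setup.exe dropped into a Startup folder) and
# a read of the mail-account registry key the worm consults. The folder list is
# a parameter so the logic runs on any platform against a constructed directory.
import os
import tempfile
from pathlib import Path
from typing import Iterable

# Startup locations named in the advisory (all-users and per-profile).
DEFAULT_STARTUP_DIRS = [
    r"C:\Windows\Start Menu\Programs\Startup",
    os.path.join(os.environ.get("USERPROFILE", ""), "Start Menu", "Programs", "Startup"),
]
SUSPECT_NAME = "setup.exe"
SMTP_KEY = r"Software\Microsoft\Internet Account Manager\Accounts\00000001"


def find_startup_dropper(startup_dirs: Iterable[str], name: str = SUSPECT_NAME) -> list[str]:
    """Return full paths of files called `name` found in the given Startup folders."""
    found = []
    for d in startup_dirs:
        p = Path(d)
        if not p.is_dir():
            continue  # folder absent on this host or profile
        for entry in p.iterdir():
            if entry.is_file() and entry.name.lower() == name:
                found.append(str(entry))
    return found


def read_smtp_account(key_path: str = SMTP_KEY) -> dict:
    """Read the mail-account values under the key the worm uses (Windows only).

    Returns an empty dict on non-Windows hosts or when the key is missing, so the
    Startup-folder check can still run elsewhere. The value names are assumed
    (standard Internet Account Manager names), not quoted from the advisory.
    """
    try:
        import winreg  # type: ignore
    except ImportError:
        return {}
    result = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as k:
            for value_name in ("SMTP Server", "SMTP Email Address", "SMTP Display Name"):
                try:
                    result[value_name] = winreg.QueryValueEx(k, value_name)[0]
                except FileNotFoundError:
                    pass
    except FileNotFoundError:
        pass
    return result


def make_demo_startup_dir() -> str:
    """Create a constructed Startup-like folder holding a dropper and a benign file."""
    d = tempfile.mkdtemp(prefix="frethem_demo_")
    Path(d, "setup.exe").write_bytes(b"constructed placeholder, not a real binary")
    Path(d, "Readme.txt").write_text("benign file")
    return d


if __name__ == "__main__":
    demo = make_demo_startup_dir()
    print("startup droppers:", find_startup_dropper([demo] + DEFAULT_STARTUP_DIRS))
    print("mail account values:", read_smtp_account())
```

On a real Windows host, drop the demo directory and pass only `DEFAULT_STARTUP_DIRS` (adding any other profile paths you care about); a non-empty result from `find_startup_dropper()` is the cue to follow the Sophos removal instructions rather than delete the file by hand, since the running process of the same name also needs to be dealt with.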
The worm then sends itself, using its own SMTP engine, to addresses found in DBX files and in the Windows Address Book.
Besides mass-mailing itself, the worm also sends HTTP requests to some CGI scripts located at various remote locations. At the time of writing, those CGI scripts were no longer available, so this behaviour does not pose a threat.
