Sophos

W32/Frethem-J

More Information

W32/Frethem-J is a member of the Frethem family of email worms; however, this variant lacks the emailing capability of the other variants and instead relies on spreading over network shares.

Upon execution, the worm copies itself to C:\Windows\Start Menu\Programs\Startup as setup.exe and runs in the background as a process of the same name. Alternatively, on a computer with multi-user settings enabled, the worm may copy itself to the current user's \Start Menu\Programs\Startup folder (for example, C:\Windows\Profiles\\Start Menu\Program\Startup). Either location causes the worm to be run automatically the next time the computer is started or the same user logs on again.

W32/Frethem-J will not carry out any actions if the values "0843" and "0419" are found in the following registry entries:

HKCU\Keyboard layout\preload\1

HKCU\Keyboard layout\preload\2

HKCU\Keyboard layout\preload\3

The worm also sends HTTP requests to CGI scripts hosted at various remote locations. At the time of writing those CGI scripts are no longer available, so this behaviour does not pose a threat.

W32/Frethem-J is designed to interpret the contents of the requested files as instructions, which would likely be used to give the worm backdoor functionality.
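As an added triage example (not Sophos's code), the PowerShell script below checks a Windows host for the artefacts described above: a setup.exe copy in a Startup folder, the keyboard-layout Preload values the worm tests before acting, and a running process of the same name. The modern per-user and all-users Startup paths, the profile roots beyond C:\Windows\Profiles, and the suffix match on 8-digit layout IDs are my assumptions, not details from the page.

```powershell
# Added triage script, not from the Sophos description. Run from an elevated
# prompt so that every profile's Startup folder can be read.
$findings = @()

# 1. Startup-folder persistence: the page's legacy path plus the Startup folders
#    Windows resolves today (assumed locations on modern Windows).
$startupDirs = @(
    'C:\Windows\Start Menu\Programs\Startup',
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
# Per-profile folders: Profiles\<user> on Win9x-era hosts, Users\<user> today.
$profileRoots = @{
    'C:\Windows\Profiles' = 'Start Menu\Programs\Startup'
    'C:\Users'            = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}
foreach ($root in $profileRoots.Keys) {
    if (Test-Path $root) {
        $startupDirs += Get-ChildItem $root -Directory -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path $_.FullName $profileRoots[$root] }
    }
}
foreach ($dir in ($startupDirs | Sort-Object -Unique)) {
    $candidate = Join-Path $dir 'setup.exe'
    if (Test-Path $candidate) {
        $hash = (Get-FileHash $candidate -Algorithm SHA256).Hash
        $findings += "Startup persistence candidate: $candidate (SHA256 $hash)"
    }
}

# 2. Kill-switch check: the layout IDs the worm looks for in Preload values 1-3.
#    Windows stores these as 8-digit strings (e.g. 00000419), so match the suffix
#    (assumption: the worm compares on the trailing four digits the page quotes).
$killSwitch = '0843', '0419'
$preload = Get-ItemProperty 'HKCU:\Keyboard Layout\Preload' -ErrorAction SilentlyContinue
foreach ($slot in '1', '2', '3') {
    $value = $preload.$slot
    foreach ($id in $killSwitch) {
        if ($value -and ($value -like "*$id")) {
            $findings += "Preload\$slot holds layout $value; Frethem-J would stay dormant here"
        }
    }
}

# 3. A running process named setup.exe, which the page says the worm leaves behind.
Get-Process -Name setup -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Running process setup.exe (PID $($_.Id), path $($_.Path))"
}

if ($findings) { $findings } else { 'No W32/Frethem-J indicators found' }
```

A setup.exe in a Startup folder is a common legitimate name too, so treat the hash as the value to compare against your AV vendor's detection rather than as proof by itself.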
