Sophos has received an increasing number of reports of W32/Frethem-Fam and
its variants during the past few days.
Many of the first reports came from Japan, although later
submissions to Sophos's support team have orginated from a variety
The worms arrive in an email with the subject line 'Re: Your
password!' and two attachments, one called 'decrypt-password.exe'
and the other 'password.txt'. The worm is contained in the attached
EXE file, which attempts to exploit an Microsoft Outlook bug in
order to run automatically when the email is read.
Sophos has been able to protect against W32/Frethem-Fam since 12
June, and has been able to detect all variants of the worm to date
since 15 July.
Sophos also advises organisations to implement safe computing practices, such as blocking
executable files and emails with specific subject lines, to prevent
the spread of this and many other email-aware worms.