W32/Frethem-Fam worms spreading in the wild

July 17, 2002 Sophos Press Release

Sophos has received an increasing number of reports of W32/Frethem-Fam and its variants during the past few days.

Many of the first reports came from Japan, although later submissions to Sophos's support team have originated from a variety of countries.

The worms arrive in an email with the subject line 'Re: Your password!' and two attachments, one called 'decrypt-password.exe' and the other 'password.txt'. The worm is contained in the attached EXE file, which attempts to exploit a Microsoft Outlook bug in order to run automatically when the email is read.

Sophos has been able to protect against W32/Frethem-Fam since 12 June, and has been able to detect all variants of the worm to date since 15 July.

Sophos also advises organisations to implement safe computing practices, such as blocking executable files and emails with specific subject lines, to prevent the spread of this and many other email-aware worms.