W32/Frethem-Fam worms spreading in the wild

Sophos Press Release

Sophos has received an increasing number of reports of W32/Frethem-Fam and its variants during the past few days.

Many of the first reports came from Japan, although later submissions to Sophos's support team have originated from a variety of countries.

The worms arrive in an email with the subject line 'Re: Your password!' and two attachments, one called 'decrypt-password.exe' and the other 'password.txt'. The worm is contained in the attached EXE file, which attempts to exploit a Microsoft Outlook bug in order to run automatically when the email is read.

Sophos has been able to protect against W32/Frethem-Fam since 12 June, and has been able to detect all variants of the worm to date since 15 July.

Sophos also advises organisations to implement safe computing practices, such as blocking executable files and emails with specific subject lines, to prevent the spread of this and many other email-aware worms.
