The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>W32/Frethem Malicious Code</h2>

<p>Release Date: July 17, 2002</p>
<a name="affected"></a>
<h3>Systems Affected</h3>
<ul>
<li>Systems running Microsoft Windows</li>
</ul>
<br/>
<a name="overview"></a>
<h3>Overview</h3>
<p>The CERT/CC has received a number of reports of malicious code
known as W32/Frethem. It affects systems running Microsoft Windows with
unpatched versions of Internet Explorer and mail clients that use IE's
HTML rendering engine (including Outlook and Outlook Express). Patched
systems (or systems that do not use IE's HTML rendering engine for
mail) may also be affected if a user manually executes the malicious
code. A number of variants of this code have been identified.</p>
<br/>
<a name="description"></a>
<h3>I. Description</h3>

<p>W32/Frethem is a malicious Windows program with an internal SMTP mail
delivery agent.  W32/Frethem arrives as an email message containing
three MIME parts (<font face="monospace">multipart/alternative;
boundary=L1db82sd319dm2ns0f4383dhG</font>) with the subject "Re:
Your password!"  The body of the message is contained in the first
MIME part and includes a specially crafted IFRAME tag that will cause
the malicious attachment to be executed when this part is rendered in
a vulnerable mail user agent (as described below).  The body also
contains the following text:</p>

<dl><dd>
<b>ATTENTION!</b><br/><br/>
You can access<br/>
<b>very important</b><br/>
information by<br/>
this password<br/><br/>
<b>DO NOT SAVE</b><br/>
password to disk<br/>
use your mind<br/><br/>
now press<br/>
<b>cancel</b><br/><br/>
</dd></dl>
<p>The next two MIME parts are the attachments, <font face="monospace">decrypt-password.exe</font> and <font face="monospace">password.txt</font>.  In samples received by the
CERT/CC, the <font face="monospace">password.txt</font> file contains
the text "Your password is W8dqwq8q918213", but it does not contain any
executable code.  The malicious code is contained in the <font face="monospace">decrypt-password.exe</font> file.  We have
received variants of <font face="monospace">decrypt-password.exe</font> with the following MD5
checksums:

<font face="monospace">
<dl><dt>decrypt-password.exe</dt>
<dd>file size: 48,640 bytes md5: 5412f64b6d2279d2da89a43be9e1a001</dd>
<dd>file size: 48,640 bytes md5: cc695e7e531c18843baa0731a38e969b</dd>
<dd>file size: 35,840 bytes md5: ded90e8bd58aaab9d864cce245c57ba2</dd>
<dd>file size: 35,840 bytes md5: e4858975a01a614f08b22dc4069f6360</dd>
</dl>
</font>
</p>
<p>In the variants we have received, <font face="monospace">decrypt-password.exe</font> appears as an attachment
flagged as a MIME content type <font face="monospace">audio/x-midi</font>, which allows W32/Frethem to
exploit the vulnerability described in <a href="http://www.kb.cert.org/vuls/id/980499">VU#980499</a> and run
automatically if the message is viewed on a vulnerable system.  Even
if the system has been patched for this vulnerability, a user can
still trigger infection by opening the attachment directly.</p>
<p>When <font face="monospace">decrypt-password.exe</font> is run, it
creates the <font face="monospace">IEXPLORE_MUTEX_AABBCCDDEEFF</font>
mutex to ensure that only one copy will run at a time.  It also
gathers the current user's default SMTP server, email address, and
display name from the registry keys located at
 
<dl>
<dd>HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001  </dd>
</dl>

It uses these in conjunction with its built-in SMTP engine in order to
propagate.  It harvests email addresses from the Windows Address Book
as well as any other files with .wab, .dbx, .mbx, .mdb, and .eml
extensions.
</p>
<p>W32/Frethem attempts to install itself locally so it will run again
whenever Windows restarts.  In some variants, it does this by placing
a copy of itself in the <font face="monospace">Start
Menu\Programs\Startup</font> folder as <font face="monospace">setup.exe</font>.  A more recent variant accomplishes
this by copying itself to <font face="monospace">%WinDir%/taskbar.exe</font> and adding a registry key
named 'Task Bar' to

<dl>
<dd>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</dd></dl>

with a value of <font face="monospace">%WinDir%/taskbar.exe</font></p>
<br/>
<a name="impact"></a>
<h3>II. Impact</h3>
<p>As with other malicious code having mass-mailing capabilities,
W32/Frethem may cause denial-of-service conditions in networks where
either (a) multiple systems are infected, or (b) large volumes of
infected mail are received.</p>
<br/>
<a name="solution"></a>
<h3>III. Solution</h3>
<h4>Update Internet Explorer</h4>
<p>Users are encouraged to install the patches detailed in <a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp">MS01-020</a>.
(Note: MS01-020 has been superseded by <a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp">MS02-023</a>,
so users should consider installing the appropriate patches from
MS02-023 if possible.)  Microsoft has published additional
recommendations for protecting against W32/Frethem at

<dl><dd><a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/frethem.asp">http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/frethem.asp</a></dd></dl>
</p>
<h4>Run and maintain an anti-virus product</h4>
<p>It is important for users to update their anti-virus software.
Most anti-virus software vendors have released updated information,
tools, or virus databases to help detect and recover from W32/Frethem.
A list of vendor-specific anti-virus information can be found in <a href="#vendors">Appendix A</a>.

<p>Many anti-virus packages support automatic updates of virus definitions. 
We recommend using these automatic updates when available.

<h4>Exercise caution when opening attachments</h4>
<p>Exercise caution when receiving email with attachments.  Users
should be suspicious of unexpected attachments, regardless of their
origin.  In general, users should also always scan files received
through email with an anti-virus product.

<p>The following section of the "Home Network Security" document provides
advice on handling email attachments securely:

<blockquote>
<a href="http://www.cert.org/tech_tips/home_networks.html#IV-A-4">
http://www.cert.org/tech_tips/home_networks.html#IV-A-4</a>
</blockquote>
<h4>Filter the email or use a firewall</h4>
<p>Sites can use email filtering techniques to delete messages whose
subject lines are known to be used by the malicious code, or they
can filter all attachments.</p>
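<p>As an added example (not CERT/CC code), the following Python script applies the indicators from Section I (the subject line, the MIME boundary, and an executable attachment declared under a non-executable content type, the VU#980499 pattern) to a message parsed with the standard library's email module, the kind of check a mail filter described in this section could run. The rule names, the executable-extension list and the sample message are assumptions constructed for the illustration.</p>

```python
"""Mail-filter heuristics for the W32/Frethem message described above (added
example, not CERT/CC code). Indicator values are quoted from the incident note;
rule names, the extension list and the sample message are constructed here."""
import re
from email import message_from_string, policy

FRETHEM_SUBJECT = "Re: Your password!"
FRETHEM_BOUNDARY = "L1db82sd319dm2ns0f4383dhG"
# Extensions treated as executable for the "filter all attachments" advice (my list).
EXECUTABLE_EXT = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs)$", re.IGNORECASE)


def frethem_indicators(raw: str) -> list[str]:
    """Return the names of the indicators matched by one RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() == FRETHEM_SUBJECT:
        hits.append("subject")
    if msg.get_boundary() == FRETHEM_BOUNDARY:
        hits.append("boundary")
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.is_multipart() or not EXECUTABLE_EXT.search(name):
            continue
        hits.append(f"executable-attachment:{name}")
        # VU#980499 pattern: an executable declared under a non-executable MIME
        # type (audio/x-midi in the samples) so a vulnerable MUA runs it itself.
        if not part.get_content_type().startswith("application/"):
            hits.append(f"type-mismatch:{name}:{part.get_content_type()}")
    return hits


# Constructed sample shaped like the message in the note; attachment bytes are a placeholder.
SAMPLE_FRETHEM = f"""\
Subject: {FRETHEM_SUBJECT}
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary={FRETHEM_BOUNDARY}

--{FRETHEM_BOUNDARY}
Content-Type: text/html

<html><body><b>ATTENTION!</b> now press <b>cancel</b></body></html>
--{FRETHEM_BOUNDARY}
Content-Type: audio/x-midi; name=decrypt-password.exe
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=decrypt-password.exe

QUJDRA==
--{FRETHEM_BOUNDARY}--
"""
```

A message that matches only the "executable-attachment" rule is still worth quarantining under the "filter all attachments" advice; the "type-mismatch" rule is what singles out the VU#980499 delivery trick.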


<br/>
<a name="vendors"></a>
<h3>Appendix A. - Vendor Information</h3>
<h4>Aladdin Knowledge Systems</h4>
<dl>
<dd><a href="http://www.esafe.com/home/csrt/valerts2.asp?virus_no=10228">http://www.esafe.com/home/csrt/valerts2.asp?virus_no=10228</a>
</dd></dl>
<h4>Central Command, Inc.</h4>
<dl>
<dd><a href="http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=020612-000007">http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=020612-000007</a>
</dd></dl>
<h4>Command Software Systems</h4>
<dl>
<dd><a href="http://www.commandsoftware.com/virus/frethem.html">http://www.commandsoftware.com/virus/frethem.html</a>
</dd></dl>
<h4>Computer Associates</h4>
<dl>
<dd><a href="http://www3.ca.com/virusinfo/virus.asp?ID=12569">http://www3.ca.com/virusinfo/virus.asp?ID=12569</a>
</dd></dl>
<h4>F-Secure Corp</h4>
<dl>
<dd><a href="http://www.f-secure.com/v-descs/frethem.shtml">http://www.f-secure.com/v-descs/frethem.shtml</a>
</dd></dl>
<h4>McAfee</h4>
<dl>
<dd><a href="http://vil.mcafee.com/dispVirus.asp?virus_k=99565&amp;">http://vil.mcafee.com/dispVirus.asp?virus_k=99565&amp;</a>
</dd></dl>
<h4>Microsoft</h4>
<dl>
<dd><a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/frethem.asp">http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/frethem.asp</a>
</dd></dl>
<h4>Norman Data Defense Systems</h4>
<dl>
<dd><a href="http://www.norman.com/virus_info/w32_frethem_k_mm.shtml">http://www.norman.com/virus_info/w32_frethem_k_mm.shtml</a>
</dd></dl>
<h4>Proland Software</h4>
<dl>
<dd><a href="http://www.pspl.com/virus_info/worms/fretheme.htm">http://www.pspl.com/virus_info/worms/fretheme.htm</a>
</dd></dl>
<h4>Sophos</h4>
<dl>
<dd><a href="http://www.sophos.com/virusinfo/analyses/w32frethemfam.html">http://www.sophos.com/virusinfo/analyses/w32frethemfam.html</a>
</dd></dl>
<h4>Symantec</h4>
<dl>
<dd><a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.frethem.k@mm.html">http://securityresponse.symantec.com/avcenter/venc/data/w32.frethem.k@mm.html</a>
</dd></dl>
<h4>Trend Micro</h4>
<dl>
<dd><a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FRETHEM.K">http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FRETHEM.K</a>
</dd></dl>
<p>
You may wish to visit the CERT/CC's Computer Virus Resources Page located at:
</p>
<blockquote>
<a href="http://www.cert.org/other_sources/viruses.html">http://www.cert.org/other_sources/viruses.html</a>
</blockquote>

<hr noshade=""/>
<p><b>Author(s)</b>: <a href="mailto:cert@cert.org?subject=IN-2002-05%20Feedback%20CERT%2324514">Kevin
Houle and Allen D. Householder</a></p>
<p>Copyright 2002 Carnegie Mellon University.</p>