Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Malware :: in200205.htm

W32/Frethem Malicious Code



CERT Incident Note IN-2002-05: W32/Frethem Malicious Code

W32/Frethem Malicious Code

Release Date: July 17, 2002

Systems Affected


Overview

The CERT/CC has received a number of reports of malicious code known as W32/Frethem. It affects systems running Microsoft Windows with unpatched versions of Internet Explorer and mail clients that use IE's HTML rendering engine (including Outlook and Outlook Express). Patched systems (or systems that do not use IE's HTML rendering engine for mail) may also be affected if a user manually executes the malicious code. A number of variants of this code have been identified.


I. Description

W32/Frethem is a malicious Windows program with an internal SMTP mail delivery agent. W32/Frethem arrives as an email message containing three MIME parts (multipart/alternative; boundary=L1db82sd319dm2ns0f4383dhG) with the subject "Re: Your password!" The body of the message is contained in the first MIME part and includes a specially crafted IFRAME tag that will cause the malicious attachment to be executed when this part is rendered in a vulnerable mail user agent (as described below). The body also contains the following text:
ATTENTION!

You can access
very important
information by
this password

DO NOT SAVE
password to disk
use your mind

now press
cancel

The next two MIME parts are the attachments, decrypt-password.exe and password.txt. In samples received by the CERT/CC, the password.txt file contains the text "Your password is W8dqwq8q918213", but it does not contain any executable code. The malicious code is contained in the decrypt-password.exe file. We have received variants of decrypt-password.exe with the following MD5 checksums:

decrypt-password.exe
file size: 48,640 bytes md5: 5412f64b6d2279d2da89a43be9e1a001
file size: 48,640 bytes md5: cc695e7e531c18843baa0731a38e969b
file size: 35,840 bytes md5: ded90e8bd58aaab9d864cce245c57ba2
file size: 35,840 bytes md5: e4858975a01a614f08b22dc4069f6360

In the variants we have received, decrypt-password.exe appears as an attachment flagged as a MIME content type audio/x-midi, which allows W32/Frethem to exploit the vulnerability described in VU#980499 and run automatically if the message is viewed on a vulnerable system. Even if the system has been patched for this vulnerability, a user can still trigger infection by opening the attachment directly.

When decrypt-password.exe is run, it creates the IEXPLORE_MUTEX_AABBCCDDEEFF mutex to ensure that only one copy will run at a time. It also gathers the current user's default SMTP server, email address, and display name from the registry keys located at

HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001
It uses these in conjunction with its built-in SMTP engine in order to propagate. It harvests email addresses from the Windows Address Book as well as any other files with .wab, .dbx, .mbx, .mdb, and .eml extensions.

W32/Frethem attempts to install itself locally so it will run again whenever Windows restarts. In some variants, it does this by placing a copy of itself in the Start Menu\Programs\Startup folder as setup.exe. A more recent variant accomplishes this by copying itself to %WinDir%/taskbar.exe and adding a registry key named 'Task Bar' to

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
with a value of %WinDir%/taskbar.exe


II. Impact

As with other malicious code having mass-mailing capabilities, W32/Frethem may cause denial-of-service conditions in networks where either (a) multiple systems are infected, or (b) large volumes of infected mail are received.


III. Solution

Update Internet Explorer

Users are encouraged to install the patches detailed in MS01-020. (Note: MS01-020 has been superseded by MS02-023, so users should consider installing the appropriate patches from MS02-023 if possible) Microsoft has published additional recommendations for protecting against W32/Frethem at

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/frethem.asp

Run and maintain an anti-virus product

It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and recover from W32/Frethem. A list of vendor-specific anti-virus information can be found in Appendix A.

Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.

Exercise caution when opening attachments

Exercise caution when receiving email with attachments. Users should be suspicious of unexpected attachments, regardless of their origin. In general, users should also always scan files received through email with an anti-virus product.

The following section of the "Home Network Security" document provides advice on handling email attachments securely:

http://www.cert.org/tech_tips/home_networks.html#IV-A-4

Filter the email or use a firewall

Sites can use email filtering techniques to delete messages containing subject lines known to contain the malicious code, or they can filter all attachments.

Appendix A. - Vendor Information

Aladdin Knowledge Systems

http://www.esafe.com/home/csrt/valerts2.asp?virus_no=10228

Central Command, Inc.

http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/
std_adp.php?p_refno=020612-000007

Command Software Systems

http://www.commandsoftware.com/virus/frethem.html

Computer Associates

http://www3.ca.com/virusinfo/virus.asp?ID=12569

F-Secure Corp

http://www.f-secure.com/v-descs/frethem.shtml

McAfee

http://vil.mcafee.com/dispVirus.asp?virus_k=99565&

Microsoft

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/frethem.asp

Norman Data Defense Systems

http://www.norman.com/virus_info/w32_frethem_k_mm.shtml

Proland Software

http://www.pspl.com/virus_info/worms/fretheme.htm

Sophos

http://www.sophos.com/virusinfo/analyses/w32frethemfam.html

Symantec

http://securityresponse.symantec.com/avcenter/venc/data/w32.frethem.k@mm.html

Trend Micro

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FRETHEM.K

You may wish to visit the CERT/CC's Computer Virus Resources Page located at:

http://www.cert.org/other_sources/viruses.html


Author(s): Kevin Houle and Allen D. Householder

This document is available from: http://www.cert.org/incident_notes/IN-2002-05.html


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH