[fruityloops] Fw: [rav-news] RAV Virus Alert - Win32/Frethem.L@mm

  • From: "xk" <xk@xxxxxxxxxxxxx>
  • To: <fruityloops@xxxxxxxxxxxxx>
  • Date: Wed, 17 Jul 2002 16:22:56 +0300

Info on how to remove this virus at the end of the message
=====================================================

RAV Virus Alert
-----------------

VIRUS ALERT! Win32/Frethem.L@mm!

July 15, 2002 - GeCAD Software is alerting all computer users about a
new worm, Win32/Frethem.L@mm, which is reported to be spreading at a high
rate already. See details on the RAV Virus Statistics page:

http://www.ravantivirus.com/ravmsstats/

GeCAD AntiVirus researchers have already included the virus signature in
the latest update available for all RAV products, and a description of
the worm is given below.
Please update your RAV AntiVirus so that it can detect this virus
immediately.
For more details on the Win32/Frethem family, please visit
www.ravantivirus.com

1. Description
2. How to recognize the worm
3. What Frethem does
4. How to prevent infection with Frethem virus family
5. How to disinfect your computer
6. RAV Outbreak Security Service

1. Description
==============
This is a version of the Win32/Frethem@mm Internet worm. It was compiled
with Visual C++ 6 and then packed with the UPX and PE-PACK executable
compressors to avoid detection.

2. How to recognize the worm
============================
Frethem arrives as an attachment to an e-mail message with the following
layout:

Subject: Re: Your password!
Body:
ATTENTION!

You can access
very important
information by
this password

DO NOT SAVE
password to disk
use your mind

now press
cancel


The e-mail has two attachments: the first one is the worm's executable
file, "decrypt-password.exe", and the second one is named
"password.txt".
The file "password.txt" contains only one text line:
"Your password is W8dqwq8q918213"

3. What Frethem does
====================
Frethem uses the IFRAME exploit (visit
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
for more details) to execute itself without the user having to open the
attachment.
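The message layout from section 2 and the automatic-execution vector described above can both be checked at a mail gateway. The following is an added example, not part of the RAV advisory: it parses an RFC 822 message with Python's standard `email` library and reports the indicators the advisory lists (the subject, the two attachment names, the one-line "Your password is ..." decoy). As a generalization beyond the page, it also flags any executable attachment and any attachment whose declared MIME type does not match its file name, since an executable hidden behind a non-executable content type is what the mail client must be prevented from running. The sample message is constructed here with a placeholder payload; it is not the worm.

```python
"""Mail-gateway check for the Win32/Frethem.L@mm message layout (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text.
SUBJECT = "Re: Your password!"
WORM_EXE = "decrypt-password.exe"
DECOY_TXT = "password.txt"
DECOY_RE = re.compile(r"^Your password is \S+\s*$")
# Extension list is this example's own choice of "executable" attachments.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")


def attachments(msg):
    """Yield (filename, declared content type, decoded bytes) for every named part."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name, part.get_content_type(), part.get_payload(decode=True) or b""


def scan_message(raw):
    """Return the list of indicator names found in one raw message, in parse order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip() == SUBJECT:
        hits.append("subject")
    for name, ctype, data in attachments(msg):
        lname = name.lower()
        if lname == WORM_EXE:
            hits.append("worm-attachment")
        if lname == DECOY_TXT and DECOY_RE.match(data.decode("ascii", "replace")):
            hits.append("decoy-password-file")
        if lname.endswith(EXEC_EXT):
            hits.append("executable-attachment")
            # An executable declared as e.g. audio/x-wav is the pattern a
            # vulnerable client would run without asking; flag it regardless of name.
            if not ctype.startswith("application/"):
                hits.append("mime-type-mismatch")
    return hits


def is_frethem_l(hits):
    """The advisory's layout: subject plus both attachments with the decoy line."""
    return {"subject", "worm-attachment", "decoy-password-file"} <= set(hits)


def build_sample():
    """Constructed sample reproducing the advisory's layout; the .exe body is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = SUBJECT
    msg.set_content("ATTENTION!\n\nYou can access\nvery important\ninformation by\n"
                    "this password\n\nDO NOT SAVE\npassword to disk\nuse your mind\n\n"
                    "now press\ncancel\n")
    # Declared as audio to mimic a content-type/name mismatch; payload is inert text.
    msg.add_attachment(b"placeholder, not an executable",
                       maintype="audio", subtype="x-wav", filename=WORM_EXE)
    msg.add_attachment("Your password is W8dqwq8q918213\n", filename=DECOY_TXT)
    return msg.as_bytes()


if __name__ == "__main__":
    found = scan_message(build_sample())
    print(found, "-> Frethem.L layout" if is_frethem_l(found) else "-> no match")
```

Run it on a saved `.eml` by replacing `build_sample()` with `open(path, "rb").read()`; the "executable-attachment" and "mime-type-mismatch" hits are worth quarantining on their own, independent of this particular worm.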

When executed, Frethem first checks the Windows version: any Win32
compliant system will be infected. Next, it checks the keyboard layout;
if the layout is Russian the worm will not replicate.

Next, it copies itself to the RECYCLED directory with the .bak
extension.
To make itself resident after a system restart, Frethem will either copy
itself into the Windows directory as "taskbar.exe" and register in the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key as "Task
Bar" or, if the USERPROFILE environment variable is available, copy
itself into the StartUp directory as "setup.exe". Two additional files
(one called Winstat.ini and the other win64.ini) are created in the
Windows directory.

Then the payload routine is called: if the Internet Explorer application
is running, Frethem tries to open connections to various Internet sites.

To avoid running multiple copies, it creates a mutex called
"IEXPLORE_MUTEX_AABBCCDDEEFF".

Next, after sleeping to make its spreading less suspicious, Frethem
attempts to send itself to all valid e-mail addresses found in files
matching the following patterns: ".dbx", ".wab", ".mbx", ".eml", ".mdb".
The Internet Explorer cache files are also checked for valid e-mail
addresses.


4. How to prevent infection with Frethem virus family
=====================================================
In case you already use a RAV AntiVirus product:
------------------------------------------------
a. Update your signature database: the RAV AntiVirus products recognize
   and clean the Win32/Frethem.L@mm worm (and its variants) starting with
   July 15, 2002.
b. Enable your RAV AntiVirus product (see the available documentation
   for details).
c. Make sure that you already have the patch for the IFRAME
   vulnerability:
   http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

In case you do not use a RAV AntiVirus product:
-----------------------------------------------
a. Download free of charge the product best suiting your needs:
   http://www.ravantivirus.com/pages/download.php
b. Update your signature database: the RAV AntiVirus products recognize
   and clean the Win32/Frethem.L@mm worm (and its variants) starting with
   July 15, 2002.
c. Enable your RAV AntiVirus product (see the available documentation
   for details).
d. Make sure that you already have the patch for the IFRAME
   vulnerability:
   http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

5. How to disinfect your computer
=================================
Make sure you have the latest virus signature update.
In order to clean your computer's registry you should also:

a. Run regedit.exe and locate the following registry key:
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
b. Delete the entry Task Bar (created by the Win32/Frethem.L@mm worm).
c. Delete the setup.exe file from your StartUp folder (click
   Start>Programs>StartUp, right-click on the setup.exe entry and select
   Delete from the pop-up menu thus displayed).
d. Delete the following files from your Windows directory:
   taskbar.exe, Winstat.ini, Win64.ini.
e. Restart your computer.
f. Scan your local hard disks using your RAV AntiVirus product and
   delete all the files reported as infected with the Win32/Frethem.L@mm
   worm.
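The persistence artifacts from section 3 and the manual steps a-d above can be checked and removed from a script. The following is an added example, not part of the RAV advisory or a RAV tool. `build_cleanup_plan()` is pure matching logic over a snapshot of the host (the Run key's values plus listings of the Windows and StartUp directories), so it runs on any platform; `snapshot()` and `apply()` use the standard `winreg` module and only work on Windows. The artifact names come from the advisory; that the "Task Bar" value's data points at taskbar.exe, and the StartUp folder location used as a default, are this example's assumptions.

```python
"""Host check and cleanup for the Win32/Frethem.L@mm persistence artifacts (added example)."""
import os

# Artifacts named in the advisory (file names compared case-insensitively).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Task Bar"
WINDOWS_DIR_FILES = ("taskbar.exe", "winstat.ini", "win64.ini")
STARTUP_FILE = "setup.exe"


def build_cleanup_plan(run_values, windows_dir, windows_files, startup_dir, startup_files):
    """Return (action, target) pairs in the advisory's order: Run value, StartUp copy, Windows-dir files.

    run_values: {value name: value data} read from HKLM\\...\\Run.
    windows_files / startup_files: plain directory listings (file names only).
    """
    plan = []
    for name, data in run_values.items():
        # Assumption: the worm's Run value data names taskbar.exe; requiring it
        # avoids deleting an unrelated value that happens to be called "Task Bar".
        if name.lower() == RUN_VALUE.lower() and "taskbar.exe" in str(data).lower():
            plan.append(("delete_registry_value", f"HKLM\\{RUN_KEY}\\{name}"))
    for f in startup_files:
        if f.lower() == STARTUP_FILE:
            plan.append(("delete_file", os.path.join(startup_dir, f)))
    for f in windows_files:
        if f.lower() in WINDOWS_DIR_FILES:
            plan.append(("delete_file", os.path.join(windows_dir, f)))
    return plan


def snapshot():
    """Windows only: read the Run key and list the Windows and StartUp directories."""
    import winreg  # not available outside Windows
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            run_values[name] = data
            i += 1
    windows_dir = os.environ.get("SystemRoot", r"C:\Windows")
    # Assumed per-user StartUp location (the advisory only says it lives under USERPROFILE).
    startup_dir = os.path.join(os.environ.get("USERPROFILE", ""),
                               "Start Menu", "Programs", "StartUp")
    listing = lambda d: os.listdir(d) if os.path.isdir(d) else []
    return run_values, windows_dir, listing(windows_dir), startup_dir, listing(startup_dir)


def apply(plan, dry_run=True):
    """Execute the plan; with dry_run=True only report what would be removed."""
    for action, target in plan:
        print(("would " if dry_run else "") + action, target)
        if dry_run:
            continue
        if action == "delete_registry_value":
            import winreg
            value_name = target.rsplit("\\", 1)[1]
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY, 0, winreg.KEY_SET_VALUE) as key:
                winreg.DeleteValue(key, value_name)
        elif action == "delete_file":
            os.remove(target)


if __name__ == "__main__":
    # Review the plan first; rerun with dry_run=False, then restart and do a full scan (steps e-f).
    apply(build_cleanup_plan(*snapshot()), dry_run=True)
```

The plan deliberately stops at the artifacts the advisory names; the RECYCLED\*.bak copy and infected mail are left to the signature scan in step f, which is the only step that can reliably identify them.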


6. RAV Outbreak Security Service
================================
RAV AntiVirus is offering you a free subscription to the RAV Outbreak
Security Service. This service is activated only in cases of virus
outbreaks and sends its subscribers special reports containing
descriptions of brand-new viruses and instructions on preventing infection
and disinfecting your computers. To subscribe to this new service, send
an empty message to outbreak-subscribe@xxxxxxxxxxxxxxxxxxxxxxx



-------------------------------------------------------------------
To unsubscribe, e-mail: rav-news-unsubscribe@xxxxxxxxxxxxxxxxxxxxxx
For personal help, e-mail: lists-manager@xxxxxxxxxxxxxxxxx

Worry less! RAV is watching.