[THIN] VIRUS ALERT: FRETHEM K

  • From: Jim Kenzig <jimkenz@xxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx, windows2000@xxxxxxxxxxxxx
  • Date: Mon, 15 Jul 2002 12:51:26 -0400

Trend has updated this one to Medium Risk (which is usually high)
Regards,
Jim Kenzig
http://thethin.net

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FRETHEM.K

WORM_FRETHEM.K
        Risk rating:
        Virus type: Worm
        Destructive: No

Aliases:
W32.Frethem.K@mm, W32/Frethem.k@MM
Description:
This non-destructive, memory-resident variant of WORM_FRETHEM.D propagates
via email. It arrives as an attachment with the following:
Subject: Re: Your password!
Message Body: You can access very important information by this password
DO NOT SAVE password to disk use your mind
now presscancel
Attachment: DECRYPT-PASSWORD.EXE
PASSWORD.TXT
On systems with unpatched IE, the file attachments automatically execute
when this email message is previewed or opened in Microsoft Outlook and
Outlook Express.
Solution:
Terminating the Malware Program
You will need the names of the file or files detected earlier as
WORM_FRETHEM.K.
        1. Open Windows Task Manager.
           On Windows 9x/ME systems, press CTRL+ALT+DELETE.
           On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the
           Processes tab.
        2. In the list of running programs*, locate "Taskbar" or "Taskbar.exe".
        3. Select the program, then press either the End Task or the End Process
           button, depending on the version of Windows on your system.
        4. To check if the malware process has been terminated, close Task
           Manager, and then open it again.
        5. Close Task Manager.
*NOTE: On systems running Windows 9x/ME, Task Manager may not be able to show
certain processes. Use a third party process viewer to terminate the malware
process. Otherwise, continue with the next procedure, noting the additional
instructions.

Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from
executing during startup. This effectively terminates the malware process
from memory.
        1. Open Registry Editor. To do this, click Start>Run, type REGEDIT,
           then press Enter.
        2. In the left panel, double-click the following:
           HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
        3. In the right panel, locate and delete the entry:
           Task Bar = %Windows%\TASKBAR.EXE
           *Where %Windows% is usually C:\Windows\System or C:\WINNT.
        4. Close Registry Editor.
        5. Restart your computer.
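
A triage sketch for the indicators listed in the advisory above, added here as an example (it is not part of the original post or of Trend Micro's advisory). It assumes the Run key has been dumped as text with `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` and that mail is available as raw RFC 822 text; the function names and sample inputs are constructed for illustration.

```python
import re
from email import message_from_string

# Indicators copied from the advisory; compared case-insensitively.
SUBJECT = "re: your password!"
ATTACHMENTS = {"decrypt-password.exe", "password.txt"}
RUN_VALUE, RUN_FILE = "task bar", "taskbar.exe"
# One value line of `reg query` output: indented name, type, data.
REG_LINE = re.compile(r"^[ \t]+(.+?)[ \t]+(REG_\w+)[ \t]+(.*)$", re.M)

def suspicious_run_entries(reg_query_output):
    """Return (name, data) pairs from Run-key output that match the advisory."""
    hits = []
    for m in REG_LINE.finditer(reg_query_output):
        name, data = m.group(1).strip(), m.group(3).strip()
        filename = data.strip('"').rsplit("\\", 1)[-1]
        if name.lower() == RUN_VALUE or filename.lower() == RUN_FILE:
            hits.append((name, data))
    return hits

def mail_indicators(raw_message):
    """Return the advisory's mail indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    found = []
    if (msg.get("Subject") or "").strip().lower() == SUBJECT:
        found.append("subject")
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if fname in ATTACHMENTS:
            found.append("attachment:" + fname)
    return found

# Constructed sample inputs (not captured from a real system or message).
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINNT\system32\ctfmon.exe
    Task Bar    REG_SZ    C:\WINNT\TASKBAR.EXE
"""
SAMPLE_MAIL = """Subject: Re: Your password!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="DECRYPT-PASSWORD.EXE"

placeholder body, no payload
--b1--
"""
if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_REG), mail_indicators(SAMPLE_MAIL))
```

A Run entry is flagged when either the value name or the target file name matches, so a renamed value that still points at TASKBAR.EXE is reported as well.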



