Info on how to remove this virus at the end of the message
=====================================================

RAV Virus Alert
-----------------

VIRUS ALERT! Win32/Frethem.L@mm!

July 15, 2002 - GeCAD Software is alerting all computer users about a new worm, Win32/Frethem.L@mm, which is reported to be spreading at a high rate already. See details on the RAV Virus Statistics page: http://www.ravantivirus.com/ravmsstats/

GeCAD AntiVirus researchers have already included the virus signature in the latest update available for all RAV products, and the description of the worm is available below. Please update your RAV AntiVirus to be able to detect this virus immediately.

For more details on the Win32/Frethem family, please visit www.ravantivirus.com

1. Description
2. How to recognize the worm
3. What Frethem does
4. How to prevent infection with the Frethem virus family
5. How to disinfect your computer
6. RAV Outbreak Security Service

1. Description
===========

This is a version of the Win32/Frethem@mm internet worm. It was compiled with Visual C++ 6 and then packed first with UPX and then with the PE-PACK executable compressor to avoid detection.

2. How to recognize the worm
=======================

Frethem arrives as an attachment to an e-mail message with the following layout:

Subject: Re: Your password!

Body:
ATTENTION!
You can access very important information by this password
DO NOT SAVE password to disk use your mind
now press cancel

The e-mail has two attachments: the first one is the worm's executable file, "decrypt-password.exe", and the second one is named "password.txt". The file "password.txt" contains only one text line:
"Your password is W8dqwq8q918213"

3. What Frethem does
=================

Frethem uses the IFRAME exploit (see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp for more details) to execute itself without the user having to open the attachment.
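Section 2 describes the message layout precisely enough to write a mail-filter check for it. The following is an added example, not RAV/GeCAD code: it parses one message with Python's standard email package, scores the three indicators the alert lists (subject, the attachment pair, the body text) and separately reports any executable attachment. The sample message it builds is constructed from the description above, not a captured worm e-mail, and the two-of-three threshold in is_frethem() is an assumption of this example, not something the alert states.

```python
"""Flag e-mail messages that match the Win32/Frethem.L@mm layout from the alert.

Added example, not RAV/GeCAD code. The sample message is constructed here from
the alert's description; it is not a captured worm e-mail.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from section 2 of the alert (compared case-insensitively).
FRETHEM_SUBJECT = "re: your password!"
FRETHEM_ATTACHMENTS = {"decrypt-password.exe", "password.txt"}
FRETHEM_BODY_MARKER = "you can access very important information by this password"
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def attachment_names(msg):
    """Lower-cased file names of every attachment part in the message."""
    names = set()
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename:
            names.add(filename.strip().lower())
    return names


def frethem_indicators(raw_message):
    """Return (matched indicator names, executable attachment names).

    raw_message is the RFC 822 text of one message, as a mail filter sees it.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject == FRETHEM_SUBJECT:
        hits.append("subject")
    names = attachment_names(msg)
    if FRETHEM_ATTACHMENTS <= names:  # both attachments are present
        hits.append("attachments")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    if FRETHEM_BODY_MARKER in text:
        hits.append("body")
    executables = sorted(n for n in names if n.endswith(EXECUTABLE_SUFFIXES))
    return hits, executables


def is_frethem(raw_message):
    """Assumed threshold: two of the three indicators; one alone is too easy to hit by accident."""
    hits, _ = frethem_indicators(raw_message)
    return len(hits) >= 2


def build_sample():
    """Constructed message with the layout the alert describes (harmless stand-in bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: Your password!"
    msg.set_content(
        "ATTENTION!\n\n"
        "You can access very important information by this password\n\n"
        "DO NOT SAVE password to disk use your mind\n\n"
        "now press cancel\n"
    )
    # Placeholder payload: a bare DOS header, not the worm.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="decrypt-password.exe")
    msg.add_attachment("Your password is W8dqwq8q918213\n", subtype="plain",
                       filename="password.txt")
    return msg.as_string()


if __name__ == "__main__":
    sample = build_sample()
    hits, executables = frethem_indicators(sample)
    print("indicators:", hits, "executables:", executables, "frethem:", is_frethem(sample))
```

In a real gateway the executable attachment is the indicator worth acting on, since a later variant can change the subject and body text at no cost; the subject and body checks only serve to name this particular family in the report.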
When executed, Frethem first checks the Windows version: any Win32-compliant system will be infected. Next, it checks the keyboard layout: if the layout is Russian, the worm will not replicate. Next, it copies itself to the RECYCLED directory with the .bak extension.

To make itself resident after a system restart, Frethem either copies itself into the Windows directory as "taskbar.exe" and registers itself under the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key as "Task Bar" or, if the USERPROFILE environment variable is available, copies itself into the StartUp directory as "setup.exe". Two additional files (one called Winstat.ini and the other win64.ini) are created in the Windows directory.

Then the payload routine is called: if the Internet Explorer application is running, Frethem tries to open connections to various internet sites. To avoid running multiple copies, it creates a mutex called "IEXPLORE_MUTEX_AABBCCDDEEFF".

Next, after sleeping to make its spreading less suspicious, Frethem attempts to send itself to all valid e-mail addresses found in files matching the following patterns: ".dbx", ".wab", ".mbx", ".eml", ".mdb". The Internet Explorer cache files are also checked for valid e-mail addresses.

4. How to prevent infection with the Frethem virus family
========================================

In case you already use a RAV AntiVirus product:
------------------------------------------------

a. Update your signature database: the RAV AntiVirus products recognize and clean the Win32/Frethem.L@mm worm (and its variants) starting with July 15, 2002.
b. Enable your RAV AntiVirus product (see the available documentation for details).
c. Make sure that you already have the patch for the IFRAME vulnerability: http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

In case you do not use a RAV AntiVirus product:
-----------------------------------------------

a. Download free of charge the product best suited to your needs: http://www.ravantivirus.com/pages/download.php
b. Update your signature database: the RAV AntiVirus products recognize and clean the Win32/Frethem.L@mm worm (and its variants) starting with July 15, 2002.
c. Enable your RAV AntiVirus product (see the available documentation for details).
d. Make sure that you already have the patch for the IFRAME vulnerability: http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

5. How to disinfect your computer
==========================

Make sure you have the latest virus signature update. In order to clean your computer's registry you should also:

a. Run regedit.exe and locate the following registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
b. Delete the entry "Task Bar" (created by the Win32/Frethem.L@mm worm).
c. Delete the setup.exe file from your StartUp folder (click Start > Programs > StartUp, right-click the setup.exe entry and select Delete from the pop-up menu).
d. Delete the following files from your Windows directory: taskbar.exe, Winstat.ini, Win64.ini.
e. Restart your computer.
f. Scan your local hard disks using your RAV AntiVirus product and delete all the files reported as infected with the Win32/Frethem.L@mm worm.

6. RAV Outbreak Security Service
=========================

RAV AntiVirus is offering you a free subscription to the RAV Outbreak Security Service. This service is activated only in cases of virus outbreaks and sends its subscribers special reports containing descriptions of brand-new viruses and instructions on preventing infection and disinfecting your computers.

To subscribe to this new service, send an empty message to outbreak-subscribe@xxxxxxxxxxxxxxxxxxxxxxx

-------------------------------------------------------------------
To unsubscribe, e-mail: rav-news-unsubscribe@xxxxxxxxxxxxxxxxxxxxxx
For personal help, e-mail: lists-manager@xxxxxxxxxxxxxxxxx

Worry less! RAV is watching.
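The persistence artefacts that section 3 describes and section 5 tells you to remove by hand (the "Task Bar" Run value, taskbar.exe, Winstat.ini and Win64.ini in the Windows directory, setup.exe in the StartUp folder) can be checked for in one read-only pass before and after cleanup. The following is an added example, not RAV/GeCAD code: the matching logic is a pure function so it can be run anywhere on collected data, and the live collector uses the standard winreg module on Windows. The StartUp folder path it assumes is the one used by current Windows versions, which is not the 2002-era path; adjust it for the system being audited. The script deletes nothing.

```python
"""Read-only audit for the Win32/Frethem.L@mm host indicators named in the alert.

Added example, not GeCAD/RAV code. It reports the persistence artefacts that
section 3 describes and section 5 tells you to remove; it deletes nothing.
"""
import os
import sys
from pathlib import Path

# Indicators taken from the alert text.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Task Bar"
WINDIR_FILES = ("taskbar.exe", "winstat.ini", "win64.ini")
STARTUP_FILE = "setup.exe"


def assess(run_values, windir_files, startup_files):
    """Pure matching logic over already-collected data (works on any OS).

    run_values: {value name: value data} read from the HKLM Run key
    windir_files / startup_files: file names found in %SystemRoot% and in the
    per-user StartUp folder
    Returns a list of human-readable findings; an empty list means clean.
    """
    findings = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower():
            findings.append(f"registry: HKLM\\{RUN_KEY}\\{name} = {data}")
    present = {f.lower() for f in windir_files}
    for wanted in WINDIR_FILES:
        if wanted in present:
            findings.append(f"windir: {wanted}")
    if STARTUP_FILE in {f.lower() for f in startup_files}:
        findings.append(f"startup: {STARTUP_FILE}")
    return findings


def read_run_values():
    """Enumerate the HKLM Run key with the stdlib winreg module (Windows only)."""
    import winreg  # imported here so the pure logic above loads on any OS
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values under this key
                break
            values[name] = data
            index += 1
    return values


def audit_live_host():
    """Collect the three indicator sources from this machine and assess them."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; call assess() with collected data instead")
    windir = Path(os.environ.get("SystemRoot", r"C:\Windows"))
    # Assumption: the per-user StartUp folder of current Windows versions; the
    # USERPROFILE-based path of 2002 differed, adjust for the system audited.
    startup = Path(os.environ["APPDATA"]) / r"Microsoft\Windows\Start Menu\Programs\Startup"
    windir_files = [p.name for p in windir.iterdir() if p.is_file()]
    startup_files = [p.name for p in startup.iterdir()] if startup.is_dir() else []
    return assess(read_run_values(), windir_files, startup_files)


if __name__ == "__main__":
    for line in audit_live_host() or ["no Frethem.L indicators found"]:
        print(line)
```

Running it once before step a. and again after step e. of section 5 gives a before/after record of the cleanup; the mutex name from section 3 is deliberately not checked, because a mutex only exists while the worm process is running and a restarted, cleaned machine will not show it.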