W32/Frethem@MM Virus Family - U-M Virus Busters

The W32/Frethem@MM Virus Family Strikes Fast; Fizzles

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)
Last significant update: 15 July, 2002

This information can be freely reproduced in any medium, as long as the information is unmodified.

The Frethem virus affects only PC computers running Windows; Macintosh users, and users of other non-Windows operating systems cannot be infected by this virus. These users may, however, see plenty of infected email from Frethem, so its "annoyance factor" is large.

The first Frethem variant was discovered in the first week of June 2002; more common variants were discovered on 12 July 2002 (Frethem.K) and 14 July (Frethem.L) VirusScan users with current antivirus definitions have been protected against the original Frethem since 05 June, 2002, and Frethem in general since 14 July 2002. [Note that Frethem.K was recognized "generically" by the VirusScan drivers, even before the virus writer created it -- but that Frethem.L required a special definition release on 15 July, 2002.]

Although we saw many Frethem cases on 15 July, 2002, we expect this virus to be a "fast burner": it will disappear rapidly, and be a problem only for a day or two.

The main features of Frethem.K and Frethem.L are these:

The Subject: field is Re: Your password!

The body text begins:

   ATTENTION

   You can access
   very important
   information by
   this password

It uses a security flaw in unpatched Internet Explorer applications that allows the attachment to be executed w/o opening it.

Frethem harvests email addresses from Outlook and Windows addressbooks. It does not affect users of the Pine emailer

What should you do if:

If know you are infected by Frethem?
Easy: disinfect with current, top quality antivirus software.
You receive email you suspect is infected with Frethem -- or other viruses, for that matter?
That's up to you; for suggestions, see our What to do with suspicious email and full email headers documents. If you decide to relay this information, pass it along to your competent antivirus support personnel.
U-M folks: you can send this information to the U-M Virus Busters Team, of course.
You receive email saying that you are sending Frethem-infected email?
Again: disinfect, using top-quality antivirus software.
In any event, you should check that your computer has top quality antivirus software installed, and that it is current, and that you do not have any viruses on your machine.

For technical info on the Frethem family, see e.g. Network Associates write-ups on Frethem.L (leaving our site) Frethem.L (leaving our site) or F–Secure's Frethem write up (leaving our site).

The URL for this document is http://www.umich.edu/~virus-busters/frethem.html
For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

-BPB

Last updated: Monday, 15-Jul-2002 16:41:14 EDT.
University of Michigan Virus Busters - virus.busters@umich.edu

visits to this page since 15 July, 2002 16:00 EDT