New Versions of The Worm "Frethem" Are Loose On The Internet!

17 Jul 2002
Virus News

Kaspersky Lab warns all computer users of a large number of registered infections caused by new modifications of the "Frethem" Internet worm (modifications K and L). To penetrate a system, "Frethem" exploits a 1 1/2-year-old vulnerability in the Internet Explorer security system (the IFRAME vulnerability). Because of this vulnerability, a system becomes infected the moment the infected e-mail is read. The message has the following characteristics:

Subject: Re: Your password!

Text: ATTENTION! You can access very important information by this password DO NOT SAVE password to disk use your mind now press cancel

Attached files: decrypt-password.exe, password.txt

After an infected file is launched, the worm registers itself in the start-up section of the Windows system registry, scans the system for files in the WAB (Windows Address Book) and DBX formats, and sends copies of itself to the e-mail addresses found there. In addition, "Frethem" installs on infected machines a utility allowing hidden remote administration, giving an intruder the chance to manage a user's system and install new versions of the "Frethem" worm family.

The procedure defending against this malicious program has already been added to the Kaspersky Anti-Virus database. More detailed information about the "Frethem" family of Internet worms can be found in the Kaspersky Virus Encyclopedia.

Kaspersky Lab strongly recommends that users install the Internet Explorer patch that eliminates the browser's security system vulnerability. This will allow users to protect their computers not only against current threats but also against future worms that target the IFRAME vulnerability. You can download the free-of-charge patch (included in the service pack) here.
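
The message characteristics listed above can be checked at a mail gateway or against a mailbox export. The sketch below is an added example, not Kaspersky Lab code: the function names, the sample message and the HTML `<iframe>` heuristic are assumptions, and only the subject line and attachment names come from this advisory.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text.
FRETHEM_SUBJECT = "re: your password!"
FRETHEM_ATTACHMENTS = {"decrypt-password.exe", "password.txt"}


def frethem_indicators(raw_message: bytes) -> list:
    """Return the advisory indicators present in one raw e-mail message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == FRETHEM_SUBJECT:
        hits.append("subject")
    names = set()
    has_iframe = False
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            names.add(filename.strip().lower())
        # Assumed heuristic: an IFRAME in the HTML body is worth flagging,
        # since the advisory says infection happens when the mail is read.
        if part.get_content_type() == "text/html":
            if "<iframe" in part.get_content().lower():
                has_iframe = True
    for name in sorted(names & FRETHEM_ATTACHMENTS):
        hits.append("attachment:" + name)
    if has_iframe:
        hits.append("html-iframe")
    return hits


def constructed_sample() -> bytes:
    """Build a harmless, constructed message carrying the advisory's markers."""
    m = EmailMessage()
    m["Subject"] = "Re: Your password!"
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("ATTENTION!")
    m.add_alternative("<html><body><iframe></iframe></body></html>",
                      subtype="html")
    for name in ("decrypt-password.exe", "password.txt"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()


if __name__ == "__main__":
    print(frethem_indicators(constructed_sample()))
```

A message matching the subject together with either attachment name is a strong candidate for quarantine; the IFRAME hit alone is only a hint and will also match legitimate HTML mail.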