Frethem Worm
Slithers past antivirus defenses
Two new variants of the Frethem worm were discovered in July 2002, one after being accidentally posted to a mailing list of antivirus and security professionals by a member of that list. In both cases, antivirus software failed to detect the worm, which takes advantage of a vulnerability in Internet Explorer that allows it to be launched automatically on the recipient's system. Fortunately, Frethem does not have a malicious payload and is easy to remove from the affected system.

Frethem arrives in an email with the subject line "Re: Your password!" and contains the following text in the message body:

ATTENTION!

You can access
very important
information by
this password

DO NOT SAVE
password to disk
use your mind

now press
cancel

The worm carries two attachments, decrypt-password.exe and password.txt. While password.txt is a harmless text file, opening decrypt-password.exe will infect the system. Vulnerable systems will automatically open decrypt-password.exe because the email carrying the worm exploits the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability. This vulnerability affects users of unpatched Internet Explorer versions 5.01 or 5.5. Such exploits are easily preventable simply by paying regular visits to WindowsUpdate.com and installing any updates marked "Critical". This particular exploit has had a patch available for it since March 2001.
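The indicators above (subject line, attachment names, and an executable attachment declared under a MIME type the client would open without prompting) can be checked at the mail gateway. The script below is an added example, not from the original article; the sample message it parses is constructed, and the "audio/x-wav" label on the .exe is an assumed illustration of a mislabelled executable rather than a captured header.

```python
"""Flag mail matching the Frethem indicators described in the article."""
import email
from email import policy

FRETHEM_SUBJECT = "Re: Your password!"
FRETHEM_ATTACHMENTS = {"decrypt-password.exe", "password.txt"}
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}


def inspect_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and return indicator flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names, mime_mismatch = set(), False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        names.add(name)
        # An executable whose declared Content-Type is a type a mail client
        # would render without prompting is the MIME-header abuse pattern.
        if name.endswith(EXECUTABLE_EXTENSIONS) and \
                part.get_content_type() not in BINARY_TYPES:
            mime_mismatch = True
    return {
        "subject_match": (msg["subject"] or "").strip() == FRETHEM_SUBJECT,
        "attachment_match": FRETHEM_ATTACHMENTS <= names,
        "mime_mismatch": mime_mismatch,
    }


def is_frethem(flags: dict) -> bool:
    return flags["subject_match"] and flags["attachment_match"]


# Constructed sample, not a real capture: headers as the article describes,
# attachment bodies replaced by placeholders, "audio/x-wav" is an assumed label.
SAMPLE = (
    b"Subject: Re: Your password!\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
    b"--XYZ\r\nContent-Type: text/plain\r\n\r\nATTENTION!\r\n"
    b'--XYZ\r\nContent-Type: audio/x-wav; name="decrypt-password.exe"\r\n'
    b'Content-Disposition: attachment; filename="decrypt-password.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nTVpQTEFDRUhPTERFUg==\r\n"
    b'--XYZ\r\nContent-Type: text/plain; name="password.txt"\r\n'
    b'Content-Disposition: attachment; filename="password.txt"\r\n\r\n'
    b"placeholder\r\n--XYZ--\r\n"
)

if __name__ == "__main__":
    print(inspect_message(SAMPLE))  # all three flags True
```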

The Frethem worm copies itself to the Windows directory as TaskBar.exe and modifies the registry to launch on startup. It then mass-mails itself via SMTP to addresses found in the following files:

.DBX (miscellaneous database applications)
.WAB (Windows Address Book)
.MBX (Outlook v1-4, Eudora)
.EML (Outlook Express message)
.MDP (Microsoft Access database)

Removing the worm
Edit the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
to remove the value "TaskBar = C:\Windows\TaskBar.exe"

Delete Setup.exe from the Startup program folder. Depending on the version of Windows, this will be located at either
C:\Windows\All Users\Start Menu\Programs\Startup\
or
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Delete TaskBar.exe from C:\Windows. If the file cannot be deleted, reboot the system and attempt the deletion again.

Antivirus software updated after July 15, 2002 should be able to detect and remove the worm.

©2009 About.com, a part of The New York Times Company.

All rights reserved.