Virus Database


I-Worm.Frethem

Description I-Worm.Frethem
The Frethem family of email worms spreads via the Internet as attachments to infected emails. The worms themselves are Windows PE EXE files about 31-35KB in length, depending on the worm version. They are compressed by PE-Pack and UPX (double compression) and written in Microsoft Visual C++.
The worms have "backdoor" routines (see below).
Infected messages have the following Subject, Message body and attached files, depending on the worm version:
Frethem.a:
Subject: Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Message:

Hello!
Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes!
You can open attach with web site and samples! Enjoy it!!!
Attached:

www.freedesktopthemes.com
Frethem.b, c, f, h:
Subject: Re: Your password!
Message:
[empty]
Attachments: Your password placed in password.txtall yourpassword.exe...password.txt

Frethem.d:

Subject: Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Message: Hi! There is good news for you! Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes! You can open attach with web site and samples! It's really cool! Enjoy it!!! Yours, %sender%
Attached: www.xpdesktopthemes.com
Frethem.e, g, j, k, l:
Subject: Re: Your password!
Message:
ATTENTION!
You can access
very important
information by
this password

DO NOT SAVE
password to disk
use your mind

now press
cancel

Attached: decrypt-password.exe, password.txt
The attached EXE file is the worm itself; the attached TXT file (if it is present) contains decoy text such as:

"Your password is W8dqwq8q918213"
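The subject lines and attachment names listed above are the only stable, observable parts of the lure, so a mail gateway can flag them before the attachment is ever opened. The following is an added example (not code from Virus-Database.com or from any antivirus vendor) of such a check: it takes a message's subject and attachment names, matches them against the lure strings from the variant table, and also flags any executable attachment that arrives under a known subject. The `Message` and `Verdict` classes and the sample messages are constructed for the example.

```python
from dataclasses import dataclass, field

# Lure strings copied from the Frethem variant table above, lower-cased and
# whitespace-normalised so header mangling does not defeat the match.
FRETHEM_SUBJECTS = {
    "re: do your windows looks like windows xp? i have found very nice desktop themes!",
    "re: your password!",
}
FRETHEM_ATTACHMENTS = {
    "www.freedesktopthemes.com",   # Frethem.a (attachment named like a web site)
    "www.xpdesktopthemes.com",     # Frethem.d
    "decrypt-password.exe",        # Frethem.e, g, j, k, l
    "password.txt",                # decoy text file shipped beside the worm
}
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat")


@dataclass
class Message:
    """Minimal view of a mail message as seen at a gateway (constructed type)."""
    sender: str
    subject: str
    attachments: list  # attachment file names as given in the MIME headers


@dataclass
class Verdict:
    suspicious: bool
    confident: bool               # both subject and attachment indicators matched
    reasons: list = field(default_factory=list)


def _norm(text: str) -> str:
    return " ".join(text.lower().split())


def check_message(msg: Message) -> Verdict:
    """Return a Verdict describing which Frethem lure indicators the message matches."""
    reasons = []
    subject_hit = _norm(msg.subject) in FRETHEM_SUBJECTS
    if subject_hit:
        reasons.append(f"subject matches a Frethem lure: {msg.subject!r}")

    attachment_hit = False
    for name in msg.attachments:
        lname = _norm(name)
        if lname in FRETHEM_ATTACHMENTS:
            attachment_hit = True
            reasons.append(f"attachment name matches a Frethem lure: {name!r}")
        elif subject_hit and (lname.endswith(EXECUTABLE_SUFFIXES) or "." not in lname):
            # A known lure subject carrying an executable (or extension-less)
            # attachment is how the worm arrives even if the file was renamed.
            attachment_hit = True
            reasons.append(f"executable attachment under a Frethem subject: {name!r}")

    return Verdict(
        suspicious=subject_hit or attachment_hit,
        confident=subject_hit and attachment_hit,
        reasons=reasons,
    )


# Constructed sample traffic: two lure messages and one benign one.
SAMPLES = [
    Message("someone@example.net", "Re: Your password!",
            ["decrypt-password.exe", "password.txt"]),
    Message("someone@example.net",
            "Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!",
            ["www.freedesktopthemes.com"]),
    Message("colleague@example.org", "Meeting notes", ["agenda.pdf"]),
]


def scan_samples() -> list:
    return [check_message(m) for m in SAMPLES]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLES, scan_samples()):
        print(f"{msg.subject!r}: suspicious={verdict.suspicious} confident={verdict.confident}")
        for r in verdict.reasons:
            print("   ", r)
```

Name and subject matching only catches the variants whose lures are listed here; a later variant with a new subject line still needs content scanning of the attachment, which this gateway check deliberately does not attempt.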
Running
Depending on the worm version, the Internet Explorer security breach (IFRAME vulnerability) is exploited, or the attached file may not contain any "security tricks". The worm activates from an infected email only when a user clicks on the attached file, or it may start automatically when an infected message is opened or previewed (on vulnerable systems).
Once run, the worm installs itself to the system and runs its spreading routine.
Installing
First the worm checks the keyboard layout set; if Russian or Uzbek keyboard support is present (codepage 419 or 843), the worm just exits without taking any action.
If no such keyboard support is present, the worm copies itself to the Windows startup directory under the name setup.exe:
%windir%\Start Menu\Programs\Startup\setup.exe
If the Startup directory doesn't exist, variants "k", "l", "m" copy themselves to the Windows directory under the name "taskbar.exe".
Thus the worm is run with each Windows boot-up.
Spreading
The worm uses the SMTP protocol to send email messages. It looks for email addresses in WAB (Windows Address Book) files and in *.DBX email database files, and sends infected messages to these addresses.
Backdoor
The backdoor routine randomly selects a URL from a list and then connects to that site. The list of possible URLs is hard-coded in the worm body; there are from 10 (in minor worm versions) to 50 (in major versions) URLs in the list.
The worm then downloads a specific file from the selected URL and processes the commands written there. The main backdoor features are:

the ability to execute requested commands on the infected system
the ability to download EXE file(s) from that site and run them ("upgrading" the worm with a new version)
On activation of the backdoor routine the worm creates, in the Windows directory, two data files:

STATUS.INI and WIN64.INI
Other
The worm body contains the text:
thAnks tO AntIvIrUs cOmpAnIEs fOr dEscrIbIng thE IdEA! nO AnY dEstrUctIvE ActIOns! dOnt wArrY, bE hAppY!
This text may be written to the file winstat.ini in the Windows directory.
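The Installing, Backdoor and Other sections together give a small set of host-side artifacts: setup.exe in the Startup folder, taskbar.exe in the Windows directory, the STATUS.INI and WIN64.INI data files, and the worm's text string in winstat.ini. The following is an added example (not code from Virus-Database.com or from any antivirus product) of an incident-response triage script that looks for exactly those artifacts under a given Windows directory. It builds a constructed sample tree in a temporary directory so it can run anywhere; on a real system you would point `scan_windows_dir` at the actual `%windir%`. File names alone are a weak signal (a legitimate installer can drop a setup.exe), so the findings are meant to be confirmed by hashing or an AV scan, not treated as proof.

```python
import tempfile
from pathlib import Path

# String from the worm body as given in the description; it may be written to winstat.ini.
FRETHEM_TEXT = ("thAnks tO AntIvIrUs cOmpAnIEs fOr dEscrIbIng thE IdEA! "
                "nO AnY dEstrUctIvE ActIOns! dOnt wArrY, bE hAppY!")

# Approximate size range of the worm executable from the description (31-35KB).
WORM_SIZE_RANGE = (31 * 1024, 35 * 1024)


def _note_exe(path: Path, findings: list, label: str) -> None:
    """Record an executable artifact and whether its size fits the worm's range."""
    size = path.stat().st_size
    in_range = WORM_SIZE_RANGE[0] <= size <= WORM_SIZE_RANGE[1]
    findings.append(f"{label}: {path} ({size} bytes, "
                    f"{'within' if in_range else 'outside'} expected worm size range)")


def scan_windows_dir(windir: Path) -> list:
    """Return a list of human-readable findings for Frethem artifacts under windir."""
    findings = []

    # Installing: startup copy (all variants) or Windows-directory copy (k, l, m).
    startup_copy = windir / "Start Menu" / "Programs" / "Startup" / "setup.exe"
    if startup_copy.is_file():
        _note_exe(startup_copy, findings, "startup persistence")
    taskbar_copy = windir / "taskbar.exe"
    if taskbar_copy.is_file():
        _note_exe(taskbar_copy, findings, "Windows-directory copy")

    # Backdoor: data files created when the backdoor routine activates.
    for name in ("STATUS.INI", "WIN64.INI"):
        ini = windir / name
        if ini.is_file():
            findings.append(f"backdoor data file present: {ini}")

    # Other: the worm's text string written to winstat.ini.
    winstat = windir / "winstat.ini"
    if winstat.is_file() and FRETHEM_TEXT in winstat.read_text(errors="replace"):
        findings.append(f"worm text string found in {winstat}")

    return findings


def build_sample_windir() -> Path:
    """Create a constructed Windows-directory layout that mimics an infected host."""
    root = Path(tempfile.mkdtemp(prefix="frethem_sample_"))
    startup = root / "Start Menu" / "Programs" / "Startup"
    startup.mkdir(parents=True)
    # Constructed placeholder: a 32KB file of zero bytes standing in for the worm.
    (startup / "setup.exe").write_bytes(b"\x00" * (32 * 1024))
    (root / "STATUS.INI").write_text("[status]\n")       # constructed content
    (root / "WIN64.INI").write_text("[win64]\n")         # constructed content
    (root / "winstat.ini").write_text(FRETHEM_TEXT + "\n")
    return root


def build_clean_windir() -> Path:
    """Create a constructed Windows-directory layout with no Frethem artifacts."""
    root = Path(tempfile.mkdtemp(prefix="clean_sample_"))
    (root / "Start Menu" / "Programs" / "Startup").mkdir(parents=True)
    (root / "win.ini").write_text("[windows]\n")
    return root


if __name__ == "__main__":
    for label, builder in (("infected sample", build_sample_windir),
                           ("clean sample", build_clean_windir)):
        results = scan_windows_dir(builder())
        print(f"{label}: {len(results)} finding(s)")
        for line in results:
            print("   ", line)
```

The size check is only a supporting signal: it is what the description gives, and a repacked or later variant may fall outside it, so a finding with "outside expected worm size range" still deserves a look.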


Immune.536

Description Immune.536

It is a dangerous memory-resident parasitic virus. It hooks INT 15h, 19h, 21h and writes itself to the end of COM files that are executed. The virus has a bug and halts the system rather than infecting the files. By hooking INT 15h and 19h the virus tries to disable switching to protected mode. The virus contains the text strings:
UNIX
Immune v2.0

Implant.6128

Description Implant.6128

These are very dangerous memory-resident polymorphic and stealth multipartite viruses. They affect .COM, .EXE and .SYS files as well as the MBR of the hard drive and the boot sector of floppy disks.
When an infected file is executed, the virus writes itself to the MBR of the hard drive and returns control to the host program. While loading from an infected disk the virus hooks INT 12h, 13h, 1Ch, waits for the DOS loading process and then hooks INT 21h. It then writes itself to the end of files that are closed, renamed, or accessed via the Get/Set File Attributes DOS call. On execution of a program the virus stores its name and infects it on termination. On opening and reading from an infected file the virus runs its stealth routine. On writing to infected files the virus disinfects them. If one of the archiving utilities (ARJ, PKZIP, PKLITE, LHA) or BACKUP is active, the virus turns off its stealth routines. When TBAV or SCAN anti-virus is executed, the virus adds new options to the command line and turns off anti-virus memory scanning. When Windows is executed, the virus adds a parameter to the command line to disable 32-bit disk access, which is logical for a multipartite virus (it keeps its INT 13h hook in the path of disk access).
Some of the "Implant" viruses also do not infect anti-virus programs whose names begin with 'TB', 'SC', 'F-', 'GU', as well as files whose names contain the characters '0' - '9', 'V', 'MO', 'IO', 'DO', 'IB'.
By hooking INT 13h the virus performs its stealth routine when infected disk sectors are accessed. On reading the A: drive boot sector the virus infects it. To save its code the virus formats an extra track on the disk.
On June 4th the virus erases hard drive sectors, beeps and displays the texts:
<<< SuckSexee Automated Intruder >>>
Viral Implant Bio-Coded by Griyo/29A

In 1997 the "Implant.6128" virus was sent by somebody to Internet conferences in the NENA.EXE file that displays a picture of a naked girl.

Copyright © 2005 Virus-Database.com