Beware of Frethem Worm

In its latest press release, Panda Software warns users of a new e-mail virus: W32/Frethem.K. While this e-mail worm carries a rather low threat level, it is spreading rapidly throughout Europe (this is possibly a questionable assumption). The e-mail message always carries the same subject line, “Re: Your password!”, and exploits a vulnerability in Microsoft Internet Explorer versions 5.01 and 5.5. This older vulnerability allows the virus to run automatically when the user views the message in the preview pane.

(Update 2.50 am 17 July 2002 – Added BitDefender Anti Frethem utility under solutions section, BitDefender Frethem analysis and press release and RTVR statistics are refreshed)

Worm information:

Panda Software on HNS: E-Mail Message “Your Password!” Is A Virus
Kaspersky Labs on HNS: I-Worm.Frethem.e Analysis
Sophos: W32/Frethem-Fam Analysis
Trend Micro: Worm_Frethem.K Analysis
Symantec: W32.Frethem.K@mm Analysis
McAfee: W32/Frethem.l@MM Analysis
Eset (NOD32): Win32/Frethem.L Worm Analysis
BitDefender: Win32.Frethem.J/K@mm Analysis
BitDefender on HNS: High risk of spreading for the Frethem virus
ZDNet: New worm: Wanna know a secret?


1) This worm exploits the same vulnerability in Internet Explorer 5.01 and 5.5 that Klez did. Microsoft released a security bulletin and patch for this problem on March 29, 2001. The advisory was titled “Microsoft Security Bulletin (MS01-020) – Incorrect MIME Header Can Cause IE to Execute E-mail Attachment” (link is here). As noted in this bulletin: The above patch has been superseded by the IE 5.01 and 5.5 patches discussed in MS01-027 (link is here).
2) As the subject line of an e-mail containing this worm is always the same (Re: Your password!), it should be easy to use content filtering to stop this worm from crawling through the gateways.
3) Besides infecting and carrying out other destructive actions, W32/Frethem.K makes certain changes to the configuration of your computer as it modifies the Windows registry. Panda Software offers a tool that makes it possible to restore the original configuration of your computer: PQREMOVE (link is here). Contact information is needed for downloading this freeware tool.
4) BitDefender released an Anti Frethem tool, which is available from our software section:

BitDefender RTVR statistics (Last 7 days section – 2.51 am 17 July 2002):

Virus Name          | Infected files | Infected systems
Win32.Frethem.J@mm  | 2714           | 509
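
A sketch of the gateway content filtering suggested in point 2, combined with a check for the kind of incorrect MIME header that MS01-020 (point 1) is about. This is an added example, not code from Panda, BitDefender or the original article; the extension list, the media-type list, the function names and both sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy

FRETHEM_SUBJECT = "re: your password!"  # subject line quoted in the article
EXECUTABLE_EXT = (".exe", ".pif", ".scr", ".bat", ".com")  # assumed block list
INNOCUOUS_TYPES = ("audio/", "image/", "video/")  # assumed "harmless" types


def normalize_subject(raw):
    """Collapse whitespace and case so folded or padded subjects still match."""
    return re.sub(r"\s+", " ", raw or "").strip().lower()


def inspect_message(raw_bytes):
    """Return the reasons to quarantine a message; an empty list means pass."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    # policy.default decodes RFC 2047 encoded-words before the comparison.
    if normalize_subject(msg["Subject"]) == FRETHEM_SUBJECT:
        reasons.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        # Executable file name declared as a media type: a header mismatch
        # that should never occur in legitimate mail.
        if name.endswith(EXECUTABLE_EXT) and ctype.startswith(INNOCUOUS_TYPES):
            reasons.append("mime-mismatch:" + name)
    return reasons


# Constructed sample messages (not captured traffic).
SAMPLE_SUSPECT = (
    b"Subject: =?iso-8859-1?Q?Re:_Your_password!?=\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html\r\n\r\n<html></html>\r\n"
    b'--b1\r\nContent-Type: audio/x-wav; name="sample.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--b1--\r\n"
)
SAMPLE_CLEAN = (
    b"Subject: Re: your password reset\r\n"
    b'Content-Type: audio/x-wav; name="greeting.wav"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nUklGRg==\r\n"
)

if __name__ == "__main__":
    print(inspect_message(SAMPLE_SUSPECT))
    print(inspect_message(SAMPLE_CLEAN))
```

Because the subject is compared after header decoding and whitespace normalization, an encoded or folded copy of the same subject line is still caught, while the MIME check keeps working if the subject ever changes.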
