A new mass-mailing worm affecting Windows systems that arrives masquerading as a password has the potential to spread rapidly, though security insiders say it's not particularly destructive.
Frethem.K is the latest variant of a worm that was first spotted in June, but unlike its predecessors it seems to be making progress, antivirus experts said. Antivirus vendors started fielding calls about the worm early Monday morning, mostly from their European customers. (The worm's name comes from Free Desktop Themes.)
Frethem.K takes advantage of a long-known vulnerability in Microsoft Internet Explorer that allows the worm to execute without the recipient actually opening the message. A user of an unpatched system would only need to view the message in Preview Pane for the worm to execute.
When infecting a system, Frethem.K harvests e-mail addresses from the system's Windows Address Book and from dbx, .wab, .mbx, .eml, and .mdb files stored on the hard-drive. It then blasts out itself using its own SMTP engine.
The worm doesn't have a destructive payload. Its mass mailing activity could slow corporate networks especially if multiple infected employees are inadvertently blasting e-mails around, Trilling said.
Klez by contrast was able to harvest e-mail addresses from a host of files from Excel spreadsheets to cached Web pages. An infected system could literally pump out 1000's of infected e-mails.
Technically, Frethem.K is nothing unique, but its social engineering -- using a password to get recipients to open the e-mail -- is just good enough to entice some unsuspecting recipients to bite. "Social engineering is more than what you name a virus," said David Perry, global director of education for Trend Micro.
E-mail recipients may have been lulled into a false sense of security by the relatively dry period for viruses, Perry said. Also the tone of the message accompanying the worm may be official enough to trick some users into opening it.
Additionally, Frethem.K also lucked out and landed in mailboxes over the weekend. Unsuspecting workers coming in on Monday morning to a glut of e-mails may have opened the message with a little less skepticism than on another day.
Users should be suspicious of the message, as most companies don't send passwords by e-mail, said Steve Trilling, director of research for Symantec Security Response. "It is pretty usual to have a password emailed. It's really meant to be individual to the user," he said.
The message carrying Frethem.K arrives looking like this:
Subject:Re: Your password!Message text:You can access very important information by this password DO NOT SAVE password to disk use your mind now press cancelAttached files:decrypt-password.exe password.txt
In additional to the worm, the message also contains a non-malicious text file containing a bogus message:
Your password is W8dqwq8q918213
The writer of Frethem.K has been busy recently, as multiple variants have popped up over the last few days. "It appears the writer made some tweaks, recompiled it and sent it out," said Roger Thompson, technical director of malicious code research for TruSecure.
Most of the changes are probably just bug fixes, nothing significant., Thompson said. Experts can tell by looking at the timestamp the compiler left on the code. The size of the variants differ as well.
The best way to prevent infection from Frethem.K is updating antivirus definitions. All the major vendors have updated signature files. A stop-gap measure would be stripping all executable files at the gateway. Virus prevention experts tend to recommend blocking such files anyway as they don't often have legitimate business uses.
A less drastic step would be doing content filtering for the worm's subject line, which is the same for every variant, Perry said.