New worm preys on password promise

A new mass-mailing worm affecting Windows systems that arrives masquerading as a password has the potential to spread rapidly, though security insiders say it's not particularly destructive.

Frethem.K is the latest variant of a worm family first spotted in June, but unlike its predecessors it appears to be gaining ground, antivirus experts said. Antivirus vendors began fielding calls about the worm early Monday morning, mostly from their European customers. (The worm's name is derived from "Free Desktop Themes".)

Frethem.K exploits a long-known vulnerability in Microsoft Internet Explorer's MIME handling (the "Incorrect MIME Header" flaw addressed by Microsoft Security Bulletin MS01-020) that lets an attached executable run without the recipient ever opening the attachment. On an unpatched system, merely viewing the message in the mail client's preview pane is enough for the worm to execute.

FOR MORE INFORMATION:
Best Web Links on malicious code

Recent news exclusive exploring password policy

Microsoft's security bulletin (including the patch) for the MIME vulnerability


Feedback on this story? Send your comments to News Writer Edward Hurley

When it infects a system, Frethem.K harvests e-mail addresses from the Windows Address Book and from .dbx, .wab, .mbx, .eml and .mdb files stored on the hard drive. It then mails itself to those addresses using its own SMTP engine, so it does not depend on the victim's mail client.

The worm carries no destructive payload. Its mass-mailing activity could still slow corporate networks, especially if multiple infected employees are inadvertently blasting e-mail around, Trilling said.

Klez, by contrast, harvested e-mail addresses from a far wider range of files, from Excel spreadsheets to cached Web pages, so a single infected system could pump out thousands of infected e-mails.

Technically, Frethem.K is nothing new, but its social engineering -- dangling a password to get recipients to open the e-mail -- is just good enough to entice some unsuspecting recipients to bite. "Social engineering is more than what you name a virus," said David Perry, global director of education for Trend Micro.

E-mail recipients may have been lulled into a false sense of security by the relatively quiet period for viruses, Perry said. The tone of the message accompanying the worm may also be official enough to trick some users into opening it.

Frethem.K also had the luck to land in mailboxes over the weekend. Unsuspecting workers coming in on Monday morning to a glut of e-mail may have opened the message with a little less skepticism than on another day.

Users should be suspicious of the message, as most companies don't send passwords by e-mail, said Steve Trilling, director of research for Symantec Security Response. "It is pretty usual to have a password emailed. It's really meant to be individual to the user," he said.

The message carrying Frethem.K arrives looking like this:

Subject: Re: Your password!

Message text:
You can access very important information by this password
DO NOT SAVE password to disk use your mind
now press cancel

Attached files:
decrypt-password.exe
password.txt

In addition to the worm itself (decrypt-password.exe), the message carries a harmless text file, password.txt, containing the bogus password:

 Your password is W8dqwq8q918213 

The writer of Frethem.K has been busy recently, as multiple variants have popped up over the last few days. "It appears the writer made some tweaks, recompiled it and sent it out," said Roger Thompson, technical director of malicious code research for TruSecure.

Most of the changes are probably just bug fixes, nothing significant, Thompson said. Analysts can tell by comparing the timestamp the compiler stamps into each executable's header; the variants also differ in size.
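The timestamp Thompson refers to is the COFF TimeDateStamp that the linker writes into a Windows PE header. The following is an added example, not code from the article or from any vendor named in it: it reads that field and the file size so several samples can be ordered by build time. The sample "variants" are constructed in-line from a hand-built MZ/PE header with placeholder values; they are headers only, not runnable programs and not the worm.

```python
import struct
from datetime import datetime, timezone


def pe_build_info(data: bytes) -> dict:
    """Read the COFF TimeDateStamp the linker wrote into a PE header, plus the
    section count and file size. Raises ValueError for input that is not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE executable")
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    _machine, nsections, ts = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {
        "timestamp": ts,
        "built": datetime.fromtimestamp(ts, tz=timezone.utc),
        "sections": nsections,
        "size": len(data),
    }


def compare_variants(samples: dict) -> list:
    """Order samples by link time. Returns (name, UTC build time, size) rows."""
    rows = [(name, pe_build_info(blob)["built"].isoformat(), len(blob))
            for name, blob in samples.items()]
    return sorted(rows, key=lambda row: row[1])


def build_fake_pe(timestamp: int, padding: int) -> bytes:
    """Constructed sample: a minimal MZ stub and PE/COFF header carrying the
    given TimeDateStamp, padded so the 'variants' differ in size. Header only;
    it is not a runnable program."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 3 sections, timestamp, no symbols, optional header size, flags.
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x010E)
    return dos_header + b"PE\0\0" + coff + b"\0" * padding


if __name__ == "__main__":
    variants = {
        "variant_a.bin": build_fake_pe(1026000000, 100),  # 2002-07-07 00:00 UTC
        "variant_b.bin": build_fake_pe(1026100000, 140),  # about 28 hours later
    }
    for name, built, size in compare_variants(variants):
        print(f"{name:14} built {built}  size {size} bytes")
```

The timestamp is written by the linker and can be zeroed or forged by anyone who edits the header, so it is corroborating evidence that two samples came from the same build cycle, not proof.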

The best way to prevent infection by Frethem.K is to update antivirus definitions; all the major vendors have released updated signature files. A stop-gap measure is stripping all executable attachments at the mail gateway. Virus prevention experts tend to recommend blocking such files anyway, as they seldom have a legitimate business use.

A less drastic step is content filtering on the worm's subject line, which is the same for every variant, Perry said.
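Both gateway controls described above, stripping executable attachments and matching the fixed subject line, are shown together in the following added example. It is not code from the article or from any vendor quoted in it; the extension list is an assumed gateway policy, and the sample mail is constructed from the message layout the article prints, with a 64-byte MZ placeholder standing in for the worm. Attachments are judged by their bytes as well as their filename, so a renamed or mislabelled executable is still caught.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment extensions stripped outright at the gateway (assumed policy list).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# The subject the article reports for every Frethem.K variant.
FRETHEM_SUBJECT = re.compile(r"^\s*re:\s*your\s+password!\s*$", re.IGNORECASE)


def is_executable_part(part) -> bool:
    """True for a part whose filename has an executable extension or whose
    decoded bytes begin with the MZ magic, whatever its declared Content-Type."""
    name = (part.get_filename() or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in EXEC_EXTENSIONS:
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == b"MZ"


def filter_message(raw: bytes) -> tuple:
    """Apply both controls to one raw message. Returns (report, sanitized_bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    report = {"subject_match": bool(FRETHEM_SUBJECT.match(subject)), "stripped": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if is_executable_part(part):
            name = part.get_filename() or "unnamed"
            report["stripped"].append(name)
            # Swap the executable for a plain-text notice; the MIME tree is kept intact.
            part.clear_content()
            part.set_content(f"[attachment {name} removed by gateway policy]\n")
    if report["subject_match"]:
        report["action"] = "quarantine"
    elif report["stripped"]:
        report["action"] = "deliver-stripped"
    else:
        report["action"] = "deliver"
    return report, msg.as_bytes()


def attachment_names(raw: bytes) -> list:
    """Filenames still attached to a message (used to check the filtered result)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample(subject: str, with_exe: bool) -> bytes:
    """Constructed test mail modelled on the article's description of the
    Frethem.K message. The .exe body is a 64-byte MZ placeholder, not the worm."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("You can access very important information by this password\n"
                    "DO NOT SAVE password to disk use your mind\n"
                    "now press cancel\n")
    if with_exe:
        msg.add_attachment(b"MZ" + b"\0" * 62, maintype="application",
                           subtype="octet-stream", filename="decrypt-password.exe")
    msg.add_attachment("Your password is W8dqwq8q918213\n", subtype="plain",
                       filename="password.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    report, clean = filter_message(build_sample("Re: Your password!", True))
    print(report)
    print("remaining attachments:", attachment_names(clean))
```

The subject match is the weaker of the two controls: it costs nothing and catches every variant seen so far, but the author only has to change one string to defeat it, which is why the attachment check does not depend on the subject at all.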
