Antivirus vendors warn of Fretheme worm

A new virus has surfaced internationally, and businesses are warned to protect themselves before it causes more damage

Antivirus companies have warned users to install patches and signature files to protect against a worm variant that has surfaced in the US and Europe.

On Wednesday night anti-virus software vendor Trend Micro issued a yellow (medium) alert for what it refers to as Worm_Fretheme.E. Anti-virus vendors sometimes use different names for worms, and incidents of the W32/frethem.f@mm variant have also been logged in countries such as the US.

Andrew Gordon, managed services architect at Trend Micro in Australia, said that there had been infection reports from several of its business units around the world, particularly the US.

Gordon said that, from what he could gather, the variant had been released in the US.

Worm_Fretheme.E is similar to other worms, in that it's an email-propagated .exe attachment, Gordon said. With this worm the subject line reads "Re: Your password!" The attachment is Decrypt-password.exe.

The message body reads: "ATTENTION! You can access very important information by this password. DO NOT SAVE password to disk use your mind now press cancel."
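The subject line, attachment name and body text reported above can be turned into a mail-gateway check. The following is an added example, not code from any vendor quoted in this article; the function names and the quarantine policy in `verdict` are assumptions, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article text, stored lower-case for comparison.
SUBJECT = "re: your password!"
ATTACHMENT = "decrypt-password.exe"
BODY_PHRASE = "do not save password to disk"

def frethem_indicators(raw: bytes) -> set:
    """Return which of the reported indicators appear in one raw message."""
    # policy.default decodes RFC 2047 subjects and RFC 2231 filenames.
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if str(msg.get("Subject", "")).strip().lower() == SUBJECT:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() == ATTACHMENT:
            hits.add("attachment")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        try:
            text = " ".join(body.get_content().split()).lower()
        except (LookupError, UnicodeError):
            text = ""  # unknown or broken charset: skip the body check
        if BODY_PHRASE in text:
            hits.add("body")
    return hits

def verdict(raw: bytes) -> str:
    """Assumed policy: the attachment name, or any two indicators, quarantines."""
    hits = frethem_indicators(raw)
    if "attachment" in hits or len(hits) >= 2:
        return "quarantine"
    return "flag" if hits else "pass"

def build_sample(subject, body, attachment=None) -> bytes:
    """Construct a test message; the attachment bytes are inert placeholder text."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```

A subject match on its own is only flagged, since ordinary replies can carry the same subject line.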

According to Gordon, Worm_Fretheme.E is fairly vanilla: its only major difference from Worm_Fretheme.A is that, once a machine has been infected, it tries to connect to a raft of Web sites whose IP addresses are listed. Gordon said this was only to generate hits for the sites, rather than to send anything to them.

Ric Byrnes, director of support and services for Asia Pacific at anti-virus vendor Network Associates, said it had the w32/frethem.f@mm variant listed as low risk.

Byrnes said the variant had been discovered on Friday, with a signature file, detection, cleaning and removal released yesterday. He described it as a mass-mailing worm that affected Microsoft Outlook Express users.

According to Byrnes, the worm exploited a vulnerability in Microsoft's Internet Explorer, for which a security bulletin and patch had been issued early last year.

He suggested that, in addition to updating their anti-virus software protection, users also install the latest security patches for IE.

However, Byrnes said Network Associates had seen minimal impact from this variant, and hadn't as yet recorded any incidents of it in Australia.

Paul Ducklin, head of global support at Sophos Anti-Virus, said it had only seen a few incidents of this worm.

Worms, viruses and vulnerabilities have been on the minds of corporate users in recent months. Late last week, a visiting security expert warned Australian businesses that Klez could continue to cause headaches over coming months. Vulnerabilities, such as that found in version 9 of BIND, have also come to light in recent weeks.
