Frethem worm hits unpatched systems and naive users

The Frethem worm should be old news that's not worthy of coverage, but it has recently made a comeback by hitting unpatched systems. It's also luring users to open its attachment, which can infect even properly patched systems.

A couple of new variants of the Frethem mass-mailing worm are spreading, and it's succeeding only because some users and administrators are careless. This worm should have been stopped in its tracks more than a year ago when Microsoft released a patch that prevents it from automatically infecting systems by opening the e-mail that carries the infection. Apparently, a lot of people didn’t patch the affected versions of Internet Explorer, and the fast spread of this worm shows that security supervisors can’t let down their guard even years after a vulnerability is patched.

Frethem comes in several varieties, including w32.frethem.m@mm, frethem.A@mm, and frethem.B@mm. The two versions of Frethem now spreading aren’t very different from the earlier versions. If you applied the year-old Internet Explorer patch, merely opening an e-mail containing the Frethem infection can’t automatically launch the worm.

But some people are catching Frethem even though they have patched Explorer because there is a second way you can catch it—by opening the attachments. That’s what makes it so frustrating for security experts who see that Frethem is raging through some parts of the Internet despite the readily available patch. Even if a system is patched correctly, users who haven’t learned not to open strange e-mail attachments can still trigger an infection.

Frethem includes its own SMTP mail engine, and once it infects a system, the worm collects e-mail addresses from Outlook Express (.DBX), Windows Address Book (.WAB), .MBX, .EML, and .MDB files. It then spreads itself by mailing to all of the addresses that it locates. Social engineering is required to get people to open the initial e-mail.

The subject line, “RE: Your Password!” is an eye-catching phrase that makes the message itself tempting to open, especially if an administrator was careless enough to get his or her system infected and the e-mails carry that address in the From: line.

But if a user goes only as far as opening the e-mail, and the system is patched properly, nothing will happen. The second part of the social engineering attack comes in trying to trick the user into opening one of the attachments. It does this by using interesting filenames, Decrypt-password.exe and Password.txt. Even if IE has been properly patched, opening the .exe file will infect the system.

The Password.txt file is simply a text file containing a dummy message purporting to be a password. This is also reasonably clever social engineering because even people who are careful about opening an executable attachment might well open one they thought was plain text. If they do so, it will seem innocuous enough that they may decide to open the other file and thus infect the system.

The automatic infection vector, the one that will infect a system if the initial e-mail is opened even without any action regarding either attachment, exploits a MIME header vulnerability that has been patched in current IE versions but that still exists in any unpatched version of 5.01 or 5.5. If you have installed Service Pack 2 for IE, the patch has already been applied, but—and this is the important thing to tell users—it blocks only the automatic infection vector. Even with the patch installed, Frethem can spread from people opening the attachment. Any patch of the MIME vulnerability just blocks the worm from opening the Decrypt-password.exe automatically.

A lot of users haven’t been properly educated to understand that even when their administrator keeps all the software properly patched and uses a good antivirus program, dangerous e-mails can still wind up in their Inbox, and they must still exercise caution at all times.

Frethem.K and a more dangerous version labeled Frethem.L are both being found in the wild at this time. According to a report in The Mercury News, the recent outbreak of Frethem was first seen in Japan, where a mail server at the National Aerospace Laboratory was infected, causing e-mail service to be lost for several hours while the worm was cleared out of the system.

Risk level—low to moderate
Symantec rates distribution as high for this worm but lists damage as low because it doesn’t delete files or attempt to alter them. However, the report out of Japan, which said an important government agency’s mail server was down for hours due to this worm, should remind administrators that even relatively innocuous worms and viruses such as Frethem should always be taken seriously. They still cost time and money to remove and can often disrupt network services.

Internet Explorer version 5.01 or IE 5.5 without SP2, and most other early IE versions running on any version of Windows are vulnerable. IE 6.0 is not vulnerable to the MIME flaw, but every Windows system is vulnerable if someone actually opens the attachment.

Mitigating factors
Microsoft Security Bulletin  MS01-020 covered this vulnerability, and the patch has been available for more than a year. There was nothing wrong with this patch. Another Microsoft Security Bulletin, MS01-027, includes an updated patch that also addresses this threat, as does SP2. Many antivirus scanners will detect this worm even if they haven’t got the latest signature update files.

This worm would be old news if its recent rapid spread didn’t demonstrate that a large number of systems are still vulnerable one way or another and that many users still make a habit of opening strange attachments. Frethem shouldn’t be making the kind of headway that is being reported. Newer versions of Internet Explorer are not vulnerable, nor are those with the proper patches, unless users fail to follow best practices when it comes to opening strange e-mails.

Avoid Frethem by applying the patch and teaching users not to open e-mail attachments they aren’t expecting. Network Associates (McAfee) has a description of the latest version of this worm, along with a step-by-step manual removal procedure. Symantec offers the W32.Frethem Removal Tool.

As cumbersome as it is, the only real way to manage these periodic outbreaks of social-engineering attacks that entice people to open attachments is to institute a strict policy in your organization that no legitimate attachment will ever be sent without some codeword in the subject line or unless another e-mail is sent in advance to confirm that a file is on its way.

Recommendation: Set up an attachment code
The most successful tactic I’ve found for my clients is a strict policy prohibiting opening any attachment without a special code word, number, or symbol in the subject line (such as "ATH: Here's that Word document"). It's simple enough to do, and it can eliminate the problem of users opening e-mails simply because they came from someone they know (whose e-mail address may have been hijacked by a virus). Of course, if you implement this approach, you also must have a clear security policy in place and some stiff penalties if users ignore the rules.

Final word
Frethem is, in truth, a relatively harmless infection, although it could seriously harm your reputation if you haven't patched your systems. If you fall prey to this pest, either your software isn’t being updated and patched correctly or your users haven’t been properly trained about opening strange e-mails and their attachments.

If your system is infected in spite of having the patch installed, take this as a teaching opportunity for users and a way to show management that even when network administrators do everything right, employees still need periodic reminders of best practices.

Editor's Picks

Free Newsletters, In your Inbox