-----Original Message-----
From: UNIRAS (UK Govt CERT)
Sent: 13 June 2002 10:06
To: [EMAIL PROTECTED]
Subject: FW: UNIRAS Alert - 17/02 - SOPHOS - Malicious Software Report - W32/Frethem-Fam
Importance: High


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Alert Notice - 17/02 dated 13.06.02  Time: 10:00
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Malicious Software Report - W32/Frethem-Fam

Detail
======

UNIRAS Comment:

This particular virus and a number of variants have begun to emerge since Tuesday.
There are indications from MessageLabs that W32/Frethem.F-mm is beginning to cause
some problems with an acceleration in its promulgation.

It is suggested that anti-virus software vendors be consulted to ensure that the
most recent patch releases will protect you against it.

================================================================================

SOPHOS Security Bulletin:

Name: W32/Frethem-Fam
Type: Win32 worm
Date: 12 June 2002

A virus identity file (IDE) which provides protection is
available now from our website and will be incorporated into the
July 2002 (3.59) release of Sophos Anti-Virus.

Sophos has received several reports of this worm from the wild.

Note: This IDE was updated at 10:55 GMT on 12 June 2002 to
enhance detection.

Description:

W32/Frethem-Fam is a family of email-aware worms.

At the time of writing, Sophos is aware of six variants of
W32/Frethem, all of which are detected by this identity.

One variant has been reported from the wild. It arrives in an
email with the following characteristics:

Subject line: Re: Your password!
Message text:

ATTENTION!

You can access
very important
information by
this password

DO NOT SAVE
password to disk
use your mind

now press
cancel

Attached files: decrypt-password.exe, password.txt

W32/Frethem is contained in the attached EXE file, which
attempts to exploit an Outlook bug in order to run automatically
when the mail is read.

The file password.txt is not infectious -- it just contains the
text:

Your password is W8dqwq8q918213

Download the IDE file from
http://www.sophos.com/downloads/ide/fret-fam.ide

Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32frethemfam.html

Download a ZIP file containing all the IDE files available for
the current version of Sophos Anti-Virus from
http://www.sophos.com/downloads/ide/ides.zip

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

- ---------------------------------------------------------------------

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone. Not Protectively Marked information may be sent via EMail to:

[EMAIL PROTECTED]
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of SOPHOS and MessageLabs for the
information contained in this Alert.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQCVAwUBPQheuIpao72zK539AQEz9AP/V/bFdkoUIn3xh1NRyaylvwdSAlVX0D4t
6sjxcLkMppxMZ50OuIXa6q3pD/insn76DIeb02hOxlzFDrVQlXI5x3Ml4l3dgxOZ
2Yd1UCh2i2bZ6lBgD5OzS/nPTXfMR31J0i65VqMEM656gsF8ToSJdGcFtXTshX59
zadchVNmbA0=
=+g3/
-----END PGP SIGNATURE-----




IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk
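
The message characteristics listed in the Sophos bulletin can be turned into a mail-gateway check. The following is an added example, not part of the original alert or any Sophos or UNIRAS tooling; the function names, verdict labels and the constructed sample message are assumptions. Because the bulletin describes only one of six variants, partial matches are held for review rather than passed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the bulletin above; verdict names are this example's own.
SUBJECT = "re: your password!"
ATTACHMENTS = {"decrypt-password.exe", "password.txt"}
BODY_MARKERS = ("do not save password to disk", "use your mind")
WORM_BODY = ("ATTENTION!\n\nYou can access\nvery important\ninformation by\n"
             "this password\n\nDO NOT SAVE\npassword to disk\nuse your mind\n\n"
             "now press\ncancel\n")

def indicators(raw: bytes) -> dict:
    """Return which of the bulletin's characteristics a raw message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    names = {(p.get_filename() or "").lower() for p in msg.iter_attachments()}
    part = msg.get_body(preferencelist=("plain",))
    # Collapse whitespace so the line-broken body text matches as phrases.
    body = " ".join(part.get_content().lower().split()) if part else ""
    return {
        "subject": (msg["Subject"] or "").strip().lower() == SUBJECT,
        "attachments": ATTACHMENTS <= names,
        "exe_attached": any(n.endswith(".exe") for n in names),
        "body": all(m in body for m in BODY_MARKERS),
    }

def classify(raw: bytes) -> str:
    hits = indicators(raw)
    if hits["subject"] and hits["attachments"]:
        return "quarantine"   # matches the variant reported from the wild
    if hits["exe_attached"] and (hits["subject"] or hits["body"]):
        return "suspicious"   # partial match: hold for analyst review
    return "clean"

def build_sample(subject: str, body: str, filenames: list) -> bytes:
    """Constructed test message; attachments hold placeholder bytes only."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.invalid", "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    for name in filenames:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    sample = build_sample("Re: Your password!", WORM_BODY,
                          ["decrypt-password.exe", "password.txt"])
    print(classify(sample), indicators(sample))
```
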

