
Virus tempts with peek at passwords


A new computer virus with the tempting subject line “Re: Your password!” began worming its way around the Internet Monday. Dubbed “Frethem,” the virus is rated a medium risk by most researchers because it is spreading relatively quickly. According to antivirus firm Symantec Corp., Frethem has already infected computers inside 25 companies since its initial discovery early Monday.

A computer specialist at the National Institute of Standards and Technology, Joe Matusiewicz, said Frethem was hitting the agency very hard — one copy of the worm was arriving every minute, he said. Fortunately, systems there were stripping the worm off e-mails before they were sent to recipients.

Still, Frethem is not expected to reach outbreak status on the level of Melissa, or even the more recent Klez worm. Infection rates are not dramatic. Vincent Gullotto, vice president of McAfee’s Avert Labs, said his firm has received about 100 submissions of the worm; Symantec says it has received word of 112 individual computers that have been infected. But that number might be a little deceiving, says Steve Trilling, director of research at Symantec.

“It’s pretty significant that 25 different corporations have been hit by this thing,” said Steve Trilling, director of research at Symantec. “For any one of those, they may only submit one report, but that could reflect many, many infections inside the company.” Symantec rates the worm’s threat as a 3 on a scale of 1 to 5.

Frethem was actually released in its initial form several weeks ago, Gullotto said. But during the weekend, four variants of the worm were released, including “Frethem.L,” which hit Sunday night. That’s the variant which seemed to click, and began spreading fast in Asia a little after midnight PT, Gullotto said. Still, while McAfee raised its risk rating to medium at that point, Gullotto thinks the worm will cause only scattered problems.

“It’s well under control now,” he said at about noon PT. “I do not see an outbreak happening.”

Apparently, many Internet users have been tempted to peek at the worm because of its enticing subject line, suggesting it offers some kind of secret password information.

The body of the message says:

You can access

The e-mail includes two attachments — a harmless text file named Password.txt, and the worm Decrypt-password.exe.

But the worm takes advantage of an old flaw in Microsoft Outlook that allows it to execute even if the victim doesn’t open the infected attachment. (MSNBC is a Microsoft-NBC joint venture.) Merely previewing the message in an unpatched Outlook system is enough to cause an infection. A free patch to protect against that vulnerability is available at Microsoft’s Web site.

But even users who have patched their systems against that flaw can still become infected if they open Decrypt-password.exe.

But the message body should be enough to tip off users that the e-mail is suspicious, Trilling says.

“The message itself ought to seem a little odd,” he said. “People should realize that passwords are not things anyone other that ought to be sending you information about. ... and nobody should be asking for your password.”

On the other hand, the message seems to suggest that it offers a password that might open files and unlock secrets for a recipient willing to open it, a temptation some apparently can’t resist.

“I suppose in the same way people wanted to open a picture of Anna Kournikova,” Trilling said, referring to another successful virus that appealed to Net users’ desire to see pictures of the heartthrob Russian tennis star.

Frethem can clog up corporate e-mail systems with extra messages, but the worm doesn’t seem to do anything else malicious to infected computers. Only Windows systems are at risk; the worm won’t infect Linux, Unix, or Macintosh systems, according to Symantec.

Consumers can protect themselves by updating their antivirus software.

The Associated Press and Reuters contributed to this report.