Australia alerted to Fretheme worm

Australian businesses are being warned to install patches and signature files to protect against a worm variant which has surfaced in the US and Europe.

This morning anti-virus software vendor Trend Micro issued a yellow (medium) alert for what it refers to as Worm_Fretheme.E. Anti-virus vendors sometimes use different names for worms, and incidents of the W32/frethem.f@mm variant have also been logged in countries such as the US.

Andrew Gordon, managed services architect at Trend Micro, said that although Australian businesses seem to have avoided infection by Worm_Fretheme.E to date, there had been infection reports from several of its business units around the world, particularly the US.

Gordon said that, from what he could gather, the variant had been released in the US.

Worm_Fretheme.E is similar to other worms, in that it's an e-mail propagated .exe attachment, Gordon said. With this worm the subject line reads "Re: Your password!". The attachment is Decrypt-password.exe.

The message body reads: "ATTENTION! You can access very important information by this password. DO NOT SAVE password to disk use your mind now press cancel."

According to Gordon, Worm_Fretheme.E is fairly vanilla in that its only major difference from Worm_Fretheme.A is that, once you've been infected, it'll try to connect to a raft of Web sites whose IP addresses are listed. Gordon said this was only to generate hits for the sites, rather than send anything to them.

Ric Byrnes, director of support and services for Asia Pacific at anti-virus vendor Network Associates, said it had the w32/frethem.f@mm variant listed as low risk.

Byrnes said the variant had been discovered on Friday, with signature file, detection, cleaning and removal released yesterday. He described it as a mass mailing worm, which affected Microsoft Outlook Express users.

According to Byrnes, the worm exploited a vulnerability in Microsoft's Internet Explorer, for which a security bulletin and patch had been issued early last year.

He suggested that, in addition to updating their anti-virus software protection, users also install the latest security patches for IE.

However, Byrnes said Network Associates had seen minimal impact from this variant, and hadn't as yet recorded any incidents of it in Australia.

Paul Ducklin, head of global support at Sophos Anti-Virus, said it had only seen a few incidents of this worm, none of which had been in this country.

Worms, viruses and vulnerabilities have been on the minds of corporate users in recent months. Late last week, a visiting security expert warned Australian businesses that Klez could continue to cause headaches over coming months. Vulnerabilities, such as that found in version 9 of BIND, have also come to light in recent weeks.
