File setup.exe in the StartUp folder (usually in C:\Windows\Start Menu\Programs\StartUp or in %USERPROFILE%\Start Menu Programs\StartUp);
File taskbar.exe in the Windows directory (usually C:\Windows or C:\Winnt).
The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus. Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client.
The BitDefender AntiFrethem-EN.exe
tool does the following:
it detects all the known Frethem versions;
it deletes the files infected with Frethem;
it kills the process from memory;
it repairs the Windows registry.
You may also need to restore the affected files.
For preventing this virus to use the IFRAME
exploit apply the patch
for Internet Explorer 5.0 and 5.5.
Costin Ionescu BitDefender Virus Researcher
This is a new version of Win32.Frethem.F@mm. The virus spreads through e-mail as an attached file.
The format of an infected e-mail is (the same as in the previous versions): From: Subject: Re: Your password! Body: ATTENTION! You can access
this password DO NOT SAVE
password to disk
use your mind now press
cancel Attachments: decrypt-password.exe
The e-mail also contains the IFRAME vulnerability
so if the user reads his e-mail with an unpatched version of Microsoft Outlook or Microsoft Outlook Express, it will be infected when it views the message in the preview pane.
The virus copies itself as setup.exe
in the Startup
directory of the current profile (as shown in the Symptoms section) and in Windows directory as taskbar.exe
. Also it writes in the key: [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
the value Task Bar
to point to the taskbar.exe
It uses the SMTP servers of the victim and the e-mails stored in Windows Address Book
(used by Outlook Express) and in all DBX, WAB, MBX, EML, MDB, DAT
files from disk to send infected e-mails. Also e-mail addresses are searched in all files from subfolders called mail
The author wrote in the executable: ThAnks tO AUthOr! YOU ArE rEAllY grEAt mAn!
AlsO thAnks tO AntIvIrUs cOmpAnIEs fOr dEscrIbIng thE mAIlEr IdEA!
nO AnY dEstrUctIvE ActIOns! dOnt wArrY, bE hAppY!
As its previous versions it does not infect computers which have installed the keybord layouts specific for Russian and Uzbek keyboards.