Lumension® Endpoint Intelligence Center



Threat Risk: LOW
Destructivity: Unknown
Payload: Steal information
Detection files published:
Description created: 16 Apr 2010 01:55:00
Description updated: 16 Apr 2010 01:55:00
Malware type: TROJAN
Alias: PWS:Win32/Frethog (Microsoft), W32/Frethog (Sophos), Trojan.PSW.Frethog (McAfee)
Spreading mechanism: IRC



On execution, W32/Frethog creates a copy of itself with a random name under the %WINDIR%, %SYSTEM% or %TEMP% folder, depending on the variant. It creates .dll files with random names under the %SYSTEM% folder, which are then injected into the legitimate Windows process explorer.exe. The code checks whether any online games, such as World of Warcraft or Gamania, are running on the infected system. It uses different runtime packers to reduce the detection rate. It also creates a value, which varies depending on the variant, under the “RUN” key in order to execute the spy on every startup of Windows. Some variants of W32/Frethog may create an autorun.inf file in order to execute the malware whenever the drive is viewed.
The payload differs depending on the variant of W32/Frethog.
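
The persistence behaviour described above can be triaged from exported Run-key values and autorun.inf content. The following is an added example, not part of the original description or any vendor tool; the folder mapping, function names and sample data are constructed assumptions, and a hit is a lead to review, since legitimate programs also start from these folders.

```python
import ntpath
import re

# Assumed mapping for the page's %WINDIR% / %SYSTEM% / %TEMP% placeholders.
ENV = {"WINDIR": r"C:\Windows", "SYSTEM": r"C:\Windows\System32",
       "TEMP": r"C:\Users\u\AppData\Local\Temp"}
# Constructed Run-key values (name -> command line), not from a real sample.
RUN_VALUES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "kqxvbn": r"C:\Windows\kqxvbn.exe",
    "upd": r"%TEMP%\a1b2c3.exe -s",
}
# Constructed autorun.inf content.
AUTORUN_INF = "[AutoRun]\nopen=rnd.exe\nicon=folder.ico\nshell\\open\\command=rnd.exe /e\n"

def image_path(command):
    """Return the executable path from a Run-value command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]

def triage_run_values(values, env=ENV):
    """List (name, path, folder) for values launching from a watched folder."""
    watched = {ntpath.normcase(p): k for k, p in env.items()}
    hits = []
    for name, command in values.items():
        path = re.sub(r"%([^%]+)%",
                      lambda m: env.get(m.group(1).upper(), m.group(0)),
                      image_path(command))
        path = ntpath.normpath(path)
        folder = watched.get(ntpath.normcase(ntpath.dirname(path)))
        if folder:
            hits.append((name, path, folder))
    return hits

def autorun_commands(text):
    """Return the commands an autorun.inf [autorun] section would launch."""
    cmds, section = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "autorun" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() in ("open", "shellexecute") or key.lower().endswith("\\command"):
                cmds.append(value)
    return cmds
```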

Payload Details





Norman’s antivirus products are in general able to remove all malicious software that is detected. Some malware variants, however, use techniques that the general product does not remove sufficiently. We have therefore developed the free product Lumension Malware Cleaner. Please use the latest version of this program from the link below if your Lumension antivirus is unable to clean the infection.

Last Updated: 12 Nov 2015 11:06:10