Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

February 2005 - Posts

Cell Phone Virus in U.S.

From Newsday:

SANTA MONICA, CALIF. -- A California store recently offered a free -- although unwanted -- giveaway: The first known American occurrence of a slowly spreading cell-phone virus.

The Cabir virus was spotted on a cell phone in a Santa Monica, [California] store, according to F-Secure, a Finnish security company.

The virus could wirelessly infect nearby phones. Susceptible devices are certain smartphones, a combination of a handheld computer and cell phone. The phones must have Bluetooth, wireless data transfer.

Posted: Feb 23 2005, 03:20 PM by trafton | with 9 comment(s)
MyDoom.BB - Medium Risk

MyDoom.BB, or .AX at Symantec, has been upgraded to a medium risk rating and is spreading rather quickly. More information available here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ax@mm.html
http://vil.mcafeesecurity.com/vil/content/v_131856.htm

Extended coverage tomorrow afternoon.

Love, Mass-Mailers in the Air

Few, if any, major holidays pass without a new virus to go along with them. Typically, these worms are not significantly more successful than non-themed worms. There are a few exceptions: Navidad for Christmas 2000 and Ska (Happy99) for New Years 1999 and, of course, the infamous Loveletter, which coincided with Valentine's Day 2000.

Now, gathering up bits from around the wire, we find news of a new Valentine's Day worm, a variant of the Kipis family. Per Symantec, which refers to the worm as Kipis.J:

W32.Kipis.J@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on an infected computer. It also attempts to spread through file-sharing networks.

Of course, love sells, but sex sells better - Kipis.J sends itself either with a cheery Valentine's Day message (e.g. “Happy Valentine's Day,” “Present,” or “for my love...”) or a suggestion of pornography within (“Re: My porno”). There are also a number of simply generic subjects (such as “here,” “hi,” and “your”). The attachments are a mix of suggestive and romantic file names, ending with either .exe, .scr, or .zip.

Kipis.J is a fairly complex worm. It adds obviously pornographic files into P2P programs' Shared Files folders, seeks email addresses from a range of files, and avoids sending itself to addresses that could belong to antivirus companies or spam traps. Interestingly, it does not appear to disable antivirus programs.

Fortunately, it does not appear that Kipis.J is spreading significantly in the field at this time. I will watch it for future developments, but the good news is so far it is looking like Valentine's Day will be relatively calm.

Sophos also mentions another worm, VBS/VBSWG.D, as being a threat. From PC Pro in the United Kingdom:

According to UK security company Sophos, Kipis-H and VBSWG-D are already running amok, playing on hopes that inboxes will be filled with impassioned admissions of desire, come next Monday.

This is not the VBSWG.D that other antivirus companies isolated back in 2001 (more commonly known as “Independence Day”) but rather a new VBScript mass-mailer discovered recently. Sophos has information about it here. The worm comes in an email with the subject “First Love Story ...!!!” with FirstLove.VBS attached. The message body reads two lines: “Hi,” and “Check the attachment”.

As with Kipis.J, it appears that VBSWG.D is not spreading significantly and may simply be mentioned because it was a Valentine's Day related worm, even if it is not actually being found in the field.

Have a safe Valentine's Day and be careful out there. :)

Posted: Feb 10 2005, 03:19 PM by trafton | with 1 comment(s)
Bropia.G - MSN Users Should Remain Vigilant

We may just now be seeing the first notable outbreak of an MSN Messenger worm.

Bropia.G, known by various other letters depending on the antivirus company, is a variant of the slightly successful Bropia family. Like past variants, .G spreads via MSN Messenger to any contact that changes their status (e.g. Busy to Away). Also like previous variants, it contains a backdoor (a version of Spybot). McAfee has details here.

Previous versions heavily utilized the Windows interface in an attempt to spread. It seems this one is more successful. Secunia rates this worm as a medium risk, as does Trend Micro. Infected users will have the file SEXY.JPG dropped to their root folder. It contains an image that is probably intended to be humorous (courtesy of Trend Micro):

[Image: SEXY.JPG]

This will be displayed after the worm is executed.

File names for this threat are:

  • Bedroom-thongs.pif
  • Hot.pif
  • LMAO.pif
  • LOL.scr
  • Naked_drunk.pif
  • New_webcam.pif
  • ROFL.pif
  • underware.pif
  • Webcam.pif

Targeted users will see a window like the following when the worm tries to send itself to them under the name of the infected user (courtesy of Trend Micro, click for larger view):

The worm also tries to spread to users of Windows Messenger. However, this fails, because built-in security features prevent it. The following text will instead be seen, with naked_drunk.pif being the file name:

The transfer of the file “naked_drunk.pif” has been blocked because it could be unsafe.

Worms like these generally spread amongst communities of MSN users, and regionalization of infection is not uncommon. According to Trend Micro statistics, 89.7% of infections so far originate from Asia. In fact, Taiwan alone accounts for 60.8% of infections worldwide.

I can, however, attest to this worm being in the wild in the United States, which currently accounts for 6% of infections. I received a report from a user two days ago who said her computer was trying to send Webcam.pif. This was after the worm was isolated, but before a description was posted.

Fortunately, like past versions of Bropia, the author did not take the time to add a start-up routine. Rebooting the machine seems to remove this worm from memory. This means that it is likely the worm will become nearly extinct within a few months, depending on how quickly it is currently spreading.

In the meantime, though, it is worth keeping careful watch on.

Locknut - Damaging Mobile Phone Trojan Horse

F-Secure reports a new Trojan horse for Symbian Series 60 mobile phones by the name of Locknut, also known as Gavno (this is not an official name, as it is an offensive term in Russian). It is a malicious SIS file that effectively prevents any use of the smartphone features. Infected phones will look something like this (click image for a larger view):

Some claims have been made that this Trojan is capable of disabling the calling function of the phone itself, something which would be a first, but F-Secure's testing in a contained environment found that this was not true.

Some versions of Locknut may also contain a sample of Cabir.B, another mobile phone threat; these samples are more or less the equivalent of a .ZIP file on a PC that contains two different Trojan horses. There is no “blending” of the two threats. Due to an error, this is all irrelevant, though; Locknut disables the smartphone functionality which, ironically, disables Cabir.B as well. Even if the phone is cleaned of Locknut, Cabir.B still will not work, as it is dropped in the wrong folder on the phone. If the user were to manually execute Cabir.B after disinfecting Locknut, it would spread like any normal case of Cabir.B.

F-Secure has created a number of removal tools for these new mobile phone threats, which are otherwise extremely difficult to remove. The .ZIP version can be downloaded here, and the SIS file version here. In cases where Cabir.B is also dropped, F-Secure recommends their own F-Secure Mobile Anti-Virus for Series 60 and Series 90. A free trial can be found here.

It is important to note that so far there has been little threat from mobile phone Trojans and this threat is unable to spread on its own. Few infections have been reported.

Posted: Feb 04 2005, 04:37 PM by trafton | with 1 comment(s)