Saturday, March 12, 2005

Mobile Phone Virus Spreading Via MMS

In the past, the few mobile phone viruses to have success have done so through propagation via Bluetooth technology.

Previously, malicious programs like the Cabir virus made use of a phone's Bluetooth technology. Once a phone was infected, the virus, via Bluetooth, would "search" for other mobile units where it could spread. However, this new mobile virus called Commwarrior uses both Bluetooth and multimedia messaging services (MMS) to spread itself to other phones.

Because of the method Commwarrior uses to infect others, many are considering it to be the first official mobile phone virus. The virus also runs on the mobile OS environment, Symbian Series 60.

According to F-Secure, who first presented the Commwarrior news, the mobile worm sends an MMS message to other unsuspecting users. The infected message contains the Russian text "OTMOP03KAM HET!", which roughly translates as "No to braindeads".

On F-Secure's weblog, the engineers offer further details by saying, "Phone viruses so far have been spreading over Bluetooth - so they only affected phones that were nearby. A MMS virus can potentially go global in minutes, just like email worms do."

Besides placing Commwarrior files on the phone, gathering contact information, and attempting to spread itself to other phones, the amount of damage the mobile virus inflicts is minimal. The area of concern for the security industry stems from Commwarrior's method of propagation. Because it can make use of both Bluetooth technology and MMS capabilities, spreading itself to other phones is not too difficult.

Once infected, Commwarrior places the following files within a mobile unit:

\system\apps\CommWarrior\commwarrior.exe
\system\apps\CommWarrior\commrec.mdl
\system\updates\commrec.mdl
\system\updates\commwarrior.exe
\system\updates\commw.sis

Symantec's bulletin for Commwarrior contains removal instructions in case you have a mobile phone that gets infected:

To remove SymbOS.Commwarrior.A:
Install a file manager program on the phone.
Enable the option to view the files in the system directory.
Search the drives, A through Y, for the \system\apps\commwarrior directory.
Delete the files commwarrior.exe and commrec.mdl.
Go to the \system\updates\commwarrior directory.
Delete the files commwarrior.exe, commrec.mdl, and commw.sis.

That'll take care of it!

Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, March 11, 2005 - Four worms (the B and C variants of Kelvir, Fatso.A
and Sober.O) and two Trojans (Ruzes.A and Downloader.BBN) will be described
in this week's report on viruses and intruders.

The first three worms (Kelvir.B, Kelvir.C and Fatso.A) in today's report are
designed to spread rapidly via the application MSN Messenger. These worms
reach computers in a message that includes a link to an Internet address. If
the user accesses this link, files containing the code of these worms will be
downloaded and installed on the computer.

Kelvir.B and Kelvir.C carry out various actions in the computers that they
infect, including the following:

- Send messages to the entries in the MSN Messenger contact list.

- Download several variants of the Gaobot or Sdbot Trojans from a web page,
which allow a hacker to gain remote control of the affected computer through
IRC chat channels.

Fatso.A spreads through the instant messaging application MSN Messenger and
via peer-to-peer (P2P) file sharing programs. When it infects a computer, it
ends the processes belonging to various security tools, such as antivirus
programs and firewalls, leaving the computer vulnerable to other malware.
Fatso.A also modifies the system configuration so that it is automatically
copied to all the CD-ROMs recorded on the computer.

A curious detail about Fatso.A is that it continues the cyber-war between
virus authors that started with the appearance of the Assiral.A worm, and
which displayed a text attacking the Bropia worms. In response, Fatso.A
creates a file called "Message to n00b LARISSA.txt" on affected systems,
which contains an unfriendly message for the author of Assiral, signed by
someone called Skydevil.

The fourth worm in today's report is Sober.O, which spreads via email in a
message that can be written in German (if the extension of the mail domain
is one of the following: de (Germany), ch (Switzerland), at (Austria) or li
(Liechtenstein)) or in English.

When it infects a computer, Sober.O looks for email addresses in files with
certain extensions. Then, Sober.O sends itself out using its own SMTP
engine. What's more, when it is run, Sober.O opens Notepad and displays a
text on screen.

The first of the two Trojans in today's report is Ruzes.A, which collects
email addresses from the files with certain extensions that it finds on the
affected computer. Then, it sends these addresses to an Internet address.

Ruzes.A is being downloaded by Downloader.BBN, another Trojan that appeared
recently, which is very similar to the other variants in the family it
belongs to.

Thursday, March 10, 2005

Phishers Turn To DNS Wildcards, Cache Poisoning

By Gregg Keizer
Courtesy of TechWeb.com

Phishers are using ever-more-sophisticated tactics, including DNS wildcards and DNS cache poisoning--the latter dubbed "pharming"--to separate consumers from their money, a British security firm said Tuesday.

According to Netcraft, criminals are now using DNS wildcards and URL encoding to create e-mail links that appear to be for legitimate sites, but actually send unwary consumers to fake Web sites, where phishers try to steal confidential information, such as bank or credit account numbers.

DNS wildcards--as in "*.example.com"--are typically used to guide mistyped or otherwise errant e-mails to their intended destination. In the past, DNS wildcards have been used by spammers, said Netcraft, but now they're showing up in phishers' toolkits.

Barclays Bank, for instance, has been hit by several phishing attacks that use the wildcards. The spammed messages include a link that begins with the legit "barclays.co.uk" but is then followed by a long list of letters and symbols that encodes the bogus site's URL.

These wildcard links have been created at a third-party redirection service that then sends the user to the phisher's spoofed site, not the real Barclays URL, as the consumer expects. Once at the spoofed site--which looks like the real deal--the user can be tricked into entering account log-in info, which is then stolen by the hacker.
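The wildcard-plus-encoding trick described above lends itself to a simple defensive link check. The following Python is an added example, not code from the article or from Netcraft; it assumes the phisher parks the brand name as the leading labels of a wildcard host at a third-party redirector (hypothetical host redirect-svc.example) and percent-encodes the real destination in the path or query, and it reports the true host and any embedded redirect target.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample links (hypothetical hosts; not URLs taken from the article).
SAMPLE_LINKS = [
    "https://www.barclays.co.uk/olb/auth/LoginLink.action",
    "http://barclays.co.uk.redirect-svc.example/go?u=http%3A%2F%2F203.0.113.7%2Fbarclays%2Flogin",
    "http://barclays.co.uk.redirect-svc.example/%68%74%74%70%3A%2F%2Fevil.example/ibank",
]

EMBEDDED_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def deep_unquote(text: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly; a double-encoded target survives a single decode."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def host_belongs_to(host: str, brand: str) -> bool:
    """True only when host is the brand domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == brand or host.endswith("." + brand)


def analyse(url: str, brand: str = "barclays.co.uk") -> dict:
    """Flag a link whose visible start mimics the brand but whose host and
    encoded payload point elsewhere (the wildcard + redirection pattern)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if not host_belongs_to(host, brand):
        if host.startswith(brand + "."):
            findings.append("brand domain used as leading labels of an unrelated host: " + host)
        elif brand in host:
            findings.append("brand string embedded in unrelated host: " + host)
    # Decode path and query separately so an empty query cannot glue a '?' onto a match.
    decoded = deep_unquote(parts.path) + " " + deep_unquote(parts.query)
    for target in EMBEDDED_URL.findall(decoded):
        findings.append("embedded redirect target: " + target)
    return {"host": host, "suspicious": bool(findings), "findings": findings}


def flag_links(links):
    """Return only the links that analyse() marks as suspicious."""
    return [u for u in links if analyse(u)["suspicious"]]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", analyse(link))
```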

Not surprisingly, the fake site is hosted in Russia, a hotbed of phishing criminals.

Barclays knows of the trick, and has posted a warning on the front page of its banking site.

"Some customers have been receiving an e-mail claiming to be from Barclays advising them to follow a link to what appears to be a Barclays Web site, where they are prompted to enter their personal Online Banking details. Barclays is in no way involved with this e-mail and the Web site does not belong to us," the warning reads. "Barclays does not send e-mails to customers requesting security or any other confidential information."

Another advanced technique that has seen some use by phishers is DNS cache poisoning, a way to silently redirect users from real sites to spoofed copies, where dangerous spyware is loaded onto their systems. The tactic is sometimes called "pharming."

Last week's DNS poisoning attack has been traced to a known vulnerability in Symantec's gateway-based security appliances, and allowed hackers to change information on a small number of local DNS servers, said Netcraft, to funnel real requests for major sites like Google.com and eBay.com to three hacker sites.

Symantec's bug was disclosed last June, and patches were issued then. While DNS-related redirects are rare--they're difficult to pull off, said Dan Hubbard, the senior director of security at San Diego-based Websense last week--Netcraft thinks the technique will soon be used by more phishers.

"[Last week's] incident has all the earmarks of a proof-of-concept," said Netcraft in its online alert. "New strategies are of interest to phishers, whose task has been complicated by growing vigilance by banks and their customers, as well as the emergence of defensive tools. Scammers are quick at layering new techniques atop existing spoofs and social-engineering tactics."

Netcraft offers a free toolbar that installs in Microsoft's Internet Explorer browser. It traps suspicious URLs using encoded characters, displaying the hosting location so that users can, for instance, easily see that what they thought was their U.S.-based bank is somehow being hosted out of China.

Tuesday, March 08, 2005

Three new worms threaten instant messaging users,
while the cyber-war between virus authors continues -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, March 7, 2005 - Virus creators are continuing to demonstrate their
interest in instant messaging as a rapid means of spreading malicious code.
PandaLabs has detected the appearance of three new worms (Kelvir.B, Kelvir.C
and Fatso.A) programmed to spread via MSN Messenger.

The new Kelvir worms reach computers in messages with texts like "omg this is
funny!" (Kelvir.B) or "lol! see it! u'll like it" (Kelvir.C), which include a
link to an Internet address. If the user clicks on this link, files
containing the code of these worms will be downloaded and installed on the
computer.

These then send new messages to the contacts in MSN Messenger. At
the same time, they download variants of the Gaobot or Sdbot Trojans from
another web address.

These Trojans allow a hacker to gain remote control of the affected computer
through IRC chat channels.

It is important to mention that all of the web pages from which the Kelvir
worms or the Sdbot or Gaobot Trojans are downloaded have already been
blocked, preventing them from continuing to spread.

However, by that point Panda Software's international tech support network
had already detected that Kelvir.B and Kelvir.C had spread widely to users'
computers worldwide.

The Fatso.A worm sends messages containing links to a page from which a file
containing a copy of its code is downloaded and run. When it gets into a
computer, it sends itself to all the contacts in MSN Messenger and downloads
other files to the system root directory.

These files can have names like:

Annoying crazy frog getting killed.pif
Crazy frog gets killed by train!.pif
Fat Elvis! lol.pif.

This worm is also capable of spreading through P2P applications like KaZaA.

To do this, it creates copies of itself in the shared directories used by these
programs.

Fatso.A also ends the processes of various security programs running in
memory, leaving the computer vulnerable to other possible attacks.

What's more, Fatso.A continues with the cyber-war between virus authors that
started with the appearance of the Assiral.A worm, which showed a text
attacking the Bropia worms. In response, Fatso.A creates a file called
Message to n00b LARISSA.txt on affected systems, which contains an
unfriendly message to the Assiral author and signed by someone called
Skydevil.

Luis Corrons, head of PandaLabs, warns: "It is probable that new worms that
spread via MSN Messenger will appear over the next few hours, and therefore,
it is highly recommendable to take precautions with messages received
through this application.

The situation is getting more dangerous for users of instant messaging
applications. As well as this new malicious code, the 20 variants of the
Bropia worm and the two variants of the Stang worm detected over the
last few days also use this means to spread.

What's more," he adds, "cyber-criminals are showing a growing interest in instant
messaging and there is a tendency to launch blended threats. The two new
Kelvir worms, for example, not only aim to spread as widely as possible but
also try to install other malware on computers. These could be used to carry
out all kinds of actions, such as online fraud using confidential data
stolen from affected computers."

Due to the possibility of receiving malicious code through instant messaging
applications, Panda Software advises users to have reliable, updated
anti-malware installed, and to be wary of all messages received, regardless
of the source. Panda Software clients already have the updates available to
detect and disinfect these new worms and the other malicious code that uses
instant messaging to spread.

Panda Software's clients can already access the updates for installing the
new TruPrevent(tm) Technologies along with their antivirus protection,
providing a preventive layer of protection against new malicious code. For
users with a different antivirus program installed, Panda TruPrevent(tm)
Personal is the perfect solution, as it is both compatible with and
complements these products, providing a second layer of preventive
protection that acts while the new virus is still being studied and the
corresponding update is incorporated into traditional antivirus programs,
decreasing the risk of infection. More information about TruPrevent(tm)
Technologies at: http://www.pandasoftware.com/truprevent

In addition, users can scan their computers online for free with Panda
ActiveScan available at http://www.pandasoftware.com

For further information about the Kelvir, Fatso, Assiral, Bropia and Stang
worms visit Panda Software's Virus Encyclopedia at
http://www.pandasoftware.com/virus_info/encyclopedia/