The ILOVEYOU Worm

The ILOVEYOU worm, also known as VBS/Loveletter and the Love Bug worm, is a computer worm written in VBScript.

Description
The worm, first reported from Hong Kong, arrived in e-mail boxes on May 4, 2000, with the simple subject "ILOVEYOU" and an attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs".
Two aspects of the worm made it effective:
It relied on social engineering to entice users to open the e-mail, and so ensured its continued propagation. Because Windows hid the extension of known file types by default, the attachment appeared in the mail client as a harmless text file, "LOVE-LETTER-FOR-YOU.TXT".
It used a mechanism, VBScript executed by the Windows Script Host, that was not entirely novel but had not previously been exploited on such a scale. No software vulnerability was needed: a double-click on the attachment ran the script with the user's full privileges, so few of the protective layers of the day stood between the lure and the payload.

Spread
Its massive spread moved westward as workers arrived at their offices and found messages generated by users further east. Because the worm harvested its targets from the victim's own address book, the messages appeared to come from acquaintances and so were taken to be safe, giving recipients further incentive to open them. It took only a few users at each site to open the VBS attachment to generate the thousands of e-mails that crippled mail servers under their weight, quite apart from the thousands of files overwritten on workstations and on accessible network shares.

Effects
It began in the Philippines on May 4, 2000, and spread across the world in one day (traveling from Hong Kong to Europe to the United States), reportedly infecting 10 percent of all computers connected to the Internet and causing an estimated $5.5 billion in damage. Most of that "damage" was the labor of removing the worm and restoring files. The Pentagon, the CIA, and the British Parliament shut down their e-mail systems to remove the worm, as did most large corporations.
The outbreak caused widespread outrage and made ILOVEYOU one of the most damaging worms seen up to that time. The worm overwrote important files, including music and other multimedia files, with a copy of itself, and mailed itself to everyone in the user's contact list. Only computers running Microsoft Windows were affected: any computer with e-mail access could receive an "ILOVEYOU" message, but only Windows systems with the Windows Script Host could execute the attachment and become infected.

Authorship
The worm program is believed to have been written by Michael Buen. The Barok trojan used by the worm is believed to have been written by Onel de Guzman, a Filipino student of AMA Computer University in Makati, Philippines.
An international manhunt for the perpetrator eventually led to a young programming student. On May 11, one week after the worm spread, he held a news conference and said that he had not meant to cause so much harm. He had proposed the program as his graduation thesis in computer science, but the university rejected the thesis because of its illegality, so he could not graduate. Helped by a group of friends called the Grammersoft Group, he finished the worm and released it the day before the school held its graduation ceremony.

Detection
Narinnat Suksawat, a 25-year-old Thai software engineer, was the first person to write software that repaired the damage caused by the worm, releasing it to the public on May 5, 2000, 24 hours after the outbreak began. His program, "Rational Killer", removed the worm's files and restored the system files it had replaced so that they functioned again. Two months later Narinnat was offered a senior consultant position at Sun Microsystems, where he worked for two years before resigning to start his own business. Today he owns Moscii Systems, a system management software company in Thailand.

Architecture of the worm
The worm is written in VBScript and depends on the end user running the script (double-clicking the attachment) to deliver its payload; it exploits no software vulnerability. Once running, it copies itself into the Windows system folder as MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs and into the Windows folder as Win32DLL.vbs, and adds values under the Run and RunServices keys of the Windows registry so that the script starts at every boot.
The worm then searches all drives connected to the infected computer and replaces files with the extensions *.JPG, *.JPEG, *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT, *.DOC and *.HTA with copies of itself, appending .vbs to the file name, so that "holiday.jpg" becomes a script named "holiday.jpg.vbs" and the original picture is gone. *.MP3 and *.MP2 files are treated differently: the original is given the hidden attribute and left in place, and a copy of the worm with the same name plus .vbs is written beside it, so these files are recoverable.
The worm propagates by sending a copy of itself to every entry in the Microsoft Outlook address book. It also has a second stage: it sets Internet Explorer's start page to a URL from which a password-stealing trojan, seen under names such as "WIN-BUGSFIX.EXE" and "Microsoftv25.exe", is downloaded and executed. That component e-mails cached passwords to the attacker.
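The file-system footprint described above is what an incident responder has to triage, and the double-extension naming is the handle for doing so. The following script is an added example, not code from the worm or from any vendor named on this page: it walks a directory tree, picks out every .vbs file whose name carries a second extension, and sorts the hits into files whose hidden original is still beside them (MP3/MP2), files whose original was overwritten (JPG, DOC and the rest), bare .vbs scripts that need content inspection, and other doubled extensions such as .TXT.vbs. The sample tree it builds is constructed for the demonstration; the extension lists come from the description above.

```python
"""Triage of an ILOVEYOU-style file-system footprint.

Added example: not the worm's code. It walks a tree and classifies every .vbs
file by the double-extension pattern the worm leaves behind, so a responder can
see what is recoverable (hidden originals) and what must come from backup.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Types the description above says are overwritten by a copy of the worm
# (the original content is gone; ".vbs" is appended to the name).
OVERWRITTEN = {".jpg", ".jpeg", ".vbs", ".vbe", ".js", ".jse", ".css",
               ".wsh", ".sct", ".doc", ".hta"}
# Types the worm only hides, dropping its copy beside the untouched original.
HIDDEN_ORIGINAL = {".mp3", ".mp2"}


def classify(path: Path) -> str | None:
    """Verdict for one file, or None when it is not a .vbs file at all."""
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes or suffixes[-1] != ".vbs":
        return None
    if len(suffixes) == 1:
        # A plain .vbs may be a script the worm overwrote in place or a
        # legitimate one; the name cannot tell, so the content must be checked.
        return "inspect"
    inner = suffixes[-2]
    if inner in HIDDEN_ORIGINAL:
        # "song.mp3.vbs" -> the hidden original is "song.mp3" in the same folder.
        original = path.with_suffix("")
        return "recoverable" if original.exists() else "lost"
    if inner in OVERWRITTEN:
        return "lost"
    # Any other doubled extension (e.g. ".TXT.vbs") is the worm's lure pattern.
    return "suspicious"


def triage(root: Path) -> dict[str, list[str]]:
    """Walk root and bucket every .vbs file by verdict, as paths relative to root."""
    report: dict[str, list[str]] = {
        "recoverable": [], "lost": [], "inspect": [], "suspicious": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            verdict = classify(path)
            if verdict is not None:
                report[verdict].append(path.relative_to(root).as_posix())
    for bucket in report.values():
        bucket.sort()
    return report


def build_sample_tree() -> Path:
    """Constructed sample tree imitating a workstation after infection (not real artifacts)."""
    root = Path(tempfile.mkdtemp(prefix="loveletter-"))
    files = {
        "pics/holiday.jpg.vbs": "worm copy; holiday.jpg itself no longer exists",
        "music/song.mp3.vbs": "worm copy dropped beside the hidden original",
        "music/song.mp3": "original MP3, hidden on Windows but still present",
        "LOVE-LETTER-FOR-YOU.TXT.vbs": "the mail attachment itself",
        "login.vbs": "a script: overwritten in place or legitimate, name cannot tell",
        "notes.txt": "an untouched file the worm does not target",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    for verdict, paths in triage(build_sample_tree()).items():
        print(f"{verdict:12s} {paths}")
```

The "recoverable" bucket is the one worth acting on first: clearing the hidden attribute on the original and deleting the .vbs copy beside it restores the file without a backup, whereas everything in "lost" has to come from backup because the worm wrote its own body over the content.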

Variants
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Subject Line: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.

Attachment: Very Funny.vbs
Subject Line: fwd: Joke
Message Body: empty

Attachment: mothersday.vbs
Subject Line: Mothers Day Order Confirmation
Message Body: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com

Attachment: virus_warning.jpg.vbs
Subject Line: Dangerous Virus Warning
Message Body: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.

Attachment: protect.vbs
Subject Line: Virus ALERT!!!
Message Body: a long message regarding VBS.LoveLetter.A

Attachment: Important.TXT.vbs
Subject Line: Important! Read carefully!!
Message Body: Check the attached IMPORTANT coming from me!

Attachment: Virus-Protection-Instructions.vbs
Subject Line: How to protect yourself from the IL0VEYOU bug!
Message Body: Here's the easy way to fix the love virus.

Attachment: KillEmAll.TXT.VBS
Subject Line: I Cant Believe This!!!
Message Body: I Cant Believe I have Just received This Hate Email .. Take A Look!

Attachment: ArabAir.TXT.vbs
Subject Line: Thank You For Flying With Arab Airlines
Message Body: Please check if the bill is correct, by opening the attached file

Attachment: IMPORTANT.TXT.vbs
Subject Line: Variant Test
Message Body: This is a variant to the vbs virus.

Attachment: Vir-Killer.vbs
Subject Line: Yeah, Yeah another time to DEATH...
Message Body: This is the Killer for VBS.LOVE-LETTER.WORM.

Attachment: LOOK.vbs
Subject Line: LOOK!
Message Body: hehe...check this out.

Attachment: BEWERBUNG.TXT.vbs
Subject Line: Bewerbung Kreolina
Message Body: Sehr geehrte Damen und Herren!

Subject Line: Is this you in this picture?
Message Body: Is this you in this picture?

Legislative aftermath
As the Philippines had no laws against virus-writing at the time, on August 21, 2000, prosecutors dropped all charges against Onel A. de Guzman in a resolution signed by Jovencito Zuno. The original charges against de Guzman concerned the illegal use of passwords for credit card and bank transactions. The Philippine E-Commerce Law (Republic Act No. 8792), passed on June 14, 2000, after the outbreak, laid out penalties for cybercrime. Under the law, those who spread computer viruses or otherwise engage in cybercrime (including copyright infringement and software cracking) can be fined a minimum of 100,000 pesos (about USD 2,000) and a maximum commensurate with the damage caused, and imprisoned for six months to three years.

The HPS Virus

HPS is a polymorphic Windows 95 virus which contains this text:

< Hantavirus Pulmonary Syndrome (HPS) Virus BioCoded by GriYo / 29A >

HPS stays resident in memory and infects Win32 EXE files as they are accessed, encrypting its own code with a variable polymorphic encryption layer so that no fixed byte sequence identifies it.

HPS activates on Saturdays. When a non-compressed Windows bitmap (BMP) file is opened, the virus flips the picture horizontally. It then writes the value DEADBABE (in hex) into the end of the bitmap header area as a marker so that it does not flip the same image again. Because Windows 95 and 98 use uncompressed bitmaps for their own screens, this causes all kinds of odd effects, such as the Windows start-up and shut-down screens appearing mirrored.
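The marker is what makes HPS-altered bitmaps recognisable after the fact, and since the image data is untouched apart from the flip, the damage is reversible. The following script is an added example, not HPS's code or any vendor's tool: it parses the BITMAPFILEHEADER and BITMAPINFOHEADER of an uncompressed 24-bit bitmap, scans the header area for DEADBABE in either byte order (the page does not give the exact offset), flips the rows back, and blanks the marker. The sample bitmap is constructed, with the marker placed in the reserved fields of the file header purely for the demonstration.

```python
"""HPS-style bitmap tampering: find the DEADBABE marker and undo the flip.

Added example, not HPS's code or any vendor's tool. Only uncompressed 24-bit
bitmaps are handled, which is the case the description above concerns. The
marker offset is not given on this page, so the whole header area is scanned;
the sample bitmap is constructed, with the marker placed in the file header's
reserved fields for the demonstration.
"""
from __future__ import annotations

import struct

MARKER_LE = (0xDEADBABE).to_bytes(4, "little")
MARKER_BE = (0xDEADBABE).to_bytes(4, "big")
BI_RGB = 0             # compression field value of an uncompressed bitmap
HEADER_SIZE = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER


def parse_header(data: bytes) -> dict:
    """Fields of BITMAPFILEHEADER and BITMAPINFOHEADER that the flip needs."""
    if data[:2] != b"BM" or len(data) < HEADER_SIZE:
        raise ValueError("not a Windows bitmap")
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    _info_size, width, height, _planes, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    return {"pixel_offset": pixel_offset, "width": width, "height": height,
            "bpp": bpp, "compression": compression}


def has_hps_marker(data: bytes) -> bool:
    """True if DEADBABE (either byte order) sits anywhere before the pixel data."""
    header = data[:parse_header(data)["pixel_offset"]]
    return MARKER_LE in header or MARKER_BE in header


def flip_horizontal(data: bytes) -> bytes:
    """Reverse the pixel order of every row; rows are padded to a 4-byte stride."""
    h = parse_header(data)
    if h["compression"] != BI_RGB or h["bpp"] != 24:
        raise ValueError("only uncompressed 24-bit bitmaps are handled here")
    row_bytes = h["width"] * 3
    stride = (row_bytes + 3) & ~3
    out = bytearray(data)
    for r in range(abs(h["height"])):          # negative height means top-down rows
        start = h["pixel_offset"] + r * stride
        row = data[start:start + row_bytes]
        pixels = [row[i:i + 3] for i in range(0, row_bytes, 3)]
        out[start:start + row_bytes] = b"".join(reversed(pixels))
    return bytes(out)


def repair(data: bytes) -> bytes:
    """If the marker is present, flip the image back and blank the marker; else return as is."""
    if not has_hps_marker(data):
        return data
    fixed = bytearray(flip_horizontal(data))
    limit = parse_header(data)["pixel_offset"]
    for marker in (MARKER_LE, MARKER_BE):
        pos = fixed.find(marker, 0, limit)
        if pos != -1:
            fixed[pos:pos + 4] = bytes(4)
    return bytes(fixed)


def first_row_values(data: bytes) -> list[int]:
    """First byte of each pixel in row 0, to make a flip visible."""
    h = parse_header(data)
    row = data[h["pixel_offset"]:h["pixel_offset"] + h["width"] * 3]
    return [row[i] for i in range(0, len(row), 3)]


def build_sample(width: int = 3, height: int = 2, marked: bool = False) -> bytes:
    """Constructed 24-bit bitmap whose pixel values equal their column index."""
    stride = (width * 3 + 3) & ~3
    pixels = bytearray()
    for _ in range(height):
        row = b"".join(bytes([x, x, x]) for x in range(width))
        pixels += row.ljust(stride, b"\x00")
    reserved = MARKER_LE if marked else bytes(4)   # bfReserved1/2: constructed placement
    file_header = (b"BM" + struct.pack("<I", HEADER_SIZE + len(pixels))
                   + reserved + struct.pack("<I", HEADER_SIZE))
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, BI_RGB,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + bytes(pixels)


if __name__ == "__main__":
    tampered = flip_horizontal(build_sample(marked=True))   # what HPS leaves behind
    print("marker:", has_hps_marker(tampered), "row 0:", first_row_values(tampered))
    print("repaired row 0:", first_row_values(repair(tampered)))
```

Scanning the whole header region for the marker is deliberate: a check pinned to one offset would miss a variant that stored the value elsewhere, and four fixed bytes have a negligible false-positive rate in a 54-byte header.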

Often described as the first virus written for Windows 98, HPS took its name from a dreaded disease transmitted by rodents. Hantavirus Pulmonary Syndrome causes acute respiratory distress in humans, but its digital namesake was nowhere near as harmful: on Saturdays it flipped uncompressed bitmaps horizontally, producing mirror images of pictures such as the Windows start-up screen. An interesting snippet about this virus: HPS appeared on the Web in early 1998, before the Windows 98 operating system was commercially available.

The Stoned or Marijuana Virus

Name: Stoned virus (also known as the Marijuana or New Zealand virus)
Types: At least four known variants
Platform: MS-DOS computers
Damage: Not deliberately destructive; however, this virus overwrites part of the boot sector/master boot record area of infected disks (see text)
Symptoms: May write "Your computer is now stoned. Legalize marijuana" or a similar message on screen (one variant has this message removed); may create hard disk errors or the inability to boot
Detection: VIRALERT, VIRHUNT, RESSCAN, CodeSafe, F-PROT, IBM Scan
Eradication: VIRHUNT, RESSCAN, CodeSafe, CleanUp, F-PROT and others (contact CIAC for information about these products)

The Stoned (Marijuana or New Zealand) virus is now one of the most common viruses among MS-DOS systems. The Stoned virus infects the boot sector/master boot record of floppy and hard disks. Once resident in memory, this virus may display a message similar to the following:

Your computer is now stoned. Legalize marijuana.

Although the Stoned virus apparently was not programmed to do damage, it can nevertheless damage a system. When it infects a disk it saves the original boot sector or master boot record elsewhere on the disk and installs itself in its place: on a floppy the copy goes to Head 0, Track 0, Sector 3, and on a hard disk to Head 0, Track 0, Sector 7. Those sectors may hold directory information or portions of user data files, which are overwritten. If a hard disk was last partitioned under DOS 2, the saved copy lands in the File Allocation Table (FAT), which is then overwritten as well. The result is overwritten data files and disk errors reported by CHKDSK. Variants of the Stoned virus produce slightly different effects:

Stoned-B: infection of the hard disk's partition table
Stoned-C: no displayed message
Stoned-D: infection of high density diskettes

You can detect the Stoned virus with a variety of scan packages such as VIRALERT, VIRHUNT, RESSCAN, CodeSafe, F-PROT and IBM Scan, and eradicate it with packages such as VIRHUNT, RESSCAN, CodeSafe, CleanUp and F-PROT. If you cannot obtain a removal utility, back up your applications and data from the hard disk, then low-level format the disk to ensure that the master boot record is removed (an ordinary DOS FORMAT does not rewrite the master boot record and leaves the virus in place). Boot from a clean, write-protected operating system disk, restore your system, and then restore the application and data files.

After you have cleaned your system, either with an eradication product or by formatting the drive, scan again with a virus detection utility to ensure that the virus is not present. To ensure that your system does not immediately become re-infected, scan all floppy disks for the virus as well. To clean floppies you may use one of the suggested products, or you may format new floppies on a clean system, then use the "copy" command to copy files from the infected floppies to the clean ones. Format the infected floppies before reusing them.

The Stoned virus typically spreads wherever floppy disks are shared, and infections can be easily prevented by adopting sound protection procedures. The Stoned virus infects hard disks when a PC is booted from an infected floppy; it does not infect applications. If you must boot from a floppy disk, ensure with a virus scan package that the disk is not infected, and write-protect it so that it cannot become infected later. (Warning: a Stoned-infected floppy can infect a machine even if the floppy is not bootable. The PC executes whatever boot sector it finds in drive A:, and the "Non-System disk" message comes from that sector's own code, by which time the virus is already resident in memory. Leaving an infected data floppy in the drive at power-on is therefore enough.)
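Before trusting a scanner's verdict it helps to see what a Stoned infection looks like on disk. The following script is an added example, not part of the CIAC bulletin: it reads a raw disk image, checks the master boot record for the virus's message, and looks in head 0, track 0, sector 7 (LBA 6 in the image, since CHS sector numbers start at 1) for a second boot record whose partition table matches the one in sector 0, which is where the bulletin says Stoned writes on a hard disk and where the displaced original MBR ends up. That second test also catches Stoned-C, which carries no message. The eight-sector image and its partition table are constructed for the demonstration.

```python
"""Stoned-style MBR infection: detect it in a raw disk image and put the saved
original master boot record back.

Added example, not code from the CIAC bulletin. Sector layout and the sample
partition table are constructed for the demonstration.
"""
from __future__ import annotations

SECTOR = 512
SIGNATURE = b"\x55\xAA"            # boot-record signature at offset 510
TABLE = slice(0x1BE, 0x1FE)        # 64-byte partition table inside an MBR
# Head 0, track 0, sector 7 is LBA 6 (CHS sector numbers start at 1). The
# bulletin names it as the sector Stoned writes on hard disks; it holds the
# original MBR that the virus displaced.
SAVED_MBR_LBA = 6
MESSAGE = b"your computer is now stoned"


def sector(image: bytes, lba: int) -> bytes:
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def scan_mbr(image: bytes) -> dict[str, bool]:
    """The observations that together make a Stoned infection recognisable."""
    mbr = sector(image, 0)
    saved = sector(image, SAVED_MBR_LBA)
    saved_valid = saved[510:512] == SIGNATURE
    return {
        "valid_signature": mbr[510:512] == SIGNATURE,
        # Stoned-C has the text removed, so the message alone is not enough.
        "message_present": MESSAGE in mbr.lower(),
        # A second boot record in sector 7 is abnormal on a DOS-era disk, and
        # Stoned keeps the partition table intact in both copies.
        "saved_mbr_present": saved_valid,
        "tables_match": saved_valid and saved[TABLE] == mbr[TABLE],
    }


def is_infected(image: bytes) -> bool:
    r = scan_mbr(image)
    return r["message_present"] or (r["saved_mbr_present"] and r["tables_match"])


def restore_mbr(image: bytes) -> bytes:
    """Copy the saved original MBR back over sector 0 and blank the saved copy."""
    r = scan_mbr(image)
    if not (r["saved_mbr_present"] and r["tables_match"]):
        raise ValueError("no usable saved MBR; use a scanner or repartition")
    out = bytearray(image)
    out[0:SECTOR] = sector(image, SAVED_MBR_LBA)
    out[SAVED_MBR_LBA * SECTOR:(SAVED_MBR_LBA + 1) * SECTOR] = bytes(SECTOR)
    return bytes(out)


def _mbr(code: bytes, table: bytes) -> bytes:
    """Assemble a 512-byte MBR: code area, partition table, signature."""
    return code.ljust(0x1BE, b"\x00") + table + SIGNATURE


# Constructed partition table: one bootable FAT16 entry with made-up geometry.
SAMPLE_TABLE = (bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0x0F, 0x3F, 0x7F])
                + (63).to_bytes(4, "little") + (32000).to_bytes(4, "little")
                + bytes(48))
ORIGINAL_MBR = _mbr(b"\x90" * 8 + b"ORIGINAL DOS MBR CODE (constructed)", SAMPLE_TABLE)
STONED_MBR = _mbr(b"\x90" * 8 + b"Your computer is now stoned. Legalize marijuana.",
                  SAMPLE_TABLE)
STONED_C_MBR = _mbr(b"\x90" * 8 + b"(constructed variant with the text removed)",
                    SAMPLE_TABLE)


def build_sample_image(infected: bool = True, with_message: bool = True) -> bytes:
    """Eight-sector image: sector 0 is the MBR, sector 7 (LBA 6) the saved copy."""
    sectors = [bytes(SECTOR)] * 8
    if infected:
        sectors[0] = STONED_MBR if with_message else STONED_C_MBR
        sectors[SAVED_MBR_LBA] = ORIGINAL_MBR
    else:
        sectors[0] = ORIGINAL_MBR
    return b"".join(sectors)


if __name__ == "__main__":
    image = build_sample_image()
    print(scan_mbr(image), "infected:", is_infected(image))
    print("after restore, infected:", is_infected(restore_mbr(image)))
```

On a real disk the same two reads (sector 0 and sector 7 of track 0) are what the eradication tools of the time performed before copying the saved record back; the partition-table comparison is the safety check that stops a tool from writing garbage over a working MBR when sector 7 merely happens to end in 55 AA.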

Additional Note: Basic information about the Stoned virus has been available through the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15 since the beginning of this year.

The Stoned or Marijuana Virus: A virus belonging to the stone age of the computer era, this one infected early DOS systems through floppy disks. First seen in New Zealand in 1988, the original version did not cause any real damage; it simply displayed the message "Your computer is now stoned. Legalize Marijuana" on the screen. However, the 90-odd variants of the Stoned virus (with names as random as Donald Duck, Hawaii, Rostov, Smithsonian, StonedMutation and more) did do considerable damage to the Master Boot Record and File Allocation Table of hard disks.

The PolyPoster Virus

SAN JOSE, CA/ESPOO, FINLAND, June 18, 1998--Data Fellows, one of the world's leading data security development companies, has discovered an important new macro virus known as WM/PolyPoster.

The new virus uses advanced replication methods to spread within Microsoft Word documents. Once a machine becomes infected by the virus, all Word documents manipulated in it will become infected and the virus will spread within them to new machines.

However, the most disturbing part of the virus is its activation routine. The virus activates at random times and tries to send the user's Word documents to Usenet newsgroups. As an end result, the virus could post, for example, company confidential data or highly personal material in an open cyber-forum.

Data Fellows has updated its Anti-Virus product, F-Secure Anti-Virus, to handle the WM/PolyPoster virus. Additional information on the new virus and its prevalence is available. The virus does not seem to be widespread at this time.

The messages posted by the virus look like they are coming from the real user of the machine, complete with the user name and signature. The virus contains a list of newsgroups where it will attempt to post the messages. These include popular discussion groups which attract thousands of readers, including alt.hacker, alt.binaries.pictures.erotica, alt.fan.hanson, alt.windows95 and alt.skinheads.

To top it all, the posted documents are always infected by the virus, and users who view them in Word will thus get infected, allowing the virus to spread from their machines.

"This is something we've been expecting for quite some time", comments Data Fellows' Manager of Anti-Virus Research, Mr. Mikko Hyppönen. "Viruses which activate by simply deleting data are easy to recover from--by using backups. However, there is no way to recover from an incident where a virus posts confidential documents publicly to the Internet." "We have to understand that traditional security methods like firewalls or Windows NT security settings will not prevent attacks like this from happening", Mr. Hyppönen continues. "Viruses like WM/PolyPoster will arrive to users through normal e-mail document attachments, and will further spread from the company's network with e-mail or standard Usenet newsgroup postings. Most firewalls won't prevent this from happening."

The virus has been analyzed in detail by Data Fellows Virus Researcher, Ms. Katrin Tocheva. "This is just the beginning", she says. "We will see viruses with similar but more advanced features in the future. WM/PolyPoster still has many limitations which will restrict its spread. For example, it is only able to post the messages to newsgroups if the user has a particular newsreader application installed."

About Data Fellows

Data Fellows is one of the world's leading developers of data security products with offices in San Jose, California and Espoo, Finland. Its groundbreaking F-Secure product family is a unique combination of revolutionary anti-virus and globally available strong encryption software. The fully integrated F-Secure product range provides complete security solutions for enterprises of all sizes. It includes file encryption and IPSec communication encryption products, VPN gateways, SSH based secure remote management software, and a full range of anti-virus products for workstations, servers and gateways. Data Fellows is also the developer of the award winning F-PROT Professional anti-virus, which has become an integral part of the multi-engine structure of F-Secure Anti-Virus.

Data Fellows is privately owned. Since its foundation in 1988, the company's annual growth in net sales has been over 80%. Data Fellows offers a worldwide network of technical support, training and distribution in over 80 countries. Data Fellows belongs to an elite group of companies with a triple-A rating from Dun&Bradstreet.

The Caric-A Worm

Former US president Bill Clinton provided a lot of fodder for the gossip mills during his tenure at the White House, and still did as late as 2002, as this worm proved. Also known as the Bill Clinton worm and as MyLife-B, this malicious program activated when the e-mail attachment was opened and displayed a cartoon of Clinton playing a saxophone with a bra popping out of its bell. The writers of this worm tried to be clever by adding a line to the end of the e-mail, supposedly from anti-virus vendor McAfee, claiming that the e-mail contained no viruses.

The Wurmark Worm

Wurmark.L is an e-mail worm that spreads using several different languages. It also drops a variant of Rbot on the infected system.

Detailed Description

Installation to system

When run, the worm drops the following three files from its resource:

bx.exe
bszip.dll
ANSMTP.DLL

'bx.exe' is a copy of Rbot. 'bszip.dll' and 'ANSMTP.DLL' are used later in e-mail spreading. The worm also writes the following files in the Windows system folder:

cmd.com
regedit.com
taskkill.com
tasklist.com
tracert.com
ping.com
netstat.com

Each of these files contains only the two characters 'MZ', the magic number of an EXE header with no program behind it. When a bare command name such as 'cmd' or 'ping' is typed, Windows tries the extensions listed in PATHEXT in order, and '.COM' comes before '.EXE' in the default list, so the stub in the system folder is found before the real tool in the same folder. The stub fails to run, so this trick effectively disables the administrative tools with '.exe' extension that a user would reach for when investigating the infection.
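The resolution order the paragraph above relies on is easy to reproduce, and reproducing it is the quickest way to audit a system folder for this trick. The following script is an added example, not code from F-Secure's analysis or from the worm: it models how the shell resolves a bare command name (directory order, then PATHEXT order, with .COM ahead of .EXE), lists every .com file that wins over an .exe of the same base name, and flags those that are two-byte "MZ" stubs. The System32 look-alike it scans is a constructed temporary directory; the PATHEXT order is the default of the era.

```python
"""Command shadowing by ".com" stubs, as Wurmark.L does to cmd, regedit, ping
and the rest.

Added example, not code from the worm or from F-Secure. It models how the
shell resolves a bare command name and audits a folder for .com files that
win over an .exe of the same name. The folder it scans is constructed.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Default PATHEXT order of the era: .COM is tried before .EXE, so typing "cmd"
# runs cmd.com when one sits beside cmd.exe.
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]


def resolve(command: str, dirs: list[Path], pathext: list[str] = PATHEXT) -> Path | None:
    """First directory with a match wins; within it, PATHEXT order decides."""
    for d in dirs:
        if not d.is_dir():
            continue
        by_name = {p.name.lower(): p for p in d.iterdir()}
        for ext in pathext:
            hit = by_name.get((command + ext).lower())
            if hit is not None:
                return hit
    return None


def is_mz_stub(path: Path) -> bool:
    """Wurmark's decoys are exactly two bytes: the EXE magic 'MZ' with nothing behind it."""
    try:
        return path.stat().st_size == 2 and path.read_bytes().upper() == b"MZ"
    except OSError:
        return False


def find_shadowed(dirs: list[Path], pathext: list[str] = PATHEXT) -> list[dict]:
    """Every .com with an .exe twin, with whether it wins resolution and looks like a stub."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        by_name = {p.name.lower(): p for p in d.iterdir()}
        for name, com in by_name.items():
            if not name.endswith(".com"):
                continue
            base = name[:-4]
            exe = by_name.get(base + ".exe")
            if exe is None:
                continue  # a lone .com program (format.com, edit.com) shadows nothing
            findings.append({
                "stub": com.name,
                "shadows": exe.name,
                "wins": resolve(base, dirs, pathext) == com,
                "mz_stub": is_mz_stub(com),
            })
    return sorted(findings, key=lambda f: f["stub"].lower())


def build_sample_system32() -> Path:
    """Constructed folder imitating System32 after Wurmark.L has written its decoys."""
    root = Path(tempfile.mkdtemp(prefix="system32-"))
    fake_pe = b"MZ" + b"\x90" * 62                      # stand-in for a real EXE image
    files = {
        "cmd.exe": fake_pe, "cmd.com": b"MZ",            # decoy beside the real tool
        "ping.exe": fake_pe, "ping.com": b"MZ",
        "notepad.exe": fake_pe,                          # untouched
        "format.com": b"\xB8\x00\x00" + b"\x90" * 20,    # genuine .com program, no .exe twin
    }
    for name, content in files.items():
        (root / name).write_bytes(content)
    return root


if __name__ == "__main__":
    folder = build_sample_system32()
    for finding in find_shadowed([folder]):
        print(finding)
    print("cmd resolves to", resolve("cmd", [folder]).name)
```

On a live Windows system the equivalent sanity check is a listing of the .com files in %SystemRoot%\System32 whose size is two bytes; a legitimate .com program is never that small, and an .exe of the same base name beside it confirms the shadowing.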

The worm executes 'bx.exe', which installs itself on the system. This file is a variant of Rbot. When 'bx.exe' is run, it copies itself as 'winis.exe' into the Windows system directory and adds the following registry value:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "IE Runtimes" = "%SysDir%\winis.exe"

This ensures that it will be executed at next system startup. The bot can be used as a backdoor, collecting system information, logging keystrokes, relaying spam and for various other purposes.

Wurmark.L gathers e-mail addresses from the MSN messenger and Yahoo IM client contact lists. The worm uses the dropped SMTP component (ANSMTP.DLL) to send infected messages. It can construct the messages in 7 different languages. The language is selected using the locale of the infected computer.

The messages in the other six languages are machine-translated versions of the English text (accented characters restored below). Here are the possible English messages:

Subject Line: Attachment Returned
Message Body: This file was rejected by the recipient

Subject Line: You suck!
Message Body: I have enclosed why you suck and your not going to like it :@

Subject Line: My new details
Message Body: Hi i've changed email address if you would like to keep in contact i have enclosed my new details

Subject Line: Party Invite!!
Message Body: You have been invited to my party please download the details and tell me if you will be able to make it , Thanks!

Here are the possible German messages:

Subject Line: Zubehör Ging
Message Body: Diese Akte wurde von der Empfänger zurückgewiesen

Subject Line: Sie saugen!
Message Body: Ich habe umgeben, warum Sie saugen und Ihr Gehen nicht zu wie ihm :@

Subject Line: Meine neuen Details
Message Body: Hallo änderte ive email address, wenn Sie zu möchten Unterhalt im Kontakt habe ich meine neuen Details umgeben

Subject Line: Beteiligtes Laden!!
Message Body: Sie sind zu meinem Beteiligten eingeladen worden ddownloaden Sie bitte die Details und erklären Sie mir wenn Sie in der LageSIND, es zu bilden, Dank!

Here are the possible French messages:

Subject Line: L'Attachement Est retourné
Message Body: Ce dossier a rejeté par le destinataire

Subject Line: Vous sucez!
Message Body: J'ai enfermé pourquoi vous sucez et votre ne pas aller comme lui :@

Subject Line: Mes nouveaux détails
Message Body: Bonjour l'ive a changé le email address si vous voudriez subsistance en contact j'ai joint mes nouveaux détails

Subject Line: La Partie Invitent!!
Message Body: Vous avez invité à ma partie téléchargez svp les détails et me dites si vous pourrez la faire, merci!

Possible Italian messages:

Subject Line: Il Collegamento Ha rinviato
Message Body: Questa lima è stata rifiutata dal destinatario

Subject Line: Succhiate!
Message Body: Ho accluso perché succhiate e vostro non andare come ad esso :@

Subject Line: I miei nuovi particolari
Message Body: Hi il ive ha cambiato il email address se gradiste a conservazione in contatto ho accluso i miei nuovi particolari

Subject Line: Il Partito Invita!!
Message Body: Siete stati invitati al mio partito prego trasferite i particolari dal sistema centrale verso i satelliti e mi dite se potrete farlo, ringraziamenti!

Possible Portuguese messages (the third message in this set is the Spanish "You suck!" text rather than a Portuguese "My new details"):

Subject Line: O Acessório Retornou
Message Body: Esta lima foi rejeitada pelo receptor

Subject Line: Você suga!
Message Body: Eu incluí porque você suga e seu não lhe irá como :@

Subject Line: Usted aspira!
Message Body: He incluido porqué usted aspira y el su no irá como a él :@

Subject Line: O Partido Convida!!
Message Body: Você foi convidado a meu partido download por favor os detalhes e diz-me se você pudesse o fazer, agradecimentos!

Possible Spanish messages:

Subject Line: El Accesorio Volvió
Message Body: Este archivo fue rechazado por el recipiente

Subject Line: Usted aspira!
Message Body: He incluido porqué usted aspira y el su no irá como a él :@

Subject Line: Mis nuevos detalles
Message Body: Hi el ive cambió email address si usted quisiera a mantener contacto he incluido mis nuevos detalles

Subject Line: El Partido Invita!!
Message Body: Le han invitado a mi partido descarga por favor los detalles y me dice si usted puede hacerlo, gracias!

Possible Dutch messages:

Subject Line: Het aanhechtsel Keerde Terug
Message Body: Dit bestand werd door de ontvanger afgekeurd

Subject Line: U zuigt!
Message Body: Ik heb waarom u zuigt bijgevoegd en uw gaand alsof het niet :@

Subject Line: Mijn nieuwe details
Message Body: Hi veranderde ive e-mail aanspreekt of u van naar zou houden Hou in contact ik heb bijgevoegd mijn nieuwe details bij

Subject Line: De partij Uitnodig!!
Message Body: U bent naar mijn partij alstublieft download de details uitgenodigd worden en vertel mij indien u hem zult kunnen maken, Bedankt!

Attachment name is selected from the following list:

Party.pif
File.pif
Corrupt.pif
details.pif
Party.scr
File.scr
Corrupt.scr
details.scr

The file is packed inside 'File.zip' which is the actual attachment in the email.

The Wurmark Worm: Appearing on the Internet in 2005, the Wurmark-F worm was disguised as a picture of a funny-looking old man. Once inside a computer, the worm installed a Trojan that allowed remote attackers to take control of the infected system, which was then at their beck and call and used to propagate the worm further across the Web. The worm also deleted files at random from the system and mailed itself to all of the victim's Outlook contacts under the victim's own address.

The Brain Virus

The Brain computer virus is one of the earliest PC-based computer viruses; it was detected in January 1986, but this self-propagating program was not the first computer virus. Two Pakistani brothers, Amjad and Basit Farooq Alvi, created the Brain virus to infect IBM PCs. The program may have been the first attempt at "viral" marketing: an infected disk carried a message, visible to anyone who inspected its boot sector, advertising the company Brain Computer Services of Lahore, Pakistan.

Two unknown brothers, Amjad and Basit, from "Chahmiran", a lower-middle-class area of Lahore, shot to prominence as a brief message started turning up on thousands of computers in the USA: "Welcome to the Dungeon (c) 1986 Basit * Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAM BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE: 430791,443248,280530. Beware of this VIRUS. Contact us for vaccination." In no time at all, corporate America was in a fix. Unsure of what the message meant or what its implications could be, American computer users panicked, and the tiny 3.5 kilobyte virus was immediately dubbed the first alien assault on American computer culture. The fact was that Amjad, a computer science graduate, had developed software which the company then marketed. The brothers also had a shady bootlegging sideline: they would copy commercial software created by other companies and sell it at a reduced price. Ironically, they soon discovered that their own original products were being pirated, which was costing them a great deal of revenue. Infuriated, Amjad came up with a form of technological blackmail: he wrote a hidden program to be included with all future products, which would have destructive effects and would lurk in a computer's RAM, copying itself to any disks used by that machine. Users would then have to pay the brothers to remove the virus.

The first general personal computer virus was the Elk Cloner program for the Apple II, created by Rick Skrenta, now the co-founder and CEO of Topix.net, in 1982. The program infected Apple II disks and displayed a poem on every 50th boot from an infected disk.

The first possible computer virus was a UNIVAC program that acted as a carrier for a variant of the ANIMAL game. The program, though it was not called a virus at the time, was dubbed PERVADE by its author, John Walker. A network administrator in the 1970s, Walker created the program to deal with all the requests for his variant of ANIMAL, a game in which the computer tries to guess the animal the user is thinking of by asking yes-or-no questions. Other administrators would send him tapes on which he could copy the ANIMAL program. After mailing several tapes to interested people, Walker decided to create a program to distribute the game automatically. Whenever ANIMAL ran, the PERVADE routine looked for writable directories on the computer and copied itself into each of them. Within a few weeks, administrators at other companies started reporting the program on their systems. Walker went on to found Autodesk in the 1980s, the company behind the famous AutoCAD software.

The Skulls Trojan horse

Skulls Trojan horse shouldn't panic Symbian mobile phone owners, says Sophos

The Trojan horse displays skulls on infected mobile phones.

Sophos virus experts have advised customers not to panic, following media reports of a Trojan horse which infects cell phones.

The Troj/Skulls-A Trojan horse runs on the Symbian operating system, used by mobile phones such as the Nokia Series 60, and can display pictures of human skulls on infected devices. However, despite excitable reports from some members of the security community, Sophos has received no reports from customers affected by the Trojan horse and the threat appears to be very low.

"Some media reports have described Skulls as a virus. It isn't - it's a Trojan, and that means that it cannot spread by itself. In order to be infected you have to deliberately download the malicious file from the internet and install it on your mobile phone - even then it won't be able to spread itself to other phones from yours," said Graham Cluley, senior technology consultant for Sophos. "Users probably need to be more concerned about the large number of malicious Windows worms spreading around via email and the internet at the moment."

A message displayed at installation further reduces the chances of mobile phone owners being unknowingly infected by the malicious Trojan code. The message, which is displayed on the mobile phone's screen, reads as follows:

Extended Theme is an advanced Theme Manager for 7610. It uses to manage, edit, & create themes using your 7610. Tee-222 takes no responsibility for any kind of results caused by this app. Install at your own risk. Developed by Tee-222 2004.

"Everyone should take care about running unknown or unsolicited code on their computer - whether it be on a phone, a PDA, a desktop or a file server," continued Cluley.

The analysis by Sophos's team of experts has revealed that the author of the Skulls Trojan horse has threatened to write more Trojans for mobile phones in the future. The Trojan horse drops the following message on infected cell phones:

What is T-VIRUS? T-VIRUS is not a type of virus, instead it is a system file, specially designed & created for you. T-VIRUS crashes the main system of your phone, i guess it is the right time for you to go to your service center, or buy a new phone. Newer & higher version of T-VIRUS, coming soon. If you have Cabir, feel free to send it to me, i'll appriciate it very much.

The reference to "T-VIRUS" should not be confused with the T-Virus hoax from earlier this year, which was started as part of a promotion for the Resident Evil videogame.

"Mobile devices (PDAs and phones) have been theoretically vulnerable to viruses and Trojans for some years, but there has been very little malware written," explained Cluley. "The variation in details such as OS version, firmware revision and device characteristics in the mobile arena has resulted in a "moving target" for virus writers. This is one reason why there is not currently a large threat to mobiles from malicious code. The virus writers seem much more interested in attacking the old faithful target: Computers running Microsoft Windows."

The Mosquito Trojan horse

Mobile users hit by the Trojan may be stung by an expensive phone bill

Sophos virus experts have advised customers not to panic, following media reports of a Trojan horse that affects cell phones, making them send text messages to premium rate numbers.

The Mosqit Trojan horse is written specifically to work on the Symbian operating system running on a Nokia Series 60 compatible device. The Trojan has been posted on a number of websites and peer-to-peer networks.

Hidden inside the Trojan horse is the following message:

This version has been cracked by SODDOM BIN LOADER No rights reserved. Pirate copies are illegal and offenders will have lotz of phun!!!

"If run on a cell phone this Trojan attempts to send expensive SMS text messages to premium rate numbers," said Graham Cluley, senior technology consultant for Sophos. "This hacked version of the Mosquitos game has an unpleasant sting in its tail. Whether your computer is on your desktop, or sitting in your jacket pocket, you should always exercise great caution about what you install."

The Mosquitos game runs on the Symbian operating system.

The Trojan, which is disguised as a cracked version of a game called "Mosquitos", can be installed onto modern smartphones only after the user has seen several warnings about the possible dangers of installing unsigned applications.

"Obviously the discovery of a Trojan horse that can send expensive SMS text messages is going to generate interest in the media, but it's important to remember that the biggest virus problem remains on conventional desktop Windows PCs which are regularly assaulted by worms via the internet." continued Cluley.

The Cuebot-K Worm

The fake Windows Genuine Advantage tool (wgavn.exe) has been named W32/Cuebot-K by Sophos.

Cuebot-K propagates by sending itself as a file named "wgavn.exe" to the people in the user's "Buddy List", without any accompanying message, Cluley said.

I just viewed Sophos' threat analyses page (by name, letter C), but they don't have the article for Cuebot-K yet (maybe later). At the time of this writing, they have articles for Cuebot-A to Cuebot-J only. At least it is detected now, and let's hope that all other security vendors that have malware detection for worms will be able to protect users soon!

@All instant messaging users, please see "Click a link.. get infected?" or read some tips for Safer Instant Messaging to avoid such infections when using instant messengers.

Update: Sophos has the Cuebot-K article up, where it confirms that the worm W32/Cuebot-K spreads via AOL Instant Messenger. (Thanks to Microsoft MVP Harry Waldron.)

Published Friday, June 30, 2006 7:46 PM by donna. Filed under: General Security News.

Trackback, Saturday, July 01, 2006 9:15 AM, from Donna's SecurityFlash: Trend Micro named the fake Windows Genuine Advantage tool BKDR_IRCBOT.DB and published a behavior diagram of the malware. The fake Windows Genuine Advantage Tools is now detected by Trend Micro. They also posted the behavior...