First published: 06th June 2000VBS/Timofonica spreads via e-mail, activates via GSM phones
ESPOO, Finland, June 6, 2000 - F-Secure Corporation [HEX: FSC], a leading provider of security for mobile, distributed enterprises, is warning e-mail users of a new version e-mail chain letter: the VBS/Timofonica worm. This worm is similar to the LoveLetter worm that went around the world in early May. However, this new worm activates by sending SMS short messages to random GSM phones. F-Secure Anti-Virus detects and disinfects the virus, with the latest update available from www.F-Secure.com
Allan Dyer, Chief Consultant of Yui Kee Computing commented, "This is not going to cause trouble in Hong Kong, at most we will see a small number of isolated incidents in companies with contacts in Spain."
This worm spreads by e-mail, much like LoveLetter. The e-mail messages sent by
Timofonica look like this:
From: name-of-infected-user To: random-name-from-address-bookTimofonica operates under Windows operating system and needs Microsoft Outlook to spread itself further via e-mail.
Content: Es de todos ya conocido el monopolio de Telefnica pero no tan conocido los mtodos que utiliz para llegar hasta este punto. En el documento adjunto existen opiniones, pruebas y direcciones web con ms informacin que demuestran irregularidades en compras de materiales, facturas sin proveedores, stock irreal, etc. Tambin habla de las extorsiones y favoritismos a empresarios tanto nacionales como internacionales. Explica tambin el por qu del fracaso en Holanda y qu hizo para adquirir el portal Lycos. En las direcciones web del documento existen temas relacionados para que echis un vistazo a los comentarios, informes, documentos, etc. Como comprenderis, esto es muy importante, y os ruego que reenviis este correo a vuestros amigos y conocidos. Attachment: TIMOFONICA.TXT.vbs
What makes Timofonica special is that it also sends e-mail messages to an E-mail-to- GSM gateway in Spain. As an end result, the virus might send this SMS message to thousands of random GSM numbers:
informa que: Telefnica te est engaando.
"This seems to be a political virus", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. "Apparently the virus is trying to protest against the phone monopoly system in Spain - and it attempts to do this by sending the message directly to people's mobile phones."
Currently, there's no information on where the virus may have originated from. There are no obvious clues in the source code of the virus other than that it is obviously written in Spain.
So far, F-Secure has received reports of this new virus only from Spain. Also, apparently the SMS gateway will only send messages to Spanish GSM phones, limiting the exposure to Spanish users.
"This is the first ever virus to do anything with mobile phones", continues Hypponen. "However, this is not a mobile phone virus - it does not spread through phones, it just sends annoying message to them."
F-Secure Corporation launched F-Secure Anti-Virus for WAP Gateways in Febuary 2000 to protect WAP mobile phone systems against virus attacks.
A technical description of this virus is available in the F-Secure virus description database at: http://www.F-Secure.com/v-descs/timofon.shtml