Timofon

Classification

Malware

Worm

VBS

Timofon, Timofonica

Summary

This is a simple VBS email chain letter, much like the LoveLetter worm.

What makes this virus special is that it sends SMS short messages to GSM phones. Messages are sent to random numbers via a SMS gateway at Movistar.net.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Variant:Timofon.A

VBS/Timofonica sends email messages like this:

From: name-of-infected-user
 To: random-name-from-address-book
 Subject: TIMOFONICA
 Content:
 Es de todos ya conocido el monopolio de Telefonica pero no tan conocido
 los metodos que utilizo para llegar hasta este punto. En el documento
 adjunto existen opiniones, pruebas y direcciones web con mis
 informacion que demuestran irregularidades en compras de materiales,
 facturas sin proveedores, stock irreal, etc. Tambien habla de las
 extorsiones y favoritismos a empresarios tanto nacionales como
 internacionales. Explica tambien el por que del fracaso en Holanda y que
 hizo para adquirir el portal Lycos. En las direcciones web del documento
 existen temas relacionados para que echeis un vistazo a los comentarios,
 informes, documentos, etc. Como comprendereis, esto es muy
 importante, y os ruego que reenvieis este correo a vuestros amigos y
 conocidos.
 Attachment: TIMOFONICA.TXT.vbs

The Spanish text criticizes the monopoly of Telefonica, Spanish telecom operator, and urges users to open the attachment to see more information on the subject. It also asks users to forward this email to all their friends. The word "Timofonica" itself is a joke on Telefonica - the word "Timo" means trick in Spanish.

When the attachment is opened, the worm adds an infection marker to the registry, so it will not execute more than once. This marker is:

HKCU\Software\Microsoft\Windows\CurrentVersion\Timofonica

Then it modifies the settings of Outlook 9.0 so that sent messages will not be saved. This means that the user cannot see that the worm has sent itself.

The worm also creates "cmos.com" and modifies the registry to run it when the system is restarted:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Cmos

The CMOS.COM file is a trojan. After being run it erases CMOS memory and attempts to read MBRs from the first 4 physical hard disks. If it succeeds, the trojan erases MBRs of these hard disks and MBRs and DOS Boot Records of all extended partitions on these hard disks.

Then it copies itself to "C:\TIMOFONICA.TXT.vbs" and creates a plain text file "C:\TIMOFONICA.TXT" that contains the following text:

Comentarios

 ===========

 ....

 Tarifa plana de 6000 pts/mes.

 Extorsion.

 A principio de 1.998 tras un seguimiento de su gestion se

 descubrieron numerosas irregularidades en su gestion, amparadas

 hasta el momento, en el desconocimiento que nosotros ten­amos

 sobre Internet.

 Compras de materiales, que nunca aparecio por ningºn lado, pero si

 la factura del proveedor.

 ....

 Yo pienso que si Timofonica (ke a fin de kuentas es la due±a de

 Terra) kiere soltar dineros para una ONG, no le hace falta hacer

 este tipo de acto solidario, es mas, me parece misero y ridikula

 la kantidad de un millon de pesetas ..

 Son unos ridikulos de mierda, un millon de pesetas para ellos no

 es nada, pero un millon de hits en sus paginas mas a final de mes

 supone una peke±a subidita en las acciones de Terra en Bolsa.

 Total, ke Terra no son las Hermanitas de los Pobres (pobres

 monjas, kompararlas kon los chupasangres de Timofonica), NI

 NOSOTROS SEMOS GILIPOLLAS !!!

 Podran decir ke estamos obsesionados, ke tamos en kontra de

 Timofonika, ke protestamos por vicio, PERO ES KE EN 3 A€˜OS KE

 LLEVO EN INET SOLO LA HAN KAGADO UNA VEZ TRAS OTRA !! SI ES KE SE

 LO GANAN A PULSO !!

 Lo dicho , todo lo ke g¼ele a Telefonica SUX, o en castellano

 tradicional , APESTA !

 ....

 Direcciones

 ===========

 http://www.telefonica.es/

 http://www.timofonica.com/

 http://100scripts.islaweb.com/scripting-timofonica.html

 http://www.www2.labrujula.net/wwwboard/messages2/1165.html

 http://www.tinet.org/mllistes/pc/September_1998/msg00005.html

 http://area3d.area66.com/forotec/_disc1/0000015b.htm

 http://wwh.itgo.com/Phreaking.htm

 http://www.rcua.alcala.es/archives/ham-ea/msg00780.html

 http://www.areas.org/debate/dp/2/messages/18.html

 http://www.fut.es/mllistes/parlem/January_1999/msg00208.html

 Visita estas piginas. Estis inivitado.

Once the worm has been executed, double clicking the VBS file will open the text file that was created previously.

Finally the worm uses Outlook to send itself to all recipients in all address books.

At the same time, the worm sends emails to the SMS gateway at Moviestar.net. The number of emails is the same as the number of recipients listed in the Outlook address book.

These SMS messages are sent to random cellular phone numbers. The worm uses a list of prefixes that limits the distribution of these SMS messages. Here's the screenshot of a message as it arrives in a cell phone:

Our only reports of this virus are from Spain and it is possible that the SMS gateway it uses to send the messages only works in Spain.