Classification

Category: Malware
Type: Worm
Aliases: Timofon, Timofonica

Summary

This is a simple VBS email chain letter, much like the LoveLetter worm.

What makes this virus special is that it sends SMS short messages to GSM phones. The messages are sent to random numbers via an SMS gateway at Movistar.net.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant: Timofon.A

VBS/Timofonica sends email messages like this:

From: name-of-infected-user
To: random-name-from-address-book
Subject: TIMOFONICA
Content:
Es de todos ya conocido el monopolio de Telefonica pero no tan conocido
los metodos que utilizo para llegar hasta este punto. En el documento
adjunto existen opiniones, pruebas y direcciones web con mis
informacion que demuestran irregularidades en compras de materiales,
facturas sin proveedores, stock irreal, etc. Tambien habla de las
extorsiones y favoritismos a empresarios tanto nacionales como
internacionales. Explica tambien el por que del fracaso en Holanda y que
hizo para adquirir el portal Lycos. En las direcciones web del documento
existen temas relacionados para que echeis un vistazo a los comentarios,
informes, documentos, etc. Como comprendereis, esto es muy
importante, y os ruego que reenvieis este correo a vuestros amigos y
conocidos.
Attachment: TIMOFONICA.TXT.vbs

The Spanish text criticizes the monopoly of Telefonica, the Spanish telecom operator, and urges the recipient to open the attachment for more information on the subject. It also asks the recipient to forward the email to all their friends. The name "Timofonica" itself is a joke on Telefonica: the word "timo" means trick in Spanish.
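As an added illustration (not code from the original description), a Python mail-filter check that flags the lure above by its fixed subject line and by its double-extension attachment name; the sample messages are constructed here, and the generic decoy/script extension lists are an assumption of this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators from the description above: the lure's subject and attachment name.
WORM_SUBJECT = "TIMOFONICA"
WORM_ATTACHMENT = "timofonica.txt.vbs"
# Assumed generic rule: a script extension hidden behind a "document" one.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
DECOY_EXTS = {".txt", ".doc", ".xls", ".jpg", ".pdf"}


def double_extension(name):
    """True for names like 'X.TXT.vbs': a script extension behind a decoy one."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, script = parts
    return "." + script in SCRIPT_EXTS and "." + decoy in DECOY_EXTS


def scan_message(raw):
    """Return the reasons a raw RFC 822 message looks like the Timofonica lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg.get("Subject") or "").strip().upper() == WORM_SUBJECT:
        reasons.append("subject matches worm lure")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts carry no filename
        if name.lower() == WORM_ATTACHMENT:
            reasons.append("known worm attachment name: " + name)
        elif double_extension(name):
            reasons.append("script hidden behind double extension: " + name)
    return reasons


def build_sample(subject, attachment_name):
    """Constructed test message (not a real capture) with one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content("Es de todos ya conocido el monopolio de Telefonica ...")
    # The attachment content is an inert placeholder, not the worm's script.
    m.add_attachment(b"' placeholder\r\n", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```

Feed scan_message() the raw bytes of an inbound message; a non-empty result is the signal to quarantine it rather than deliver it.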

When the attachment is opened, the worm adds an infection marker to the registry, so it will not execute more than once. This marker is:

HKCU\Software\Microsoft\Windows\CurrentVersion\Timofonica

Then it modifies the settings of Outlook 9.0 so that sent messages are not saved, which means the user cannot see that the worm has sent itself.

The worm also creates "cmos.com" and modifies the registry to run it when the system is restarted:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Cmos

The CMOS.COM file is a trojan. When run, it erases the CMOS memory and attempts to read the MBRs of the first four physical hard disks. If it succeeds, it erases the MBRs of these disks, as well as the MBRs and DOS Boot Records of all extended partitions on them.

Then it copies itself to "C:\TIMOFONICA.TXT.vbs" and creates a plain text file "C:\TIMOFONICA.TXT" that contains the following text:

Comentarios
===========
....
Tarifa plana de 6000 pts/mes.
Extorsion.
A principio de 1.998 tras un seguimiento de su gestion se
descubrieron numerosas irregularidades en su gestion, amparadas
hasta el momento, en el desconocimiento que nosotros teníamos
sobre Internet.
Compras de materiales, que nunca aparecio por ningún lado, pero si
la factura del proveedor.
....
Yo pienso que si Timofonica (ke a fin de kuentas es la dueña de
Terra) kiere soltar dineros para una ONG, no le hace falta hacer
este tipo de acto solidario, es mas, me parece misero y ridikula
la kantidad de un millon de pesetas ..
Son unos ridikulos de mierda, un millon de pesetas para ellos no
es nada, pero un millon de hits en sus paginas mas a final de mes
supone una pekeña subidita en las acciones de Terra en Bolsa.
Total, ke Terra no son las Hermanitas de los Pobres (pobres
monjas, kompararlas kon los chupasangres de Timofonica), NI
NOSOTROS SEMOS GILIPOLLAS !!!
Podran decir ke estamos obsesionados, ke tamos en kontra de
Timofonika, ke protestamos por vicio, PERO ES KE EN 3 AÑOS KE
LLEVO EN INET SOLO LA HAN KAGADO UNA VEZ TRAS OTRA !! SI ES KE SE
LO GANAN A PULSO !!
Lo dicho , todo lo ke güele a Telefonica SUX, o en castellano
tradicional , APESTA !
....
Direcciones
===========
http://www.telefonica.es/
http://www.timofonica.com/
http://100scripts.islaweb.com/scripting-timofonica.html
http://www.www2.labrujula.net/wwwboard/messages2/1165.html
http://www.tinet.org/mllistes/pc/September_1998/msg00005.html
http://area3d.area66.com/forotec/_disc1/0000015b.htm
http://wwh.itgo.com/Phreaking.htm
http://www.rcua.alcala.es/archives/ham-ea/msg00780.html
http://www.areas.org/debate/dp/2/messages/18.html
http://www.fut.es/mllistes/parlem/January_1999/msg00208.html
Visita estas páginas. Estás inivitado.

Once the worm has been executed, double-clicking the VBS file opens the text file that was created previously.

Finally the worm uses Outlook to send itself to all recipients in all address books.

At the same time, the worm sends emails to the SMS gateway at Movistar.net. The number of these emails is the same as the number of recipients listed in the Outlook address book.

These SMS messages are sent to random cellular phone numbers; the worm uses a list of prefixes that limits their distribution. Here is a screenshot of a message as it arrives on a cell phone:

Our only reports of this virus are from Spain, and it is possible that the SMS gateway it uses to send the messages only works in Spain.