A new virus author -- this one apparently upset with the telephone monopoly in Spain -- has decided to reach out and touch cell phone users.
On Tuesday, anti-virus firms announced that the first text-paging worm had started spamming users of the cell phone system operated by the Spanish phone company Telefonica.
The firms doubted that the Timofonica worm -- which operates in a manner similar to that of the recent 'ILOVEYOU' worm -- would spread far. But the latest outbreak underscored the message that viruses and worms pose a danger to more than just PCs.
"Timofonica does not infect your cell phone," stressed Dan Takata, technical training manager for anti-virus firm F-Secure Corp. "But somewhere down the line we will see viruses that do."
Timofonica operates in much the same way as the ILOVEYOU worm. The worm arrives in a file called Timofonica.txt.vbs attached to a Trojan horse-like e-mail written in Spanish decrying the state of the telephone monopoly, Telefonica. Readers of the e-mail are directed to open the attachment for more "proof" and information regarding the phone company's alleged illegal activities. Under the default settings for Windows, the ".vbs" extension will be invisible, leading many users to believe that they file is indeed a text file.
Unlike many other viruses and worms that have attacked computers worldwide, Timofonica has a political statement to make. The worm sends a message to each address in the Microsoft Outlook address book. When translated, it reads:
Everyone is now well-acquainted with Telefonica's monopoly, but less well-known are the methods the company used to arrive at that point. In the following attachment there are opinions, proof and Web addresses with additional information that demonstrate irregularities in the purchase of materials, invoices without vendors, fictitious stock, etc. This documentation also speaks of extortion and favoritism towards national and international businessmen. They explain the reasons behind the fiasco in Holland, and what the company did to acquire Lycos. There are some related themes in the Web links, so you can take a look at the comments, commentaries, information, documents, etc. As you will understand, this is very important, and I beg you to forward this mail to your friends and contacts.
Once the attachment is opened, the worm will trigger and -- on systems using Microsoft Outlook and with the Windows Scripting Host activated (which is the default) -- will send a copy of itself to every address in the Outlook address book.
Timofonica -- a play on Telefonica, using the Spanish word "timo" for swindle or rip-off -- will also leave a file named cmos.com, which will delete the computer's basic settings the next time it restarts, according to a technical analysis written by anti-virus firm Trend Micro Inc.
Finally, the worm also sends an e-mail message to an e-mail-to-GSM gateway used by Telefonica's Moviestar service. The address is made up of a valid Telefonica area code and a random 6-digit number appended to the "@correo.moviestar.net" base address.
While many of the random GSM numbers used as e-mail addresses may not be valid, anti-virus firms worried that the worm would encourage other virus authors to follow suit. "Our concern is that now that this worm has reached out and touched another device that other versions may do something worse," said Vincent Gullotto, director of security software maker Network Associates anti-virus labs, known as 'Avert'.
With more emphasis being placed on the Wireless Access Protocol (WAP), which allows Web-like functionality through cell phones, and its language WML, the next-generation of cell phone users to fall victim to a Timofonica-like virus could find themselves getting a busy signal.
It seems that most of the world is still reeling from the shock of the cutely and seductively named ILOVEYOU virus. Go with Peter Coffee to AnchorDesk UK and read the news comment to find out how easy it was and the perils that lie ahead.
Take me to the Virus Workshop