Hello! Who's speaking? - The Virus!

05 Jun 2000
Virus News

Kaspersky Lab Int. reports the appearance of a new virus "I-Worm.Timofonica," which spams MOBILE PHONES.

Cambridge, UK, June 6, 2000 - Kaspersky Lab Int., a fast-growing international anti-virus software development company, announces the discovery of a new Internet worm, "Timofonica," which spams mobile phones connected to the Spanish operator "Movistar" with annoying SMS messages. The virus has been reported to be in the wild in Spain.

Detection and disinfection routines for this worm have been added to the latest AntiViral Toolkit Pro (AVP) daily update.

This Internet worm spreads via e-mail by sending infected messages from affected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book. As a result, an infected computer sends as many messages as there are addresses stored in the MS Outlook Contacts List.

In addition, for each infected message it sends, the worm sends another message to a randomly generated (numeric) address at the host "correo.movistar.net." The host "correo.movistar.net" is actually an SMS gate that sends SMS messages to phone numbers. The phone number is the prefix of the e-mail address in the message.

As a result, the worm tries to spam people with SMS messages. The worm sends as many SMS messages to randomly selected numbers as there are e-mail addresses stored in the address book (one SMS message for each infected e-mail message).
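The pairing described above (one numeric-address message to the SMS gate for every ordinary infected message) is something a mail administrator can look for in outbound relay logs. The following is an added example, not part of the original report: the "sender recipient" log format, the addresses, the phone numbers and the `min_sms` threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

SMS_GATE = "correo.movistar.net"       # gateway host named in the report
NUMERIC_LOCAL = re.compile(r"^\d+$")   # worm uses purely numeric prefixes

# Constructed sample relay log: "sender recipient" per line (assumed format).
SAMPLE_LOG = """\
pc17@example.test alice@example.test
pc17@example.test 600000001@correo.movistar.net
pc17@example.test bob@example.test
pc17@example.test 600000002@correo.movistar.net
pc17@example.test carol@example.test
pc17@example.test 600000003@correo.movistar.net
bob@example.test alice@example.test
bob@example.test carol@example.test
bob@example.test dave@example.test
bob@example.test 600000009@correo.movistar.net
pager@example.test 600000004@correo.movistar.net
pager@example.test 600000005@correo.movistar.net
pager@example.test 600000006@correo.movistar.net
"""

def summarize(log_text):
    """Per sender: count of ordinary messages and list of SMS-gate numbers."""
    stats = defaultdict(lambda: {"mail": 0, "sms": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or "@" not in parts[1]:
            continue  # skip malformed lines
        sender, rcpt = parts[0].lower(), parts[1].lower()
        local, _, host = rcpt.rpartition("@")
        if host == SMS_GATE and NUMERIC_LOCAL.match(local):
            stats[sender]["sms"].append(local)
        else:
            stats[sender]["mail"] += 1
    return dict(stats)

def suspicious_senders(log_text, min_sms=3):
    """Flag senders whose SMS-gate messages pair about 1:1 with ordinary mail."""
    flagged = []
    for sender, s in summarize(log_text).items():
        distinct = len(set(s["sms"]))
        paired = abs(len(s["sms"]) - s["mail"]) <= 1
        if distinct >= min_sms and paired:
            flagged.append(sender)
    return sorted(flagged)
```

A user who texts one phone, or a monitoring system that only sends to the gateway, does not match; the signal is many distinct numeric recipients interleaved one-to-one with ordinary mail from the same sender.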

The worm is written in the scripting language "Visual Basic Script" (VBS). It works only on computers on which the Windows Scripting Host (WSH) is installed. In Windows 98 and Windows 2000, WSH is installed by default. To spread itself, the worm accesses MS Outlook and uses its functions and address lists. This functionality is available in Outlook 98/2000 only, so the worm can spread only if one of these MS Outlook versions is installed.

When run, the worm sends its copies by e-mail and drops a Trojan program.

Technical description