Kaspersky Threats — Timofonica

Class

Platform

Description

Technical Details

This Internet worm spreads via e-mail by sending infected messages from affected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book. As a result, an infected computer sends as many messages to as many addresses stored in the MS Outlook Contacts List.

The worm is written in the scripting language “Visual Basic Script” (VBS). It works only on computers in which the Windows Scripting Host (WSH) has been installed. In Windows 98 and Windows 2000, WHS is installed by default. To spread itself, the worm accesses MS Outlook and uses its functions and address lists. This is available in Outlook 98/2000 only, so the worm is able to spread only in the case that one of these MS Outlook versions is installed.

When run, the worm sends its copies by e-mail and drops a Trojan program.

Spreading

The worm arrives to a computer as an e-mail message with an attached VBS file that is the worm itself. The message contains the following:

The Subject:

TIMOFONICA

Message body:

Es de todos ya conocido el monopolio de Telef�nica pero no tan conocido
los m�todos que utiliz� para llegar hasta este punto. En el documento adjunto
existen opiniones, pruebas y direcciones web con m�s informaci�n que demuestran
irregularidades en compras de materiales, facturas sin proveedores, stock
irreal, etc. Tambi�n habla de las extorsiones y favoritismos a empresarios
tanto nacionales como internacionales. Explica tambi�n el por qu� del fracaso
en Holanda y qu� hizo para adquirir el portal Lycos. En las direcciones web
del documento existen temas relacionados para que ech�is un vistazo a los
comentarios, informes, documentos, etc. Como comprender�is, esto es muy importante,
y os ruego que reenvi�is este correo a vuestros amigos y conocidos.

Attached file name:

TIMOFONICA.TXT.vbs

Depending on the system settings, the real extension of the attached file (“.vbs”) may not be shown. In this case, a filename of the attached file is displayed as “TIMOFONICA.TXT”.

Being activated by a user (by double clicking on the attached file), the worm opens MS Outlook, gains access to the Address Book, retrieves all of the addresses, and sends messages with its attached copy to all of them. The message
subject, body, and attached file name are the same as above.

In addition, in each sent infected message, the worm sends another message to a randomly generated (numeric) address at the host “correo.movistar.net”, for example “639867159@correo.movistar.net”. The message contains the following:

Subject:

TIMOFONICA

Body:

informa que: Telef�nica te est� enga�ando.

In actuality, the “correo.movistar.net” is an SMS gate that sends SMS messages to phone numbers. The number is the prefix of the e-mail address in the message.

As a result, the worm tries to spam people with SMS messages. The worm sends as many SMS messages to random selected numbers as there are e-mails stored in the address book (the worm sends an SMS message per each infected e-mail message), also installing a Trojan program.

Installing a Trojan program

To install the Trojan program to the system, the worm creates a “Cmos.com” file in the Windows system directory, and writes a code (that stored in worms body) into the file. The worm then registers this file in the system registry in the auto-run section:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunCmos = Cmos.com

During the next Windows startup, the Trojan takes control, erases the CMOS information, and corrupts the information on the local disks.

The worm creates the file “C:TIMOFONICA.TXT” with the following content:

Comentarios
…. Tarifa plana de 6000 pts/mes. Extorsi�n. A principio de 1.998 tras
un seguimiento de su gesti�n se descubrieron numerosas irregularidades en
su gesti�n, amparadas hasta el momento, en el desconocimiento que nosotros
ten�amos sobre Internet. Compras de materiales, que nunca apareci� por ning�n
lado, pero si la factura del proveedor. …. Yo pienso que si Timofonica (ke
a fin de kuentas es la due�a de Terra) kiere soltar dineros para una ONG,
no le hace falta hacer este tipo de acto solidario, es mas, me parece misero
y ridikula la kantidad de un millon de pesetas .. Son unos ridikulos de mierda,
un millon de pesetas para ellos no es nada, pero un millon de hits en sus
paginas mas a final de mes supone una peke�a subidita en las acciones de Terra
en Bolsa. Total, ke Terra no son las Hermanitas de los Pobres (pobres monjas,
kompararlas kon los chupasangres de Timofonica), NI NOSOTROS SEMOS GILIPOLLAS
!!! Podran decir ke estamos obsesionados, ke tamos en kontra de Timofonika,
ke protestamos por vicio, PERO ES KE EN 3 ATOS KE LLEVO EN INET SOLO LA HAN
KAGADO UNA VEZ TRAS OTRA !! SI ES KE SE LO GANAN A PULSO !! Lo dicho , todo
lo ke g#ele a Telefonica SUX, o en castellano tradicional , APESTA ! ….

Direcciones
http://www.telefonica.es/
http://www.timofonica.com/
http://100scripts.islaweb.com/scripting-timofonica.html
http://www.www2.labrujula.net/wwwboard/messages2/1165.html
http://www.tinet.org/mllistes/pc/September_1998/msg00005.html
http://area3d.area66.com/forotec/_disc1/0000015b.htm
http://wwh.itgo.com/Phreaking.htm
http://www.rcua.alcala.es/archives/ham-ea/msg00780.html
http://www.areas.org/debate/dp/2/messages/18.html
http://www.fut.es/mllistes/parlem/January_1999/msg00208.html

Visita estas p�ginas. Est�s inivitado.

Then, the worm modifies system registry to display this file content (in Notepad
window) instead of run any VBS file.

To restore normal functionalty for VBS files association you may run in Command
Prompt window following instruction:

WSCRIPT //H:WSCRIPT

Class	Email-Worm
Platform	VBS
Description	Technical Details This Internet worm spreads via e-mail by sending infected messages from affected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book. As a result, an infected computer sends as many messages to as many addresses stored in the MS Outlook Contacts List. The worm is written in the scripting language “Visual Basic Script” (VBS). It works only on computers in which the Windows Scripting Host (WSH) has been installed. In Windows 98 and Windows 2000, WHS is installed by default. To spread itself, the worm accesses MS Outlook and uses its functions and address lists. This is available in Outlook 98/2000 only, so the worm is able to spread only in the case that one of these MS Outlook versions is installed. When run, the worm sends its copies by e-mail and drops a Trojan program. Spreading The worm arrives to a computer as an e-mail message with an attached VBS file that is the worm itself. The message contains the following: The Subject: TIMOFONICA Message body: Es de todos ya conocido el monopolio de Telef�nica pero no tan conocido los m�todos que utiliz� para llegar hasta este punto. En el documento adjunto existen opiniones, pruebas y direcciones web con m�s informaci�n que demuestran irregularidades en compras de materiales, facturas sin proveedores, stock irreal, etc. Tambi�n habla de las extorsiones y favoritismos a empresarios tanto nacionales como internacionales. Explica tambi�n el por qu� del fracaso en Holanda y qu� hizo para adquirir el portal Lycos. En las direcciones web del documento existen temas relacionados para que ech�is un vistazo a los comentarios, informes, documentos, etc. Como comprender�is, esto es muy importante, y os ruego que reenvi�is este correo a vuestros amigos y conocidos. Attached file name: TIMOFONICA.TXT.vbs Depending on the system settings, the real extension of the attached file (“.vbs”) may not be shown. In this case, a filename of the attached file is displayed as “TIMOFONICA.TXT”. Being activated by a user (by double clicking on the attached file), the worm opens MS Outlook, gains access to the Address Book, retrieves all of the addresses, and sends messages with its attached copy to all of them. The message subject, body, and attached file name are the same as above. In addition, in each sent infected message, the worm sends another message to a randomly generated (numeric) address at the host “correo.movistar.net”, for example “639867159@correo.movistar.net”. The message contains the following: Subject: TIMOFONICA Body: informa que: Telef�nica te est� enga�ando. In actuality, the “correo.movistar.net” is an SMS gate that sends SMS messages to phone numbers. The number is the prefix of the e-mail address in the message. As a result, the worm tries to spam people with SMS messages. The worm sends as many SMS messages to random selected numbers as there are e-mails stored in the address book (the worm sends an SMS message per each infected e-mail message), also installing a Trojan program. Installing a Trojan program To install the Trojan program to the system, the worm creates a “Cmos.com” file in the Windows system directory, and writes a code (that stored in worms body) into the file. The worm then registers this file in the system registry in the auto-run section: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunCmos = Cmos.com During the next Windows startup, the Trojan takes control, erases the CMOS information, and corrupts the information on the local disks. The worm creates the file “C:TIMOFONICA.TXT” with the following content: *Comentarios* …. Tarifa plana de 6000 pts/mes. Extorsi�n. A principio de 1.998 tras un seguimiento de su gesti�n se descubrieron numerosas irregularidades en su gesti�n, amparadas hasta el momento, en el desconocimiento que nosotros ten�amos sobre Internet. Compras de materiales, que nunca apareci� por ning�n lado, pero si la factura del proveedor. …. Yo pienso que si Timofonica (ke a fin de kuentas es la due�a de Terra) kiere soltar dineros para una ONG, no le hace falta hacer este tipo de acto solidario, es mas, me parece misero y ridikula la kantidad de un millon de pesetas .. Son unos ridikulos de mierda, un millon de pesetas para ellos no es nada, pero un millon de hits en sus paginas mas a final de mes supone una peke�a subidita en las acciones de Terra en Bolsa. Total, ke Terra no son las Hermanitas de los Pobres (pobres monjas, kompararlas kon los chupasangres de Timofonica), NI NOSOTROS SEMOS GILIPOLLAS !!! Podran decir ke estamos obsesionados, ke tamos en kontra de Timofonika, ke protestamos por vicio, PERO ES KE EN 3 ATOS KE LLEVO EN INET SOLO LA HAN KAGADO UNA VEZ TRAS OTRA !! SI ES KE SE LO GANAN A PULSO !! Lo dicho , todo lo ke g#ele a Telefonica SUX, o en castellano tradicional , APESTA ! …. Direcciones http://www.telefonica.es/ http://www.timofonica.com/ http://100scripts.islaweb.com/scripting-timofonica.html http://www.www2.labrujula.net/wwwboard/messages2/1165.html http://www.tinet.org/mllistes/pc/September_1998/msg00005.html http://area3d.area66.com/forotec/_disc1/0000015b.htm http://wwh.itgo.com/Phreaking.htm http://www.rcua.alcala.es/archives/ham-ea/msg00780.html http://www.areas.org/debate/dp/2/messages/18.html http://www.fut.es/mllistes/parlem/January_1999/msg00208.html Visita estas p�ginas. Est�s inivitado. Then, the worm modifies system registry to display this file content (in Notepad window) instead of run any VBS file. To restore normal functionalty for VBS files association you may run in Command Prompt window following instruction: WSCRIPT //H:WSCRIPT

Email-Worm.VBS.Timofonica

Technical Details

Spreading

Installing a Trojan program