A new virus author -- this one apparently upset with the telephone monopoly in Spain -- has decided to reach out and touch mobile phone users.
On Tuesday, anti-virus companies announced that the first text-paging savvy worm had started spamming users of the mobile phone system operated by the Spanish phone company Telefonica.
The firms doubted that the Timofonica worm -- which operates in a manner similar to that of the ILOVEYOU worm -- would spread far. But the latest outbreak underscored the message that viruses and worms pose a danger to more than just PCs.
"Timofonica does not infect your cell phone," stressed Dan Takata, technical training manager for anti-virus firm F-Secure Corp. "But somewhere down the line, we will see viruses that do."
ILOVEYOU on the phone
Timofonica operates in much the same way as the ILOVEYOU worm.
The worm arrives in a file called Timofonica.txt.vbs attached to a Trojan-Horse-like e-mail written in Spanish decrying the state of the telephone monopoly, Telefonica. Readers of the e-mail are directed to open the attachment for more "proof" and information regarding the phone company's alleged illegal activities. Under the default settings for Windows, the ".vbs" extension will be invisible, leading many users to believe that they file is indeed a text file.
Unlike many other viruses and worms that have attacked computers worldwide, Timofonica has a political statement to make. The worm sends a message to each address in the Microsoft Outlook address book. When translated, it reads:
Everyone is now well acquainted with Telefonica's monopoly, but less well-known are the methods the company used to arrive at that point. In the following attachment there are opinions, proof and Web addresses with additional information that demonstrate irregularities in the purchase of materials, invoices without (or from illegitimate) sources, non-existent (or counterfeit) stock, etc. This documentation speaks as well of extortion and favouritism towards national and international businessmen. They explain the reasons behind the debacle in Holland, and what the company did to acquire Lycos. There are some related themes in the web links so that you get a glimpse on the comments, commentaries, information, documents, etc. As you will understand, this is very important, and I beg you to forward this mail to your friends and contacts.
Once the attachment is opened, the worm will trigger and -- on systems using Microsoft Outlook and with the Windows Scripting Host activated (which is the default) -- will send a copy of itself to every address in the Outlook address book.
Timofonica -- a play on Telefonica, using the Spanish word "timo" for swindle or rip-off -- will also leave a file cmos.com, which will delete the computer's basic settings the next time it restarts, according to a technical analysis written by anti-virus firm Trend Micro.
Finally, the worm also sends an e-mail message to an e-mail-to-GSM gateway used by Telefonica's Moviestar service. The address is made up of a valid Telefonica area code and a random 6-digit number appended to the "@correo.moviestar.net" base address.
While many of the random GSM numbers used as e-mail addresses may not be valid, anti-virus companies worried that the worm would encourage other virus authors to follow suit.
"Our concern is that -- now that this worm has reached out and touched another device -- that other versions may do something worse," said Vincent Gullotto, director of security software maker Network Associates anti-virus labs known as AVERT.
With more emphasis being place on the Wireless Access Protocol (WAP), which allows Web-like functionality through mobile phones, and its language WHTML, the next-generation of mobile users to fall victim to a Timofonica-like virus could find themselves getting a busy signal.
