Weekly Report on Viruses and Intruders – Mytob Worm Affecting Cell Phones

The new variants of Mytob are S, U, V and W, and they have backdoor Trojan characteristics. One of the greatest dangers of this worm lies in its ability to modify system “hosts” files. It does this to prevent users connecting to the web pages of certain antivirus developers. Because of this modification, infected users won’t be able to receive the updates needed to eliminate this malicious code.

The worm spreads using the LSASS vulnerability, through shared network resources and by email, getting the addresses from files on the system, avoiding certain addresses, including Panda Software’s.

The new TruPreventTM technologies included in Panda Software’s solutions to protect against unknown malware detect these variants of Mytob without the need to be updated. Thanks to these technologies, numerous malicious code are blocked before they can infect computers with Panda solutions installed.

This week also witnessed the appearance of Cabir.J, a worm that affects cell phones running the Symbian 60 series operating systems. It propagates via Bluetooth and MMS (Multimedia Messaging Service) messages and requires users to respond to a security warning in order to spread.

When it is run, Cabir.J searches for other devices in the proximity connected using Bluetooth. If it finds any, it sends a copy of itself in an SIS file.

Cabir.J uses the following procedure to spread using MMS messages:

It monitors SMS and MMS messages received on the phone.

It responds automatically to messages received with an MMS message including a copy of itself in a file called INFO.SIS.

To prevent infection from Cabir, it is advisable to disable Bluetooth when it is not necessary and not to install anything on the system unless you have downloaded or requested it specifically.

In addition to malware, in this report we are also looking at several websites that try to attract user by offering cheap flights. However the real aim of these web pages is not to sell anything, but to get users to enter their credit card details which will then fall into the hands of cyber-crooks.

The scam starts when an unsuspecting user searches for airline ticket offers with an Internet search engine, such as Google. This takes them to an Internet address offering cheap flights. The site includes a form asking the user to enter personal details, including their credit card number, expiry date and verification value (CVV). Once these details have been entered, to prolong the illusion, an error page is displayed telling the user that the transaction has been unsuccessful, and offering instructions on how to pay for the ticket.

Until now, the websites identified -which had been disabled by the authorities- offered airline tickets, but it is highly likely that there will be many others offering any other type of “bargain” with the same objective.

Don't miss