Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload:
Detection files published: 06 Jun 2000 03:00:00
Description created: 06 Jun 2000 03:00:00
Description updated: 26 Nov 2002 04:05:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL
Summary: None

VBS/Timofon.A@mm

Spreading

This worm also does something quite unusual. For every email it sends out to address book entries, it sends an email to a semi-random address at xxx-xxxxxx@correo.movistar.net (where x's denote random numbers). This email does not contain the virus, only a short text message:


Subject:


Body:

informa que: Telefónica te está engañando.

The random addresses at movistar.net seem to be SMS addresses, so it appears that this worm actually sends a text message to random mobile phones.
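
The recipient shape described above (three digits, a hyphen, six digits, at correo.movistar.net) can serve as a mail-log indicator for an infected sender. The following is an added example, not part of the original description; the log format, the sample lines and the threshold of three recipients are constructed assumptions.

```python
import re
from collections import defaultdict

# Recipient shape described on the page: xxx-xxxxxx@correo.movistar.net, x = digit.
SMS_GATEWAY_RCPT = re.compile(r"\d{3}-\d{6}@correo\.movistar\.net")

# Assumed, simplified log format (not from the page):
#   <timestamp> from=<sender> to=<recipient>
LOG_LINE = re.compile(r"(?P<ts>\S+)\s+from=<(?P<sender>[^>]*)>\s+to=<(?P<rcpt>[^>]*)>\s*")

# Constructed sample data; the numeric local parts are made up for illustration.
SAMPLE_LOG = """\
2000-06-06T09:00:01 from=<alice@example.org> to=<bob@example.com>
2000-06-06T09:00:01 from=<alice@example.org> to=<612-004417@correo.movistar.net>
2000-06-06T09:00:02 from=<alice@example.org> to=<carla@example.net>
2000-06-06T09:00:02 from=<alice@example.org> to=<609-381205@correo.movistar.net>
2000-06-06T09:00:03 from=<alice@example.org> to=<dan@example.com>
2000-06-06T09:00:03 from=<alice@example.org> to=<630-772940@correo.movistar.net>
2000-06-06T10:15:40 from=<carol@example.org> to=<619-555012@correo.movistar.net>
2000-06-06T11:02:10 from=<dave@example.org> to=<info-123456@correo.movistar.net>
2000-06-06T11:02:11 from=<dave@example.org> to=<6091-38120@correo.movistar.net>
this line is not a delivery record
"""

def find_suspect_senders(log_text, min_gateway_rcpts=3):
    """Return {sender: sorted matching recipients} for senders that mailed at
    least min_gateway_rcpts distinct numeric addresses at the gateway domain."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.fullmatch(line)
        if not m:
            continue  # skip malformed or unrelated lines
        rcpt = m.group("rcpt").strip().lower()
        if SMS_GATEWAY_RCPT.fullmatch(rcpt):
            hits[m.group("sender").lower()].add(rcpt)
    # A single matching recipient can be a deliberate text message; several
    # distinct ones from one sender fit the one-per-outgoing-mail behaviour.
    return {s: sorted(r) for s, r in hits.items() if len(r) >= min_gateway_rcpts}

if __name__ == "__main__":
    for sender, rcpts in find_suspect_senders(SAMPLE_LOG).items():
        print(f"{sender}: {len(rcpts)} numeric gateway recipients: {', '.join(rcpts)}")
```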

Payload Details

At installation time, the worm drops a file called CMOS.COM into the Windows system directory and adds a link to it in the registry so that it will be started during the next bootup. This file will attempt to wipe the CMOS memory (normally trivial damage) and overwrite the boot sectors of the floppy and hard disks with garbage (serious damage).

Analysis

n/a

Removal

The Visual Basic Script viruses rely on the association between .VBS files and Windows Scripting Host to execute.


Last Updated: 12 Nov 2015 11:06:11