Java/Iconsuf.A!tr.dial

Alias/es: Java/RedBrowser.B (AVG), Java.SMSSend.50 (DrWeb), Java/Redbrowser.A (FProt)
Release Date: Feb 17, 2010
Detection Availability
Active Database   Extended Database
FortiGate   low   high
FortiClient
FortiMail   N/A
Current Antivirus Definition Database Version: 12.323
Description

Visible Symptoms

The malware attempts to send SMS messages to short numbers such as 4124.

Detailed Analysis

Java/Iconsuf.A!tr.dial is a Java ME MIDlet that runs on any mobile phone supporting Java. It poses as a pornographic application but does not actually show any adult content; it merely tries to send SMS messages to (non-free) short numbers.



Technical Details


The trojan consists of several files, packaged in a JAR (Java archive):
  • FW.class: this is the main entry point of the midlet.
  • c.class: this is the most important class of the trojan. It displays a text requiring the end-user to be over 18 and asks which size (percentage) of images they would like to view. 100% corresponds to full view. Each time the end-user reaches a percentage of 70, 75, 80, 85, 90, 93, 96, and 100, the class attempts to send an SMS message to a short number.
  • d.class: this class is in charge of actually sending the SMS messages.
  • b.class: this class is in charge of reading resources.
  • icon.png: this is the trojan's icon. The short numbers and text to use for SMS messages are hidden (encoded) at the end of the PNG.
  • There are a few other irrelevant files.

The trojan typically sends SMS messages to short number 4124 with text 'elzar'.
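
Because the configuration is stored at the end of icon.png, a triage check for this family is to look for bytes that follow the PNG's IEND chunk in each image inside a JAR. The sketch below is an added example, not part of the original analysis; the function names and the sample JAR are constructed for illustration, and it only flags trailing data without decoding it, since the encoding is not described here.

```python
import io
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_trailing_data(data):
    """Walk the PNG chunk list and return any bytes stored after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # length + type + body + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF != crc:
            raise ValueError("bad chunk CRC")
        pos = end
        if ctype == b"IEND":
            return data[pos:]            # empty for a clean image
    raise ValueError("no IEND chunk")

def scan_jar(jar):
    """Map each suspicious PNG entry in a JAR (path or file object) to its trailing byte count."""
    findings = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".png"):
                try:
                    extra = png_trailing_data(zf.read(name))
                except ValueError:
                    findings[name] = -1  # malformed PNG, worth manual review
                    continue
                if extra:
                    findings[name] = len(extra)
    return findings

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample_jar(trailer=b""):
    """Constructed test input: a JAR holding a 1x1 icon.png plus an optional trailer."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
           + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("icon.png", png + trailer)
    buf.seek(0)
    return buf
```

A non-empty result from scan_jar is a lead for manual analysis rather than a verdict, since benign tools occasionally append data to images as well.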
Description Last Updated Date: Mar 02, 2010
Reference: ID - 1536718