Java/Iconsuf.A!tr.dial - Released Feb 17, 2010 - Last Updated Mar 02, 2010
Aliases
Java/RedBrowser.B (AVG), Java.SMSSend.50 (DrWeb), Java/Redbrowser.A (FProt)
Detection Availability
Visible Symptoms
The malware attempts to send SMS messages to short numbers such as 4124.
Detailed Analysis
Java/Iconsuf.A!tr.dial is a Java ME midlet which runs on any mobile phone supporting Java. It poses as a pornographic application but does not actually show any adult content; it merely tries to send SMS messages to (non-free) short numbers.
Technical Details
The trojan consists of several files, packaged in a JAR (Java archive):
- FW.class: this is the main entry point of the midlet.
- c.class: this is the most important class of the trojan. It displays a text requiring the end-user to be over 18, and asks him which size (percentage) of images he'd like to view. 100% corresponds to full view. Each time the end-user reaches a percentage of 70, 75, 80, 85, 90, 93, 96, or 100, the class attempts to send an SMS message to a short number.
- d.class: this class is actually in charge of sending the SMS.
- b.class: this class is in charge of reading resources.
- icon.png: this is the trojan's icon. The short numbers and text to use for SMS messages are hidden (encoded) at the end of the PNG.
- There are a few other irrelevant files.
The trojan typically sends SMS messages to short number 4124 with text 'elzar'.
Recommended Action
Erase the midlet and do not allow it to send SMS messages.