
Java/Iconsuf.A!tr.dial - Released Feb 17, 2010 - Last Updated Mar 02, 2010

Alias/es

Java/RedBrowser.B (AVG), Java.SMSSend.50 (DrWeb), Java/Redbrowser.A (FProt)

Detection Availability

Active Database | Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

The malware attempts to send SMS messages to short numbers such as 4124.

Detailed Analysis

Java/Iconsuf.A!tr.dial is a Java ME midlet which runs on any mobile phone supporting Java. It poses as a pornographic application but does not actually show any adult content; it merely tries to send SMS messages to (non-free) short numbers.



Technical Details


The trojan consists of several files, packaged in a JAR (Java archive):
  • FW.class: this is the main entry point of the midlet.
  • c.class: this is the most important class of the trojan. It displays a text requiring the end user to be over 18, and asks which size (percentage) of images the user would like to view. 100% corresponds to full view. Each time the end user reaches a percentage of 70, 75, 80, 85, 90, 93, 96, and 100, the class attempts to send an SMS message to a short number.
  • d.class: this class is the one actually in charge of sending the SMS.
  • b.class: this class is in charge of reading resources.
  • icon.png: this is the trojan's icon. The short numbers and text to use for SMS messages are hidden (encoded) at the end of the PNG.
  • a few other irrelevant files.

The trojan typically sends SMS messages to short number 4124 with text 'elzar'.

Recommended Action

Erase the midlet and do not allow it to send SMS messages.

Reference: ID - 1536718