Four new Trojans on the loose
Three aimed at mobiles.
By Nancy Gohring, IDG News Service | Published: 16:47, 23 January 2006
Four new Trojans are on the loose, three aimed at mobile phones and a fourth at PCs, anti-virus companies have warned.
The mobile phone worms are disguised as legitimate applications, spread via Bluetooth or multimedia messages, and affect phones running Symbian. The computer worm spreads via e-mail and purports to offer pornography.
The phone worms - Bootton.E, Pbstealer.D and Sendtool.A - have a low infection rate at the moment. The first was spotted last week by F-Secure and Symantec and is potentially the most crippling of the three for those infected. It restarts the mobile but also releases corrupted components that cause a reboot to fail, leaving the device unusable.
Pbstealer.D sends an infected user's contact list, notepad and calendar to-do list to other nearby users via Bluetooth. The third sends malicious programs such as the Pbstealer Trojan to other devices via Bluetooth.
Fortunately, the worms are unlikely to spread very far. "They don't spread quickly because they're not purely autonomous," said Ollie Whitehouse, a researcher with Symantec. Unlike worms on computers, the Trojan horses hitting cell phones spread as attachments that require users to download them.
The PC worm, Nyxem, however, is spreading rapidly and carries a potentially destructive set of instructions. Also nicknamed the Kama Sutra worm, it is programmed to overwrite all of the files on computers it infects on 3 February, said Mikko Hypponen, chief research officer at F-Secure Corp.
F-Secure researchers found the worm truncates files to 20 bytes and causes an error message when one is opened, he said. "We are expecting to see problems in two weeks' time," Hypponen said.
The worm appears to be programmed to overwrite all files on the third day of every month, Hypponen said. So far, there's no indication where Nyxem originated.
While most anti-virus vendors have issued updates for their software, Nyxem is spreading quickly - possibly because it is taking advantage of computers that have already had their anti-virus software disabled by some other virus such as Bagle.
The worm harvests e-mail addresses and then sends itself out again. The e-mail subject line may contain text that says "Miss Lebanon 2006" or "School girl fantasies gone bad," according to Sophos.