
Thread: Trojan targets mobile phones running Java (J2ME) applications

  1. #1
    Join Date
    May 2008
    Posts
    193

    Trojan targets mobile phones running Java (J2ME) applications

    Overview -

    This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

    Aliases

    * Trojan-SMS.J2ME.RedBrowser.a

    Characteristics -

    The risk assessment of this threat has been updated to Low-Profiled as it represents a new Proof of Concept (POC) for premium-rate SMS fraud on a variety of mobile platforms.
    --

    J2ME/RedBrowser.a is a trojan horse program that pretends to access WAP web pages via SMS messages. In reality instead of retrieving WAP pages, it sends SMS messages to Premium Rate numbers thus costing the user more than intended.

    Symptoms -

    J2ME/RedBrowser.a arrives in a JAR file named “redbrowser.jar”.

    Upon startup the following text (translated from Russian) is displayed:

    "Carefully read following description of RedBrowser program This program allows viewing WAP pages without GPRS connection.

    RedBrowser connects to SMS server of your operator (MTS, BEELINE, MEGAFON).

    Page is loaded by receiving encoded SMS. First 5Mb (650 SMS) of traffic are provided free of charge in test mode. ATTENTION!!! Program RedBrowser works ONLY on above mentioned cellular operators."

    J2ME/RedBrowser.A currently is known to run on the following phones:

    + Nokia 6681
    + Sony-Ericsson W800i
    + Blackberry 8700c




    Figure 1 - Logo displayed by Redbrowser.A on startup.


    The user will be continually prompted to allow the sending of the SMS messages.




    Figure 2 - The user is continually prompted to allow the SMS messages to be sent





    Figure 3 - Redbrowser.a claims to download WAP pages via SMS.


    SMS sending does not appear to function completely in the United States; we are currently assuming this is due to the numbers dialed being local to Russia.

    J2ME/RedBrowser.a appears to have been written using the MIDletPascal programming tool.

    The malware will not install on the P900 due to its use of a restricted API.

    Method of Infection -

    This malware requires that the user intentionally install it upon the device. As always, users should never install unknown or un-trusted software. This is especially true for illegal software, such as cracked applications—they are a favorite vector for malware infection.

    Removal -

    All Users:
    Use current engine and DAT files for detection. Delete any file which contains this detection.

    Source
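
A defender-side triage sketch for the kind of package described in the post above, added here as an example and not part of the original post or the vendor's detection: it statically checks a MIDlet JAR for SMS-sending capability through the MIDP 2.0 permission attributes and Wireless Messaging API references in class files. The sample JAR and its names are constructed inline; the post does not say which permissions RedBrowser itself declares.

```python
import io
import zipfile

# MIDP 2.0 permission names and JSR 120 (Wireless Messaging API) markers.
SMS_PERMISSIONS = {"javax.microedition.io.Connector.sms",
                   "javax.wireless.messaging.sms.send"}
SMS_CLASS_MARKERS = (b"javax/wireless/messaging/", b"sms://")

def parse_manifest(text):
    """Parse main manifest attributes, joining wrapped continuation lines."""
    attrs, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:      # continuation of previous value
            attrs[key] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            attrs[key] = value.lstrip()
        elif attrs:                           # blank line ends the main section
            break
    return attrs

def triage_midlet_jar(jar_bytes):
    """Return SMS-related indicators found in a MIDlet JAR (static check only)."""
    report = {"permissions": [], "classes": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            data = jar.read(name)
            if name.upper() == "META-INF/MANIFEST.MF":
                attrs = parse_manifest(data.decode("utf-8", "replace"))
                asked = ",".join(attrs.get(f, "") for f in
                                 ("MIDlet-Permissions", "MIDlet-Permissions-Opt"))
                asked = {p.strip() for p in asked.split(",")}
                report["permissions"] = sorted(SMS_PERMISSIONS & asked)
            # A JAR may omit the permission attributes, so also scan class files.
            elif name.endswith(".class") and any(m in data for m in SMS_CLASS_MARKERS):
                report["classes"].append(name)
    return report

def build_sample_jar():
    """Constructed sample JAR for the demo; not the real trojan."""
    manifest = ("Manifest-Version: 1.0\r\n"
                "MIDlet-Name: SampleBrowser\r\n"
                "MIDlet-Permissions: javax.microedition.io.Connector.http,javax.wirel\r\n"
                " ess.messaging.sms.send\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("Main.class", b"\xca\xfe\xba\xbe javax/wireless/messaging/MessageConnection")
        jar.writestr("Ui.class", b"\xca\xfe\xba\xbe javax/microedition/lcdui/Form")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_midlet_jar(build_sample_jar()))
```

A hit only means the application is able to send SMS; string markers that are obfuscated or built at runtime will not be found by this scan.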

  2. #2
    Join Date
    Dec 2007
    Posts
    493
    Will it infect my Sony Ericsson W550i also?

  3. #3
    Join Date
    Aug 2008
    Posts
    281
    Well, this is something new to me. I wasn't aware of the fact that Java-based phones can also get viruses & trojans in them!
    I need to get updated with this!
