NEWS FROM THE LAB - April 2005


Friday, April 29, 2005

XP SP3? Posted by Mikko @ 13:36 GMT

Greetings from the launch happening of the National Data Security Day in Sweden.

Sweden is joining Ireland, Denmark, Finland and some other European countries in hosting a national day focusing on educating users about computer security. Title of the day in Sweden is "Surfa Lugnt".

The launch party was held today close the Kings Castle in downtown Stockholm. The launch was keynoted speaker was Steve Ballmer (CEO of Microsoft), Ulrica Messing (Swedish Minister for Communications), Per Hellqvist (Symantec) and me.

Steve Ballmer on stage

Mr. Ballmer made some interesting remarks: Microsoft might indeed ship SP3 for Windows XP before longhorn comes out. Also, upcoming version 7 of Internet Explorer should have anti-phishing technology built-in.

Signing off,

Mikko & Steve
Mikko & Steve


Thursday, April 28, 2005

BLUE7OO7H Posted by Mikko @ 13:54 GMT

Mr. Thierry Zoller from Luxembourg got in touch with us.

He writes:

  Dear F-Secure Viruslab,

  Thanks to your site I disinfected a phone in Luxemburg today (yes that's a country;)
  the person who owned the Mobile said infection occured in France. You
  can add it to your list of countries!
  He tried to disable Bluetooth but failed, he ran out of battery every
  few hours and had to constantly keep recharging his mobile, the local
  mobile phone company said to throw away the mobile and to buy a new
  phone. What a business approach!
  Thank you for the free disinfection tool, without it I
  would have had a lot of trouble to remove it.
  Thierry Zoller / TELINDUS PSF

Thank you Thierry for reporting the case.

In fact, that rounds up our list of countries with known cases of Cabir to 20:

Cabir countries animation

And while talking about Bluetooth worms, we have some interesting research going on. Jarno and Jusu spent yesterday in an underground bunker testing car Bluetooth systems against known Bluetooth worms and other Bluetooth attacks. However we're not allowed to publicly discuss the results yet so stay tuned.

Toyota Prius


Get your reverse engineering gear on! Posted by Mikko @ 08:21 GMT


F-Secure is proud to be supporting the geekiest annual data security conference in the Nordic countries: T2!

T2'05 will be held in Finland in September, with a keynote presentation from the infamous Fravia.

Now, the interesting part is here: T2 is organizing a reverse engineering competition, where the fastest one to solve a disassembly problem will win a free ticket to the conference. The prize is only available for residents living in Finland, but anybody is free to try the challenge.

Gergo and Jarkko from our viruslab created the challenge program, which is available for download from T2



Wednesday, April 27, 2005

Bagle history Posted by Mikko @ 09:14 GMT

Jason Gordon from has written a thorough three-part study on the history of the Bagle worm.

The study is available as PDF files: part 1, part 2 and part 3.

Bagle Business Functions

Yury Mashevsky from Kaspersky lab has also posted a good article on Bagle botnets.


Tuesday, April 26, 2005

Netscape vulnerabilities Posted by Ero @ 21:36 GMT

Secunia alerted today of a Highly Critical vulnerability confirmed in Netscape versions 7.2 and 6.2.3.

Netscape incorrectly handles GIF files, that could lead to a buffer overflow which is remotely exploitable through a specially generated GIF file.


Hackers infiltrate WLAN conference Posted by Jarno @ 13:47 GMT is reporting of rather interesting hacker attack that happened on WLAN IT conference in London on previous week.

Apparently the hackers created malicious WLAN hotspots with forged log-in web page, that tries to install malware on users computer that logs to the hotspot and tries to access web over it.

While technically this kind of attack is rather simple to accomplish, it raises worrying implications on use of free wireless hotspots. As business travellers frequently use whatever connection is available, and carry quite important data in their laptops.

The best way to protect yourself against such attack, is to have up to date operating system and browser, with Anti-Virus and firewall installed. Also it is important to have any critical connections done over VPN, and not to use unsecure connection for any service that requires user name and password.

So if you are using open WLAN connection, do not log in to any service that requires user name and password and does not use SSL. If you really need to use such service, use VPN connection to your company office and route the connection from there. Or use some proxy service that provides SSL such as Anonymizer


Be careful when searching the web Posted by Jusu @ 08:39 GMT

We have been investigating an interesting case about what happens if you happen to mistype One variation (www. googkle .com) leads to a site that will start a huge chain of webpages with exploits in various formats. HTML, CHM, JS, VBS, EXE, JAR you name it. As an end result the poor mistypist will have seriously malware and spyware infected computer. So keep your browsers up to date and practice on your touch typing.

You can read more about the case from our virus descriptions.


Thursday, April 21, 2005

Info on the new Symbian trojans. Posted by Jarno @ 21:47 GMT

symtee (13k image)

We received the sample set of the 52 files that were claimed to be new Symbian trojans.

And we confirm that, yes the files are malicious. After brief examination it seems that the trojans are variants of Skulls trojan, modifications based on Skulls.D.

The trojans in the set are very similar to each other, basically they have been created by inserting malicious SIS file into pirated copies downloaded from the net.

So even as there are large number of infected files, the actual number of new trojans is quite low. We estimate that after analysis the files will fall under 2-3 variant letters.

So what we have here is large collection of minor variants of same trojan, or collection of files that have been manually infected by a trojan. A thing that we have already seen on earlier skulls variants. But not on this scale.

And the good news is that the generic detection in F-Secure Mobile Anti-Virus is already capable of detecting all samples without any need for database updates.

None of the trojans in the set have been seen in the wild, and most likely will not get in the wild either. So the case is interesting from academical point of view, but not a real threat to the users.

We will do some statistics on the trojans, and add descriptions about the new variants early next week.
 vulnerability fixed Posted by Sami @ 14:47 GMT 1.1.4 and below suffer from a vulnerability that may allow execution of arbitary code in the context of the user when user opens an hostile document. The bug lies in the way how parses Microsoft's Word's DOC file structure.

This vulnerability is now fixed, and there is patches available from the project.

Further information is available from issue database.


About the new Symbian trojans discussed in web forums Posted by Jarno @ 12:09 GMT

For past two days there has been interesting discussions in web forums, about 52 new Symbian trojans being discovered. And now the count has changed to 71.

Currently we cannot yet confirm or deny the case, as we or any other major AV company have not received a any samples about the case. We are monitoring the case closely and so far have not found any samples in the wild.

So even as there are claims about huge number of mobile malware, they are not threat to normal users, as they are not in the wild. And even if they would be, the only way to be infected is to download software from illegal sites. Which one cannot do by accident.

And the huge number of new cases is rather clear indication, that someone is manufacturing them for fun, and has most likely created a program to generate the variants (or is really in need of something better to do with his time). So the actual number of variants may be surprisingly low, as AV companies group near identical samples under same variant letter.

We post more information about the case as we find out more about it.


Wednesday, April 20, 2005

Yet another Mitglieder Posted by Ero @ 20:03 GMT

We have seen a new Mitglieder seeded in large numbers. We added detection for the attached file and the dropped ones as W32/Mitglieder.CL


Tuesday, April 19, 2005

Dropper for Sober.n spotted Posted by Ceco @ 22:54 GMT

We have received several samples of a new trojan. When run, it drops and executes Sober.n and then displays an error message:

Microsoft Word for Windows/This WinWord Version is not installed on your System

This new trojan is detected as with database 2005-04-19_02 or newer.


Another Sober Posted by Mikko @ 20:46 GMT

Looks like there's yet another Sober going around, again sending emails along the lines that someone else has been receiving your emails in error.

   it's me, my old address don't work at time. i don't know why!
   in the last days i've got some mails. i' think thaz your mails, but im
   not sure!


New Sober variant is out there Posted by Mikko @ 05:32 GMT

New Sober variant has been seeded last night. Spreading speed is unknown at this time, but many previous Sober variants have been fairly big problems.

Once again, this variant send German messages to .de addresses and English messages anywhere else. The message claims that someone else has been receiving your emails in error and urges you to open up the attachment to see the emails in question. Don't.

Right now we detect this one as Email-Worm.Win32.VB.aj.



Sunday, April 17, 2005

New Exploits released for Mozilla and Firefox Posted by Mikko @ 19:15 GMT

FirefoxProof-of-concept exploits for the popular Mozilla and Firefox web browsers have been posted on public mailing lists. They target the following vulnerabilities:

- Code execution through favicons link
- Arbitrary code execution from Firefox sidebar panel

These exploits allow the attacker to run arbitrary commands on Firefox before version 1.0.3 and Mozilla before version 1.7.7.

We advice all Mozilla and Firefox users to immediately patch their browsers. Otherwise you might get nasty stuff happen on your computer just by surfing to the wrong site.


Saturday, April 16, 2005

More Mitglieders Posted by Katrin @ 19:19 GMT

Two more Mitglieder variants have been spammed today. We are up to Mitglieder.CJ and will publish detection shortly.

One more thing about Egypt Posted by Mikko @ 07:53 GMT

Right after my presentation on mobile viruses in Cairo, one of the local police officers approached me. He wanted to ask about suspicious activity on his Nokia 6600.
Interpol 6th International Conference on Cyber Crime
I had a look and - get this - his personal phone was infected with Cabir.B! So basically he was walking around the secure conference area with a live virus on his phone - and dozens of people from all over the world were constantly walking around him. Luckily Cabir is capable of spreading to only one phone per reboot.

We surfed to straight from his phone and cleaned the virus off with the free F-Cabir tool. This takes only a minute or so.

So the list of known infections by Cabir currently looks like this:

  1 Philippines
  2 Singapore
  3 UAE
  4 China
  5 India
  6 Finland
  7 Vietnam
  8 Turkey
  9 Russia
 10 UK
 11 Italy
 12 USA
 13 Japan
 14 Hong Kong
 15 France
 16 South Africa
 17 The Netherlands
 18 Egypt


Friday, April 15, 2005

Yet another new Mitglieder trojan Posted by Katrin @ 22:51 GMT

Yet another new Mitglieder trojan has been spammed. We are just about to publish update (2005-04-16_01) to detect it.

Greetings from Cairo Posted by Mikko @ 11:43 GMT


Interpol's 6th International Conference on Cyber Crime is currently underway in Cairo, Egypt.

The conference has 150 police officers from over 100 different countries discussing hacking, botnets, phishing, DDoS and other cool stuff...and how to catch the bad boys doing all this.

This morning me and Detective Inspector Paul Gillen from Ireland gave a presentation about modern telecom networks and about fraud and virus risks on cellular phone systems. Which was great.

From an outsiders point of view, Interpol operations seemed to be hindered with massive bureaucracy and constant need for interpreters. But internet is international, so we need the Interpol to police it.

Having an Interpol conference in Egypt also means security is tight...this is the first time I've ever been picked up from the airport by armed police officers and transported to the hotel in a police car!

Signing off,


New Bagle (updated) Posted by Jarkko @ 08:00 GMT

A new Bagle variant has been found. We detect it with latest updates (2005-04-15_01). The sample we got seems to be very similar to previous variants. It is currently under analysis, more information will be posted later.

Update: the sample appears to a variant of Mitglieder, trojan that is closely related to Bagle. It doesn't have replication mechanism of its own, so it was probably spammed out using some other proxy trojans or a new Bagle worm variant. However, we have not got any reports about this Bagle worm yet.


Thursday, April 14, 2005

Greetings from Lissabon Posted by Mikko @ 09:51 GMT

The Bluetooth Special Interest Group's annual All Hands Meeting is currently underway in sunny Portugal.

The topic for the meeting is "Securing the Future", and various security risks relating to Bluetooth have been discussed over the last days. These risks include things like Bluesnarfing, Bluebugging and of course various Bluetooth viruses. In fact many SIG members were surprised to learn there already are more than 20 known Bluetooth viruses.

Bluetooth SIG seems to be taking these risks seriously and is building better security into future specifications of the protocol. Default settings in various Bluetooth-enabled devices are also a key factor on how easy it is to execute such attacks.

Bluetooth SIG security panel

Security panel underway with Robin Heydon from CSR, Mikko Hypponen from F-Secure, Adam Laurie from Thebunker and Nick Hunn from Ezurio.

Signing off,


New symbian malware detected Posted by Jarno @ 08:05 GMT

hobbes_install_question (59k image)

This morning we received a sample of new Symbian malware which is called SymbOS/Hobbes.A.

It is a SIS based trojan that pretends to be Symantec Anti-Virus for Symbian phones. When the trojan is installed it shows dialog instructing user to reboot his phone, to activate the Anti-Virus. Of course the trojan contains no Anti-Virus just a component that disables the Phone application menu.

We have tested the trojan on different phones and it seems to affect only the old versions of Symbian Series 60 phones, such as NGage and 3650.

To our knowledge the trojan is not in the wild, but any user who happens to install it, should not reboot their phones. And uninstall the file with Application manager.

The SymbOS/Hobbes.A trojan is already detected with F-Secure Mobile Anti-Virus using generic detection introduced in database update 15 published in December 13th, 2004





Wednesday, April 13, 2005

Exploit released for an unpatched MS flaw Posted by Mika @ 08:21 GMT

Exploit code for a Microsoft Jet Database Engine vulnerability has been published. This vulnerability can be exploited to run arbitrary code if the user opens a crafted Access database file (".mdb"). It was not addressed by the Microsoft's April security patches released yesterday. For more information check this advisory from Secunia.

Note also that there already is a public proof-of-concept exploit for IE DHTML object memory corruption vulnerability described on MS05-20 from yesterday. You really should apply the patch immediately. Often within a few days of these proof-of-concepts appearing, we will start seeing malware that uses the same techniques.


Tuesday, April 12, 2005

Microsoft April's security updates Posted by Ero @ 22:06 GMT

April has brought us a good set of security updates, among them 5 rated as Critical and 3 as Important.

The following are rated as Critical:

MS05-019 addresses problems in the TCP/IP implementation in different Windows versions which might allow Remote Code Execution.

MS05-020 deals with vulnerabilities in Internet Explorer which allow an attacker to take control of the machine running the affected versions.

MS05-021 also allows Remote Code Execution, this time in Microsoft Exchange Server.

MS05-022, MSN Messenger was also found vulnerable and remotely exploitable, as well as Microsoft Word MS05-023

The following updates are rated as Important:

Two more updates addressing Remote Code Execution are MS05-016 for the Windows Shell, and MS05-017 for Message Queuing.

MS05-018 deals with Elevation Of Privilege issues in the Windows kernel.

For specific details on the vulnerabilities and the affected products and versions, please refer to the information in the links provided.


Rootkit wars? Posted by Mika @ 11:57 GMT

Our F-Secure BlackLight beta release has apparently gained a lot of attention among both users and rootkit authors. There is actually a lively debate going on about how to make rootkits that can hide from BlackLight. The discussion seems to be escalating and web sites have even been attacked. We are, needless to say, following the situation closely. Here's the story in brief.

In early April a spyware group posted an article on where they advertized their products and presented source code for evading detection from BlackLight. This technique involved avoiding processes that were named "blacklight". A maintainer of commented on the post, essentially saying that they thought the technique was rather unsophisticated. We have a previous weblog entry and a workaround on this same case.

On April 5th someone launched a DDoS attack on Few days later a similar attack was started against websites of the Hacker Defender rootkit, apparently after the author of this rootkit had commented the case. These sites are still down.

Paul Roberts has written an article on the incident. The article states that there is a connection between the posting on and the attacks. It further says that "the attacks are believed to be the work of a group of Bulgarian and Turkish hackers known as the SIS-Team".


Italian virus writer sentenced Posted by Mikko @ 04:18 GMT

Author of the Voltan e-mail virus has been sentenced in Italy yesterday. He got 14 months detention and 3000 Euros fine.

The virus writer got off fairly easily as he had a clean record, and he co-operated with the court. According to the court papers, he used the mass-mailer to install dialer programs which called toll numbers rerouting money back to the virus writer. Overall this generated 104.000 Euros for the virus writer before being caught. We assume he had to return this money.

More information from (in Italian, of course).

Thanks to Fabrizio Cassoni for the heads-up on this.


Monday, April 11, 2005

Want to work for us? Posted by Mikko @ 07:30 GMT

There's lots of activity on the mobile front so we're looking for new mobile phone virus researchers.

We need professionals with Symbian and/or PocketPC development experience with reverse engineering skills. Virus writers need not apply.

For details, see our Open Positions (look for "Mobile phone virus researcher").



Friday, April 8, 2005

Any 250 year olds out there? Posted by Mika @ 07:51 GMT

Adult sites have been using disclaimers and enter-buttons to "prevent" people under 18 from entering their site. Underground hacking sites are also adopting this practise. There is something different about these disclaimers, though. They commonly seem to prevent everyone from entering the site. Putting a site on the web and denying access to the content from everyone seems a bit illogical at first. Or what do you think of the following statement found on one site's disclaimer: "You must be at least 250 years old and own a pink car to enter this site."

pinkcar (33k image)

Pink car... checked. By the way, as you can see from the photo (taken by Micke), we barely have any snow left here in Helsinki but the sea is still partly frozen.


Thursday, April 7, 2005

Disinfection instructions for Fontal.A published. Posted by Jarno @ 07:53 GMT

The Fontal.A description now contains disinfection instructions both for disinfection by Anti-Virus and manually using third party file manager.

The disinfection was a lot easier than we originally thought it to be. Due to the fact that the trojan disables only the application manager. But the warning about not rebooting the phone still holds, as after trying to boot the phone it won't start, and neither of the instructions on the description will help after that.

So it seems that, as always, the most important instruction is "Don't panic"


Wednesday, April 6, 2005

New trojan that disables the phone so that it wont reboot Posted by Jarno @ 13:36 GMT

We've just added detection and description for a new Symbian Series 60 trojan that we named Fontal.A.

This is a SIS file trojan that installs a corrupted file which causes phone to fail at reboot. If user tries to reboot the infected phone, it will be permanently stuck on the reboot, and cannot be used before disinfecting.

The Fontal.A is a trojan, and as such it does not spread by itself, not over bluetooth or any other channel. Most likely way to user to get infected would be to get the file from IRC or Peer to Peer fileshare and install it to the phone. So to avoid Fontal and other trojans, download files only from legal sources.






Monday, April 4, 2005

Description of Mabir.A published Posted by Jarno @ 14:08 GMT

Detailed description of Mabir.A is now published.

Basically the Mabir.A is Cabir with added MMS functionality, both are written by the same author and have very similar code. So it seems that Mabir.A is based on Cabir source code.

The Mabir.A spreads using bluetooth using the same routine as early variants of Cabir, when Mabir.A activates it will search for the first bluetooth phone it finds, and start sending copies of itself to that phone. If the phone Mabir finds goes out of range, the Mabir.A still seems to be locked on that.

The MMS spreading function of Mabir.A uses a new social engineering technique. Instead of just reading all phone numbers from the local address book, the Mabir.A listens for any SMS or MMS messages that arrive to the phone. And when a message arrives, the Mabir sends itself as MMS message to the sending phone number. Thus posing as a reply to whatever message was sent to the infected phone.

The F-Secure Mobile Anti-Virus has now exact detection for the Mabir.A, and was able to detect it even before we got the sample using generic detection.





About Multimedia Messages Posted by Mikko @ 11:38 GMT

Now that there are three mobile viruses which try to spread over MMS messages, we've been getting questions on how global MMS functionality really is. Well, it seems to be pretty global and pretty compatible. I'm right now travelling in USA and have been succesfully sending MMS messages from my European phone to local phones and to back home. Last month we succesfully received MMS messages from Australia.

And that's the scary part of MMS viruses. Think about it: how many numbers do you have stored in your mobile phone? Dozens? Hundreds? In how many countries are they? If you would get infected and would send a malicious MMS to all those numbers, how many of the recipients would trust the message coming from you and open it? To how many countries would you spread the virus?

The latest MMS virus Mabir is written by the same virus writer who wrote the Cabir bluetooth worm. In a magazine interview he gave two weeks ago, he was quoted that he hopes to write another cellphone virus, as soon as he finds the time. Seems that he did.

Mabir has not been found in the wild. Lets hope it never makes it there.
Mabir strings


New Symbian worm detected SymbOS/Mabir Posted by Jarno @ 09:13 GMT

We have just received a new Symbian worm that spreads over bluetooth and possibly also over MMS.

The new worm is based on the same source code as original Cabir, but is different worm as it has MMS capabilities. So we named it SymbOS/Mabir.

The worm is still under analysis so no further details are available yet.

But the good news is that the F-Secure Mobile Anti-Virus is already capable of detecting it using generic detection, using databases published on March 18th, 2005.


Friday, April 1, 2005

Happier times Posted by Mikko @ 05:25 GMT

It's 1st of April today - the April Fools day.
In the good old days, we used to have lots of viruses activate on this date, showing various messages or playing pranks with the users.

Unfortunately we live in different times now. We haven't seen viruses like this for some time, as the #1 profile of a virus writer has changed from a hobbyist to a professional.

We don't expect to see any funny new viruses today. We expect to see the usual batch of bots, trojan downloaders, keyloggers, spam proxies and email worms.

Happy April Fools day.