Virus Profile: J2ME/RedBrowser.a

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 2/27/2006
Date Added: 2/27/2006
Origin: Russia
Length: 54,482 Bytes
Type: Trojan
Subtype: PDA Device
DAT Required: 4707

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

J2ME/RedBrowser.a arrives in a JAR file named "redbrowser.jar".

Upon startup the following text (translated from Russian) is displayed:

"Carefully read the following description of the RedBrowser program. This program allows viewing WAP pages without a GPRS connection.

RedBrowser connects to the SMS server of your operator (MTS, BEELINE, MEGAFON).

The page is loaded by receiving encoded SMS. The first 5Mb (650 SMS) of traffic are provided free of charge in test mode. ATTENTION!!! The RedBrowser program works ONLY on the above-mentioned cellular operators."

J2ME/RedBrowser.a is currently known to run on the following phones:

      • Nokia 6681
      • Sony-Ericsson W800i
      • Blackberry 8700c

Figure 1 - Logo displayed by J2ME/RedBrowser.a on startup.

The user is continually prompted to allow the sending of SMS messages; each prompt the user accepts results in another message being sent.

Figure 2 - The user is continually prompted to allow the SMS messages to be sent.

Figure 3 - J2ME/RedBrowser.a claims to download WAP pages via SMS.

SMS sending does not appear to function completely in the United States. We currently assume this is because the destination numbers are local to Russia.

J2ME/RedBrowser.a appears to have been written using the MIDletPascal programming tool.

The malware will not install on the P900 because it uses an API that the P900 restricts.
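As an added example (not code from the original profile or from McAfee), the following Python script shows how an analyst can triage a suspicious MIDlet JAR offline for the capability described above: it reads the JAR manifest for MIDP 2.0 SMS permissions (javax.wireless.messaging.sms.send, javax.microedition.io.Connector.sms) and scans class files for Wireless Messaging API (JSR 120) class references and sms:// connection URLs, which is the standard way a J2ME MIDlet sends SMS. The sample JAR it builds is constructed for the demonstration; it is not the real redbrowser.jar, and the sms://1234 destination is a made-up placeholder, not a number used by the trojan.

```python
"""Offline triage of a J2ME MIDlet JAR for premium-rate SMS capability."""
import io
import re
import zipfile

# Constant-pool strings that show a class uses the Wireless Messaging API
# (JSR 120/205), the only standard way a MIDlet sends SMS.
WMA_MARKERS = (
    b"javax/wireless/messaging/MessageConnection",
    b"javax/wireless/messaging/TextMessage",
    b"javax/wireless/messaging/BinaryMessage",
)
# sms:// connection URLs (optional +country code and :port) as passed to Connector.open().
SMS_URL_RE = re.compile(rb"sms://\+?[0-9]{3,20}(?::[0-9]+)?")


def parse_manifest(text):
    """Parse MANIFEST.MF / JAD text into a dict, joining continuation lines
    (a line starting with a single space continues the previous attribute)."""
    attrs = {}
    last = None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def triage_midlet_jar(jar_bytes):
    """Return a report of SMS-related indicators found in a MIDlet JAR."""
    report = {"midlet_name": None, "permissions": [], "wma_classes": [], "sms_urls": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.upper() == "META-INF/MANIFEST.MF":
                m = parse_manifest(data.decode("utf-8", "replace"))
                report["midlet_name"] = m.get("MIDlet-Name")
                perms = m.get("MIDlet-Permissions", "") + "," + m.get("MIDlet-Permissions-Opt", "")
                report["permissions"] = [p.strip() for p in perms.split(",") if p.strip()]
            elif name.endswith(".class"):
                # Byte search is enough here: class names and string literals are
                # stored as plain modified-UTF8 in the constant pool.
                if any(marker in data for marker in WMA_MARKERS):
                    report["wma_classes"].append(name)
                report["sms_urls"].extend(u.decode() for u in SMS_URL_RE.findall(data))
    report["sms_urls"] = sorted(set(report["sms_urls"]))
    report["suspicious"] = bool(
        report["wma_classes"]
        or report["sms_urls"]
        or any(p.endswith("sms.send") or p.endswith("Connector.sms") for p in report["permissions"])
    )
    return report


def build_sample_jar():
    """Constructed sample JAR for the demo; NOT the real redbrowser.jar.
    The class entry is a fake shell carrying only the constant-pool strings
    a real SMS-sending MIDlet class would contain. sms://1234 is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\n"
            "MIDlet-Name: RedBrowser\r\n"
            "MIDlet-Permissions: javax.microedition.io.Connector.sms,\r\n"
            " javax.wireless.messaging.sms.send\r\n"
            "MicroEdition-Profile: MIDP-2.0\r\n",
        )
        zf.writestr(
            "RedBrowser.class",
            b"\xca\xfe\xba\xbe"
            + b"javax/wireless/messaging/MessageConnection"
            + b"\x00sms://1234\x00javax/microedition/io/Connector",
        )
    return buf.getvalue()


if __name__ == "__main__":
    import json
    # Usage: triage_midlet_jar(open("suspect.jar", "rb").read())
    print(json.dumps(triage_midlet_jar(build_sample_jar()), indent=2))
```

A hit on the WMA classes or an sms:// literal is not proof of fraud on its own (legitimate messaging MIDlets use the same API), but combined with a hard-coded short destination number and the user-facing story in the text above it is exactly the pattern this trojan exhibits, and it is cheap to check before any dynamic analysis on a handset.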

Methods of Infection

This malware requires that the user intentionally install it on the device. As always, users should never install unknown or untrusted software. This is especially true for illegal software, such as cracked applications, which are a favorite vector for malware infection.

Aliases

Trojan-SMS.J2ME.RedBrowser.a (Kaspersky)
   

Virus Characteristics

-- Update Feb. 27, 2006 --
The risk assessment of this threat has been updated to Low-Profiled as it represents a new Proof of Concept (POC) for premium-rate SMS fraud on a variety of mobile platforms. 
--

J2ME/RedBrowser.a is a trojan horse program that claims to retrieve WAP pages via SMS messages. In reality it retrieves no WAP pages at all; each message it sends goes to a premium-rate number, so the user is billed for traffic they never receive.

Removal Instructions

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
