English

Log in

Search

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Read us on

Home→Descriptions→Trojan-SMS.J2ME.RedBrowser.an

Trojan-SMS.J2ME.RedBrowser.an

Detected	Feb 14 2011 13:06 GMT
Released	Feb 14 2011 17:40 GMT
Published	May 18 2011 12:46 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan infects mobile phones that run Java (J2ME). The MIDlet sends SMS messages unauthorized by the user to premium rate numbers. It is a Java archive containing a set of Java classes. It is 8690 bytes in size.

Payload

The malware's functionality is implemented in the form of four Java classes contained in the files:

FW.class

(2664 bytes; it is the main MIDlet class)

M.class

(9178 bytes; detected by Kaspersky Anti-Virus as "Trojan-SMS.J2ME.RedBrowser.an"; contains the main MIDlet functionality; messages are sent using the "send" function implemented in the "SM" class)

RS.class

(1698 bytes; contains a set of functions that work with the Record Management System)

SM.class

(1945 bytes; contains functions that send SMS messages) The MIDlet is installed in the phone under the name:

mms

After launching, the Trojan displays the question:

If the user clicks "Exit", the Trojan will stop running. Otherwise, two SMS messages will be sent with the texts:

p:60 n:9235732018
p:60 n:9235732031

to the number:

84***473

Then the process imitates a download of an MMS message:

Then, to the number

84***473

a message is sent with the text

p:60 n:9235732016

Ïîñëå ýòîãî îòîáðàæàåòñÿ âîïðîñ:

If the user clicks "Again", an SMS message will be sent with the text

to the number:

8***64

and the aforementioned actions will be repeated again. A message is not sent in the event of a repeat launch of the Trojan within 24 hours. In this case, the following message is shown:

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

Delete the original Trojan file.
If this program was installed on a regular phone, the users can use standard tools to remove it.
If the program was installed on a Smartphone, then, besides standard removal tools, the users can use Kaspersky Mobile Security with updated antivirus databases (download a trial version) to remove the malicious file.

MD5: 1E86A0F0CBC5CD432F44A43E344F661F

SHA1: F6098768CAB0C84D4D0C68508401E5F344A181F1

Print

Share

Malicious programs

Trojans

Trojan-SMS

Programs of this type are used to send text messages from infected mobile devices to premium rate numbers that are hard code into the Trojan’s body.

Aliases

Trojan-SMS.J2ME.RedBrowser.an (Kaspersky Lab) is also known as:

Trojan.RedBrowser.5 (DrWeb)
Trojan-SMS (Ikarus)
Trojan.Redbrowser.A (NAV)
NseCheckFile2() returned 0x00010018 (Norman)
Riskware:Java/SmsSend.Gen!A [FSE] (FSecure)

© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.

kaspersky.com

securelist.com