J2ME/Wesber

Type: Trojan
SubType:
Discovery Date: 09/13/2006
Length:
Minimum DAT: 4851 (09/13/2006)
Updated DAT: 4852 (09/14/2006)
Minimum Engine: 5.1.00
Description Added: 09/13/2006
Description Modified: 06/20/2007 12:26 AM (PT)
Risk Assessment:
    Corporate User: Low
    Home User: Low

Characteristics

J2ME/Wesber.A attempts to send SMS messages to Premium Rate SMS numbers.

Symptoms

J2ME/Wesber.A is distributed in a JAR file named "pomoshnik.jar". The word "pomoshnik", translated from Russian, means "Assistant".

Fig 1 – Text displayed during installation.

The malware does not display anything when it is run. J2ME/Wesber.A contains a large table of product numbers. The malware will randomly pick 5 numbers from this table. It uses the numbers as subjects of SMS messages it sends to the premium rate number 1717. The Premium Rate number belongs to a mobile game site based in Russia. Each SMS message costs $2.99.

Fig 2 – The user must authorize the sending of SMS messages.

On the devices tested, the user must explicitly give the malware permission to send the SMS messages.

J2ME/Wesber.A also includes the following two pictures within its JAR file that are not displayed to the user.

Fig 3 – "westberlin.jpg"

Fig 4 - "¦Т¦-¦-¦-¦-TПJPG"
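
A triage check built from the indicators described above, as an added example that is not part of the original write-up or of any vendor tooling: it inspects a JAR for the embedded picture name, use of the J2ME Wireless Messaging API, and an SMS URL for 1717. The "sms://" literal, the finding labels, the size limit and the sample-building helper are assumptions made for illustration.

```python
import io
import zipfile

# Indicators taken from the write-up above.
JAR_NAME = "pomoshnik.jar"
EMBEDDED_IMAGE = "westberlin.jpg"
PREMIUM_NUMBER = b"1717"
# Assumption: a MIDlet that sends SMS references the standard J2ME Wireless
# Messaging API and keeps an "sms://" connection URL in its constant pool.
WMA_PACKAGE = b"javax/wireless/messaging"
SMS_SCHEME = b"sms://"
MAX_CLASS_BYTES = 1024 * 1024  # assumed cap so a crafted archive cannot exhaust memory


def triage_jar(data, filename=""):
    """Return a sorted list of findings for a JAR supplied as bytes."""
    findings = set()
    if filename.lower().endswith(JAR_NAME):
        findings.add("jar-name")
    try:
        jar = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-a-jar"]
    with jar:
        for info in jar.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base == EMBEDDED_IMAGE:
                findings.add("embedded-image")
            if not base.endswith(".class") or info.file_size > MAX_CLASS_BYTES:
                continue
            body = jar.read(info)
            if WMA_PACKAGE in body:
                findings.add("uses-wma")
            # Flag the number only inside an SMS URL, not as a bare "1717".
            if SMS_SCHEME + PREMIUM_NUMBER in body:
                findings.add("sms-to-1717")
    return sorted(findings)


def build_sample(members):
    """Build a constructed in-memory JAR from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in members.items():
            jar.writestr(name, body)
    return buf.getvalue()
```

A sample that assembles the destination at run time or obfuscates its strings will not produce the "sms-to-1717" finding, so "uses-wma" on its own is a reason for closer review rather than a verdict.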

Method of Infection

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Overview

J2ME/Wesber.A is a trojan horse program that pretends to be an assistant program. Instead, it sends 5 SMS messages to a Premium Rate SMS number.
