On the 8th of October we published information about the new version of the Selfmite SMS worm we detected – Selfmite.b. We think that it is necessary to update our readers with a few additional facts and figures, to give some additional information and to correct some misconceptions.
1. At the moment we have now detected over 200 active infected devices all over the globe.
2. We’ve been monitoring the worm continuously and we haven’t tracked any changes in the setting.php file which contains all necessary data used by the Selfmite.b worm – including what URLs to include in the message to send to all contacts. In other words, these URLs pointing to a malicious file are the same as when this blog entry had been published. As we requested these URLs to be disabled, the worm cannot currently propagate any further unless the URLs change.
3. There’s no doubt that the first version of the Selfmite worm (Selfmite.a) had a limit for sending SMS. The SMS sending routine code is capable of sending malicious SMS messages to the first 20 contacts found in the address book of an infected device:
Selfmite.a SMS sending routine
4. There’s no doubt that the configuration file of the second version of Selfmite contains the following string as it was pointed out by other security companies:
But at the same time this parameter which might have been used for setting a limit to a number of SMS messages being sent from a single infected device is actually not used by the Selfmite.b worm. Here’s the SMS sending routine of the Selfmite worm which uses another 2 parameters from the setting.php file (SMS_TEMPLATE and SMS_OFFER):
Selfmite.b SMS sending routine
There is no equivalent usage of SMS_LIMIT in the code. So it’s not correct to say that this worm is less virulent than Selfmite.a, as this is based on a parameter that is not actually used. The current version (Selfmite.b) will send to all contacts if possible, regardless of what SMS_LIMIT is set to.
5. The second proof of the fact that a Selfmite.b infected device will generate a lot of SMS traffic is the number of SMS messages being sent. As we are active and blocking in several networks affected we can tell the infected devices we’ve seen have sent tens of thousands of SMS:
SMS traffic generated by Selfmite.b
Based on the code and what has happened in real-life we can confidently state that this version of Selfmite is more virulent and widespread.