This is a VBScript worm which uses MAPI to propagate to new host systems. The most suspicious function of this worm is that the email message will arrive from someone you know, formatted in fluent Spanish. Subscribers of Movistar.net Telephone E-mail may also receive a notification message by infected users. One additional note is this worm carries a destructive payload.

This worm will arrive via email as an attachment. If the attached file is run, it will write a copy of itself to the local system and then send itself via email to all users in the address book.

The email message will have the following format:

Subject = "TIMOFONICA"
Body = "Es de todos ya conocido el monopolio de Telefónica pero no tan conocido los métodos que utilizó para llegar hasta este punto."
"En el documento adjunto existen opiniones, pruebas y direcciones web con más información que demuestran irregularidades en compras de materiales, facturas sin proveedores, stock irreal, etc."
"También habla de las extorsiones y favoritismos a empresarios tanto nacionales como internacionales.
Explica también el por qué del fracaso en Holanda y qué hizo para adquirir el portal Lycos."
"En las direcciones web del documento existen temas relacionados para que echéis un vistazo a los comentarios, informes, documentos, etc."
"Como comprenderéis, esto es muy importante, y os ruego que reenviéis este correo a vuestros amigos y conocidos."
Attachment ="C:\TIMOFONICA.TXT.vbs"

The attachment of course contains an Internet worm.

Receipt or sending an email message as described below, registry modifications as mentioned below, file creations as mentioned below. If this worm is run on a system and that system is rebooted more than once, the dropped trojan file may remove bootable partitions from the system and corrupt the CMOS data. On an applicable system, the user may notice this detail at bootup:

CMOS Checksum Invalid
CMOS Time & Date Not Set
Press for Setup, to Boot

On a test system, the system date was reset to January 1, 1990 and the time was reset to midnight.

This worm checks the registry to verify if it has already infected the host.

First, this registry key is checked for a value of 1 - if not 1, then it performs several actions against the computer:

HKCU\Software\Microsoft\Windows\CurrentVersion\Timofonica

If the value is not 1, these actions are performed:

* Write a value of 1 to that key

* Write values to the following keys:

HKCU\Software\Microsoft\Office\9.0\Outlook\Preferences\SaveSent = 0

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Cmos=Cmos.com

* Writes itself as "C:\TIMOFONICA.TXT.vbs"

* Writes a text file for display as "C:\TIMOFONICA.TXT"

* Writes a .COM file in the Windows\system folder as "Cmos.com" which contains a CMOS corruption trojan and also will remove the partitions of the hard drive(s) on Windows restart - the machine is not usable if CMOS.COM is run and the system is rebooted

* Displays the political message contained within TIMOFONICA.TXT using NOTEPAD.EXE, the message is written in Spanish

* Modifies the registry to run the file CMOS.COM when running files of .VBS file type

* Creates an email message of the following format and sends to everyone in the Outlook address book:

Subject = "TIMOFONICA"
Body = "Es de todos ya conocido el monopolio de Telefónica pero no tan conocido los métodos que utilizó para llegar hasta este punto."
"En el documento adjunto existen opiniones, pruebas y direcciones web con más información que demuestran irregularidades en compras de materiales, facturas sin proveedores, stock irreal, etc."
"También habla de las extorsiones y favoritismos a empresarios tanto nacionales como internacionales.
Explica también el por qué del fracaso en Holanda y qué hizo para adquirir el portal Lycos."
"En las direcciones web del documento existen temas relacionados para que echéis un vistazo a los comentarios, informes, documentos, etc."
"Como comprenderéis, esto es muy importante, y os ruego que reenviéis este correo a vuestros amigos y conocidos."
Attachment ="C:\TIMOFONICA.TXT.vbs"

* Finally, sends a notification message to a telephone equipped with e-mail to a randomly generated email address - the email message is in this format:

Subject = "TIMOFONICA"
Body = " informa que: Telefónica te está engañando."

The recipient of this message may be a valid address but is in this format:

[random 3 digit #][random 6 digit #]"@correo.movistar.net"

The first random selection is a choice between these available #s:

"609","619","629","630","639","646","649","696"

The next random selection is a concatenation of six different pics of numbers between 1 and 10. For instance, a final email recipient may be chosen as "619987321@correo.movistar.net".

According to information available from Movistar.net services, "With MoviStar Mail, you will be able to send e-mails from your moving body. No longer do you need to contract an account of mail with a Supplier of Internet Services, you only need a MoviStar telephone to be able to send e-mails".