
Moblie Virus Descriptions


Page 1: Moblie Virus Descriptions

8/9/2019 Moblie Virus Descriptions

http://slidepdf.com/reader/full/moblie-virus-descriptions 1/49

List of application names the viruses disguise themselves as:

VIRUS - FILENAME:

Cabir.A - caribe.sis
Cabir.B - caribe.sis/Norton Antivirus 2004 Professional.sis
Cabir.C - ni&ai-.sis/mytiti.sis/Norton Antivirus 2004 Professional.sis
Cabir.D - mytiti.sis/Norton Antivirus 2004 Professional.sis
Cabir.E - [YUAN].sis
Cabir.F - Skulls.sis
Cabir.G - Tee222.sis
Cabir.H - velasco.sis
Cabir.I -
Cabir.J -
Cabir.K -
Cabir.L - skulls.sis
Cabir.M - free$8.sis
Cabir.N - -SEXY-.sis
Cabir.O - mobile.sis
Cabir.P - 22207-.sis
Cabir.Q - Crazy!.sis
Cabir.S - guan4u.sis
Cabir.T - iLoveU.sis
Cabir.U - SEXXXY.sis
Cabir.V - GAVNOR.SIS
Cabir.Y - symTEE.SIS
CabirDropper.A -
Skulls.A - extended theme.sis/extended theme managre.sis
Skulls.B - camtimer.sis/icons.sis
Skulls.C - T2 RS3AS.sis/skull.sis
Skulls.D - Flash_1[1].1_Full_DotSiS.sis/Macromedia_Flash_1.1_Full_DotSiS.sis
Skulls.E - Mariya.sis/ThNdRbRd !.sis
Skulls.F - Impro.sis/Simworks.sis/WMAcodec.sis
Skulls.G - CALVIN SAMPLE VIRUS.SIS
Skulls.H - NokiaGuard.sis/ScreenSaver.sis
Skulls.I -
Skulls.J -
Skulls.K -
Skulls.L - F-secure_Antivirus_OS7.sis
Skulls.M - X-Ray Full byDotSis.SIS
MGDropper.A - SEXXXY.sis/metal_gear.sis
MGDropper.B - MetalGear_by_scar69.sis


MetalGear.A -
Lasco.A - velasco.sis/EGBoy a925.sis
Locknut.A - patch.sis
Locknut.B - MMFpatch.sis
Locknut.C -
Locknut.D -
Locknut.E -
Locknut.F -
Mosquit.A/QDail26.A - Mosquitos Cracked by Soddom.sis/Mosquitos Cracked by Soddom V2.0.sis
Dampig.A - Fscaller3.2Crack7610.sis/vir.sis
Commwarrior.A - 9i1sv8ek.sis/pm85q_bx.sis/pm85q_bx.sis/22qrly9gl.sis/t5or921.sis or com.sis
Commwarrior.B - COMMWARRIOR.ZIP
Drever.A - Antivirus.sis
Drever.B - Simworks_update.zip
Drever.C - New_bases_and_crack_for_antiviruses.sis
Drever.D -
Hobbes.A - Symantec.SIS
Mabir.A - info.sis/cabir.sis
Fontal.A - Kill Saddam By OID500.sis
Fontal.B - Nokia Anti-Virus.sis
Appdisabler.A -
Appdisabler.B -

Filenames used by the 52 new trojans:

3D_miniGolf[1].1.01Crack.sis
6630-SnapShot2[1].03.sis
6630-VideoEditor210.sis
Auto Pilot3[1].01full.sis
Big-2 by__dotSiS.sis
BitStorm_full1[1].0-XiMpda.sis
Blocks_FullCrack.sis
bluster III Full.sis
BounceMP3_[1]NEW.sis


BugMe1[1].23_Full_Dotsis.sis
callcheater3[1].01-XiMpda.sis
Chinese Star1[1].01Crack.sis
ControlFreak2[1].0_Full.sis
CosmicFighter3[1].0.sis
CosmicFighter_Crack.sis
Digital Red Bowling.sis
DVD-to-NOKIA-6670.sis
DVDPlayer2[1].01_FullCrack.sis
FaceWave5[1].0_dotSiS.sis
FlashLite[1].v1.1fullcrack.sis
FreeCall_1[1].01-XiMpda.sis
Fscaller5[1].01_Full_dotSiS.sis
Funny Drawer2[1].00_Full.sis
gina-v1[1].1fullcrack.sis
HeliAttac101_Full_dotSiS.sis
ImagePlus2[1].15_Full.sis
Mahjong2[1].34.sis
Mahjong301_Full_QmzXiz.sis
matefinder_1[1].01-XiMpda.sis
MessageStorer_CRACK.sis
MotoRacer_Full.sis
Mumsms4[1].01_XimPDA.sis
pocketdictionary_V1.sis
PowerGprs_3[1].01-dotSis.sis
Quicksheet_cracked_S60.sis
RubiksCube1[1].19Crack.sis
Smart Movie263 S60[6630].sis
SmartLauncher2[1].06s70.sis
SmartLauncher2[2].06s70.sis
Snowboard_FullCrack.sis
Sony_Camcoder Pro_S60.sis
SplashID_4[1].13_S60.sis
Super Anti Virus 1[1].0 .sis
SuperMario3_FullCrack.sis
SuperMovie1[1].0_dotSiS.sis
SuperMP31[1].0_dotSiS.sis
supperNes_1[1].0_Beta_dotSiS.sis
vBoy[1].v2.0.S60.oWnPDA.sis
VNes[1].v2.0-XiMpda.sis
XCaller_FullCrack.sis
Yellow_YFtpC_2[1].33_SymTEE.sis
ZipMan_full2[1].0-XiMpda.sis


PHONE BOOK STEALER 

Description:

This mobile virus is notable in that it steals the user's phonebook data, compiles it into a text file and sends it out over Bluetooth without any user confirmation.

So far, this is the first Symbian virus I've seen that steals user data without user confirmation and sends it to other Bluetooth-enabled devices.

Affected Platforms:

Tested on:

· Nokia 6680
· Nokia 3660

Affected:

· Nokia 6680

Analysis/Observation:

This trojan was distributed in an application file and is spreading as pbexplorer.SIS.

Symptoms:

When the user tries to install this suspicious *.SIS file, the image shown below is a screenshot taken during the installation process:

After installation completes, the application is set to run automatically and displays the following text:

Page 5: Moblie Virus Descriptions

8/9/2019 Moblie Virus Descriptions

http://slidepdf.com/reader/full/moblie-virus-descriptions 5/49

     ________________
    | Phone Book     |
    | Compacting     |
    | by: lajel 202u |
    |                |
    | please wait... |
    |________________|

     ________________________
    | Compacting             |
    | your contact(s),step 2 |
    |                        |
    | Please wait again      |
    | until done...          |
    |________________________|

After the malicious process is done, it pops up a message:

"Done!!!"

If the user presses [OK], the malicious program ends itself; after some time it starts searching for Bluetooth devices and sends all the phonebook information as a text file via Bluetooth.

Prevention:

This malware requires that the user intentionally install it on the device. As always, users should never install third-party applications from unknown sites.

How to uninstall:

By using the latest version of the CalvinStinger© Symbian Viruses Disinfection Tool.


SYMBIAN TROJAN--Mabtal.A

Profimail v2.75_FULL.SIS / SymbOS Mabtal.A is a SIS file malware that pretends to be a cracked version of Profimail, a very popular third-party e-mail application on the Symbian platform. In fact, it is a malware that drops Mabir.A, Caribe and Fontal variants into the phone system; besides that, it also drops some corrupted binary files which cause the phone to auto-restart and show a fatal error message. The phone then fails to boot up permanently.

Suspicious file tested using the following handsets:

· NOKIA 3660 (Symbian OS 6.1)
· NOKIA 6680 (Symbian OS 8.0)

Positive analysis results:

When tested on the above handsets, both platforms were affected. When the user tries to install the suspicious file on the phone, it looks like the image below:

While installing the suspicious file, it shows a message as shown below:

This suspicious file automatically installs all its files into the phone memory. The Cabir virus starts spreading via Bluetooth and keeps listening for incoming messages on the phone; when any SMS/MMS message arrives, the Mabir.A virus immediately sends itself out via MMS in order to spread.


When the user tries to access the Profimail and ProfiExplorer third-party applications, an error message may be displayed as shown below:

After the restart, the device can no longer boot up because of the corrupted fonts.

Using the hash-number-matching method, the following files were identified as malware files while the analysis work was in progress:

11x12 euro_fonts.gdr detected as SymbOS.Fontal.A
CARIBE0.APP detected as SymbOS.Mabir.A
CARIBE0.RSC detected as SymbOS.Cabir
flo0.mdl detected as SymbOS.Mabir.A
flo.mdl detected as SymbOS.Mabir.A
caribe.app detected as SymbOS.Mabir.A
caribe.rsc detected as SymbOS.Cabir
Appinst.app detected as SymbOS.Cabir.U2
Appinst.aif detected as SymbOS.Cabir.U2

This malware does not come with a valid digital certificate, but it can replicate itself via Bluetooth or MMS (Mabir.A) and it causes severe damage to Symbian OS 6.1 handsets!


SplinterCell-ChaosTheory_S60_cracked-XiMPDA.SIS OR SymbOS/Skudoo.A

This is a Series 60 trojan that installs the Skulls trojan, MGDropper, Commwarrior, Doomboot.A and Cabir onto the targeted device. When this trojan is executed, most of the applications on the phone are replaced by non-functional or corrupted files, so the applications can no longer run as usual. It failed to attack the NOKIA 6680 once the phone had been restarted. Anyway, McAfee AVERT mentioned that this trojan will cause the phone to fail to reboot on the next restart by the user.

It is also the first mobile trojan in the world capable of propagating both the MGDropper virus and the Commwarrior virus.

It also contained the image shown below when I extracted the *.SIS file:


Some of the blank icons that the trojan drops are actually coded to auto-restart the phone; once the phone has been restarted, the phone's menu function no longer works, and thus the whole phone is totally locked.

When the user tries to install the trojan on the phone, the symptoms are as shown below:

While installing the suspicious file on the phone, it pops up a message as shown below:


Skulls.CB [McAfee]

This virus claims to be a third-party application but in fact is a trojan which drops several non-functional system files and corrupted fonts into the phone system, causing puzzle-like and blank icons to be shown on the phone.

Users should be alert to this suspicious file when the following symptoms appear, as shown in the images below:

When the user tries to install it on the phone:

Such a message pops up during the installation process:

The phone will look like this:


Never click on the blank icon, as it automatically restarts the phone, which causes the phone to fail to reboot next time because of the malware's damage.

This malware is spreading as Fontal.C.sis.


Blankfont.A

Blankfont.A is a SIS file trojan that installs a corrupted font file onto the infected device. The corrupted font does not cause the device to crash, but if the device is rebooted it loses the system font and is unable to display user interface text.

If a phone is infected with Blankfont.A, it must not be rebooted, as the trojan corrupts the system font and makes disinfection quite difficult. If the phone is rebooted it can still be disinfected, but doing so is rather difficult as there is no text on the screen.

Spreading as Rally_2.sis


Symbian - Skudoo.C/Skudoo.D

Description:

Symbian/Skudoo.C-D are Skulls variants with parts of Doomboot. Variant C also drops Commwarrior.B. Variant D drops MGDropper. They appear to be repackaged collections of recent malware.

Affected Platforms:

Tested on:

· Nokia 6600

Affected:

· Nokia 6600

Payload

The Skulls and MGDropper files will disable native system applications and some third-party applications. The dropping of Doomboot will cause the device to be unable to reboot; therefore, once the device has been restarted, the impact of the Skulls and MGDropper files is no longer an issue. The CommWarrior that is dropped by Skudoo.C will spread.

Figure 1 Desktop screen of Skudoo.C


Analysis/Observation

Both variants have filenames implying that they are pirated versions of video games. Variant C claims to be a cracked version of Need for Speed. Variant D claims to be “Carmageddon_3D_s60_BETA.sis”.

Prevention

Both variants require that the user intentionally install them upon the device. As always, users should never install unknown or untrusted software. This is especially true for illegal software, such as cracked applications: they are a favorite vector for malware infection.

How to uninstall

If the device has been rebooted, then a hard reset must be performed for recovery.

For Skudoo.D, as all malicious files are installed on the external phone card, removing the card will restore full use of the phone.


Symbian - Skudoo.E-F

Description:

Symbian/Skudoo.E-F are Skulls variants with parts of Doomboot and BlankFont. Variant E also drops Commwarrior.B. They appear to be repackaged collections of recent malware.

Affected Platforms:

Tested on:

· Nokia 6600
· Nokia 7610

Affected:

· Nokia 6600
· Nokia 7610

Payload:

The Skulls files will disable native system applications and some third-party applications. The dropping of Doomboot and BlankFont will cause the device to be unable to reboot; therefore, once the device has been restarted, the impact of the Skulls files is no longer an issue. The CommWarrior that is dropped by Symbian/Skudoo.E will spread.

Figure 1 Virus.jpg dropped by Skudoo.F

Analysis/Observation:

Symbian/Skudoo.E is distributed in a SIS file named “pop corn.sis”. Variant F is distributed in a SIS file named “Rally 3.sis”.


Prevention:

Symbian/Skudoo.E requires that the user intentionally install it upon the device. As always, users should never install unknown or untrusted software. This is especially true for illegal software, such as cracked applications: they are a favorite vector for malware infection.

How to uninstall:

If the device has been rebooted then a hard-reset must be performed for recovery.


SymbOS\Commwarrior.C

Description:

SymbOS\Commwarrior.C contains the Commwarrior.B worm and seems to be packed together with a cracked application, naming itself Speed Overclock v3-1.41.SIS. Besides that, it also contains the Fontal.A trojan.

Affected Platforms:

Tested on:

· Nokia 6680

Affected:

· Nokia 6680

Payload:

Theoretically, the dropping of the Fontal.A trojan should cause the device to be unable to reboot; anyway, there is some 'technical error' in this file, so the phone reboots successfully even after it has been restarted. The Commwarrior also failed to execute during the analysis process. No harm was observed in the analysis process.

This trojan drops the following files:

C:\CommWarrior.A.sis
C:\Speed Overclock v3.41.sis
C:\Your Welcome.gif
C:\Fonts\Yeah Im in da house!!.gdr

Analysis/Observation:

This trojan was distributed in a Series 60 third-party application file and is spreading as Speed Overclock v3-1.41.SIS.

Image dropped by this trojan after installation:


Symptoms:

When the user tries to install this suspicious theme file, the images shown below are screenshots taken during the installation process:

Prevention:

Commwarrior.C requires that the user intentionally install it on the device. As always, users should never install third-party applications from unknown sites. Anyway, this trojan is spreading on some of the sites that host Series 60 THEME files.

How to uninstall:

Go to the application manager and uninstall Speed Overclock v3-1.41.SIS


· SymbOS/CardBlock.A (F-SECURE)

Description:

SymbOS/CardBlock.A contains none of the previously found trojans, but this trojan is capable of deleting the phone's system data files, and it blocks the memory card from being accessed.

Affected Platforms:

Tested on:

· Nokia 6680
· Nokia 3660

Affected:

· Nokia 6680 ONLY

Analysis/Observation:

This trojan was distributed in an application file and is spreading as instantsis.v2.1.cracked.by.binzpda.SIS.

Symptoms:

When the user tries to install this suspicious file, the image shown below is a screenshot taken during the installation process:

SymbOS/CardBlock.A claims to be a Series 60 third-party application. Upon installation, an agreement is shown asking whether the user agrees with the listed terms before proceeding to the next step to finalize the installation process.

After installation completes, the application icon is shown on the phone as shown below:

Method of Infection

This trojan executes itself only when the user tries to access it.

When the user tries to access the suspicious application, it looks like the image below:

When the user opens the options panel and proceeds to "Send > Via Bluetooth", the trojan starts to execute itself; the phone starts to hang and lag, and the memory card is locked by it with a random password code.

It generates a different password to lock up the media card each time. Further info will be confirmed by the anti-virus firms. I personally sacrificed my 64MB DV-RS-MMC to test this trojan, and it proved to me that it is capable of locking the memory card. Luckily mine is a ZITRON set, so no worries for me.

When one of the component files was disassembled, the following strings were observed, which delete the phone's system data:

C:\system\install
C:\system\data
C:\system\libs
C:\system\mail
C:\system\bootdata

After those files are damaged, the phone is prevented from starting up after it is rebooted, and it shows the following error message:

'Phone startup failed, contact the retailer.'

Prevention:

SymbOS/CardBlock.A requires that the user intentionally install it on the device. As always, users should never install third-party applications from unknown sites. According to a security expert I met, this trojan is really spreading widely on WAREZ sites, so please be alert to it!

How to uninstall:

If the phone has been rebooted, the hard-reset method must be applied to the phone. A password-protected memory card can be formatted on the NOKIA 9210 only; otherwise the user may be advised to take it back to the retailer to be sent back to the factory.
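The two manual checks used in these write-ups, the hash-number matching that attributed the Mabtal.A components to Fontal.A, Mabir.A and Cabir, and the C:\system\... strings spotted in CardBlock.A's disassembled component, as one small triage script. This is an added example, not a tool from the document or from CalvinStinger; the component contents and the known-bad hash table are constructed for the example, since the document lists no hashes.

```python
"""Triage of components extracted from a suspicious Symbian .SIS package.

Two checks the write-ups above apply by hand:
  1. hash-number matching of each extracted file against a known-bad table
     (how the Mabtal.A components were attributed to Fontal.A, Mabir.A, Cabir);
  2. scanning a component binary for C:\\system\\... directory strings
     (the observation that exposed CardBlock.A's system-data deletion).
File contents and hashes here are constructed for the example; the document
gives no real hashes.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-in for an extracted package (name -> bytes). Only the
# names follow the document; the contents are invented.
SAMPLE_COMPONENTS: Dict[str, bytes] = {
    "CARIBE0.APP": b"\x7fSYMBIAN-APP\x00caribe\x00",
    "caribe.rsc": b"RSC\x00caribe resource",
    "11x12 euro_fonts.gdr": b"GDR\x00\xff\xff\xff\xff",
    "Yeah Im in da house!!.gdr": b"GDR\x00junk",
    "sample_component.app": (b"APP\x00C:\\system\\install\x00C:\\system\\data\x00"
                             b"C:\\system\\bootdata\x00"),
    "readme.txt": b"Thanks for installing our theme!",
}

# Constructed known-bad table: SHA-256 of the bytes above -> detection name.
KNOWN_BAD: Dict[str, str] = {
    hashlib.sha256(SAMPLE_COMPONENTS["CARIBE0.APP"]).hexdigest(): "SymbOS.Mabir.A",
    hashlib.sha256(SAMPLE_COMPONENTS["caribe.rsc"]).hexdigest(): "SymbOS.Cabir",
    hashlib.sha256(SAMPLE_COMPONENTS["11x12 euro_fonts.gdr"]).hexdigest(): "SymbOS.Fontal.A",
}

# System directories whose loss leaves the phone unable to start (CardBlock.A).
# "!:" is the SIS placeholder for "whichever drive the user picks".
SYSTEM_PATH_RE = re.compile(
    rb"[A-Z!]:\\system\\(?:install|data|libs|mail|bootdata)", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    verdict: str                      # "known-bad", "suspicious" or "clean"
    reasons: List[str] = field(default_factory=list)


def triage_component(name: str, data: bytes) -> Finding:
    """Classify one extracted file: exact hash match first, heuristics second."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD:
        return Finding(name, "known-bad", [f"hash matches {KNOWN_BAD[digest]}"])
    reasons: List[str] = []
    # A font (.gdr) file inside a game/theme/utility package is the
    # Fontal/Blankfont/Doomboot technique: corrupt the system font so the
    # phone cannot render its UI after the next reboot.
    if name.lower().endswith(".gdr"):
        reasons.append("installs a font (.gdr) file")
    paths = sorted({m.group(0).decode("latin-1")
                    for m in SYSTEM_PATH_RE.finditer(data)})
    if paths:
        reasons.append("references system directories: " + ", ".join(paths))
    return Finding(name, "suspicious" if reasons else "clean", reasons)


def triage_package(components: Dict[str, bytes]) -> Dict[str, Finding]:
    """Triage every component of a package; returns {name: Finding}."""
    return {n: triage_component(n, d) for n, d in components.items()}


if __name__ == "__main__":
    for f in triage_package(SAMPLE_COMPONENTS).values():
        print(f"{f.name:28} {f.verdict:10} {'; '.join(f.reasons)}")
```

On a real sample the hash table would be filled from a vendor feed, and the heuristic verdicts are leads for a manual look, not detections.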


SymbOS DoomBoot.D

Description:

SymbOS DoomBoot.D contains a corrupted font file extracted from Fontal.A and seems to be packed together with a theme file, naming itself Angelina Joulie Theme(Universal Theme).SIS

Affected Platforms:

Tested on:

· Nokia 6680
· Nokia 3660

Affected:

· Nokia 6680
· Nokia 3660

Payload:

Theoretically, the dropping of the Fontal.A trojan should cause the device to be unable to reboot; anyway, the creator installed it into the wrong directory, so the phone reboots successfully even after it has been restarted. No harm was observed during my testing process.

This trojan drops the following files:

!:\ETel.dll
!:\Your Welcome.gif
!:\Fonts\Yeah Im in da house!!.gdr
!:\system\skins\616E676C\ThemesE.mbm
!:\system\skins\616E676C\ThemesE.skn

Analysis/Observation:

This trojan was distributed in a theme file and is spreading as Angelina Joulie Theme(Universal Theme).SIS. The theme looks like the image below:


Image dropped by this trojan after installation:

Symptoms:

When the user tries to install this suspicious theme file, the images shown above are screenshots taken during the installation process:


Prevention:

DoomBoot.D requires that the user intentionally install it on the device. As always, users should never install third-party applications from unknown sites. Anyway, this trojan is spreading on some of the sites that host Series 60 THEME files.

How to uninstall:

Go to the application manager and uninstall Angelina Joulie Theme(Universal Theme).SIS

F-SECURE's information about this malware is wrong. There was no harm to the phone in my analysis process; anyway, I will report it to them.


This trojan was distributed in a theme file and is spreading as Jennifer Lopez Theme++ by Dj Hardcore.SIS. The theme looks like the image below:

Image dropped by this trojan after installation:

Symptoms:

When the user tries to install this suspicious theme file, the images shown below are screenshots taken during the installation process:


Prevention:

DoomBoot.E requires that the user intentionally install it on the device. As always, users should never install third-party applications from unknown sites. Anyway, this trojan is spreading on some of the sites that host Series 60 THEME files.

How to uninstall:

Go to the application manager and uninstall Jennifer Lopez Theme++ by Dj Hardcore.SIS


The Fake Calvin Stinger

Recently a fella from Indonesia has created a large number of mobile malwares whose malicious act is just the same as the Cardtrap family's, that is, malware spreading from phone to PC.

It is noticeable that Steven's (the malware creator's) stuff doesn't change much; most of it is just repacked stuff using the "skull" technique of replacing functional files with non-functional ones. The main difference that has caught the anti-virus firms' attention is that most of his new stuff contains a new batch file assigned to execute its malicious act.

Steven is trying to fool innocent users by using the name "CALVIN STINGER Anti Virus 2.0" in his batch file, which tries to delete important system files on the C drive, causing the computer to fail to reboot next time.

Well, Steven's stuff is very lame and grandpa-style: our "Grandpa Hackers" used those DOS commands to attack computer systems a very long time ago. Shame on him, because he doesn't realize that his batch file is quite a kiddie script, which brings "Jokes and Humour" to our anti-virus firms.

Affected Platforms:

Tested on:

· Nokia 6680
· Nokia 3660

Affected:

· Nokia 6680
· Nokia 3660

Analysis/Observation:

This trojan was distributed in an application file and is spreading as BattleField 2 -GAMELOFT.SIS.

Symptoms:

When the user tries to install this suspicious *.SIS file, the image shown below is a screenshot taken during the installation process:

Payload

The payload disables a large number of third-party applications and also some ROM applications, as this malware tries to overwrite the ROM files and also replaces functional files with non-functional ones.

Method of Infection in PC

Tested Platform: Windows XP SP2

Users should be aware of the *.exe files which this malware drops onto the media card. The author is trying to get those *.exe files installed; they contain a malicious batch file that tries to delete important system files on the C drive.

When the user tries to execute the *.exe file, it triggers the batch file, and a Command Window pops up claiming to be "CALVIN STINGER AntiVirus 2.0".

If the user presses any key to continue, it deletes important data files on the C drive, causing the computer to fail to reboot next time.

After deleting those important data files, it shows a message.

Prevention:

This malware requires that the user intentionally install it on the device. As always, users should never install third-party applications from unknown sites.

Well, CalvinStinger has only been released once and does not have any updated version yet. Users should be wary of downloading CalvinStinger from an unknown site, because it might be a FAKE one or contain some malicious act.

Users should be reminded that the ORIGINAL CalvinStinger for Symbian OS phones can ONLY be safely downloaded at SF and SX.

McAfee anti-virus has added detection for this "kiddie stuff"; it is detected as Bat/Kads.dr. The same goes for the other anti-virus vendors too; please update your anti-virus definitions to ensure you're protected from this malware, although it's a grandpa-old-time malware.

How to uninstall:

McAfee VirusScan, TrendMicro Anti-Virus, Symantec Mobile Security and F-Secure Anti-Virus should be able to detect it, provided your anti-virus software has the latest definitions for this malware, which will be available in the next few days.


Commwarrior.D

Basically, this malware's malicious act is just the same as the previous variant, Commwarrior.B, except that it has been edited by someone; the main difference is that when it spreads itself via MMS, the text messages are all in Spanish, such as:

/abcdefghijklmnopqrstuvwxyz01234567890_
A mi novia LessAMD!!!
Universidad de Madrid y Valencia.
Antena 3 y Telecinco...
application/vnd.symbian.install
application/vnd.symbian.install
Ayudanos contra la drogadiccion, colabora ACDV 1 Euro.
Cari!!
Carod eres un cabron, Capullo!.
Politonos de Neng !!.
Follatela!
Mis Albumes
Carod Rovira HPuta!
Coleccion de mis fotoalbum fallas 2006!!!
Comela!
Conseguir eso.. Maldito Sea!
Descarga nuevos sonitonos aqui!
Diapositiva PowerPoint ensymbian.com
Dluxe!!
Felicidades!!!! Tienes una postal aki!
Feliz Cumple!!!
Fernando Alonso te envia una invitacion! Sr Arganda
Hay que pagar para respirar y mear
Llamame cuando veas
Manda tu curriculum a esta direcciony llamaran!
Mario y yo nos casamos en 2 meses!!.
Me he cambiado la direccion de email, esta
Me he cambiado..
Mi e-mail es este
Mi Exnovia!
Mi foto erotic@
Mierda Estatut!!
Morena
Movistar!
Mp3 Player para Nokia series 60. Instalalo yaa!
Nuevas Tiendas!
Nuevo Virus THX para los Nokia s60s. Instala
Orgullo Gay
Politono Popcorn anuncio renault clio
PoltiTonos paramoviles,descarga ya!
Problema de bateria en Nokia!
Quedamos a tomar algo?
Quieres Reirte
Se busca gente
Solo trabajemos 6 horas diarias .....!
Sonitonos Nokia
Todos vendemos. Gracias Carod!
Valencia,ciudad de Campeones. Viva el VCF!
Solo Nokia.
Viva las fallas de Valencia, mascletas online
Vodafone y Amenase fusionan. Compra un Nokia.com
Vodafone, Informacion gratuita en MMS..... Informa

Should you have any problem regarding this malware, the current CalvinStinger should be able to fix it.


SymbOS\Commwarrior.E

Description:

Commwarrior.E is a variant of the "Commwarrior" family. It claims to be a GPRS settings utility, but in fact it is a malicious application that tries to fool the user into proceeding with the installation, causing a malicious infection of the phone or the media card.

This malicious application tries to replicate itself over the Bluetooth network and also the MMS network. I spent 1 hour observing its replication method: in the first hour, it replicated itself via the Bluetooth network at a rate of 1 malicious file per 5 minutes, causing the phone battery to drain abnormally fast. Around midnight 12 a.m., this malicious application stopped replicating itself via the Bluetooth network but replicated itself via the MMS network.

This spreading technique is quite effective, as you can see it works "invisibly in the background", so normal users are not aware of it until they notice a "high bill" for MMS charges.

The main difference between this variant and the previous one is that it generates different codes and replicates itself via another Bluetooth device. The image below is a screenshot taken on another phone, whose user has authorised the infected device to send the suspicious file, while it was being installed.

Affected Platforms:

Tested on:

· Nokia 6680
· Nokia 3660

Affected:

· Nokia 6680
· Nokia 3660


Analysis/Observation:

This trojan was distributed in an application file and is spreading as Commwarrior.E.SIS or GprsSettings.SIS.

Symptoms:

When the user tries to install this suspicious *.SIS file, the image shown below is a screenshot taken during the installation process:

Method of Infection

It replicates itself via the Bluetooth network and also the MMS network: it randomly picks contact details from the user's phonebook and sends itself to the selected victim.

It has a unique feature similar to Commwarrior.C: it protects itself even if the user has deleted the malicious directory.

The text below shows the messages used by this malicious application to spread itself via the MMS network:

Subject: Llamame cuando veas
Message: Problema de bateria en Nokia!

Subject: Mira!!
Message: Ole!!!Universidad de Madrid y Valencia.

Subject: Nuevas Tiendas!
Message: Hay que pagar para respirar y mear

Subject: Movistar!
Message: Fernando Alonso te envia una invitacion! Sr Gonzalo


Subject: Norton AntiVirus

Message: Instalacion para moviles, instalar ya!

Subject: Paulina

Message: Nuevo Antivirus para los Nokia s60s. Instala

Subject: Quieres Reirte
Message: Todos vendemos. Gracias Maria!

Subject: Deejay
Message: Conseguir eso.. Maldito Sea!

Subject: Amor Libre!
Message: Descarga nuevos sonitonos aqui!

Subject: AmorVirtual
Message: Mp3 Player para Nokia series 60. Instalalo yaa!

Subject: Mi tema erotico
Message: Coleccion de mis fotoalbum fallas 2006!!!

Subject: Quedamos a tomar algo?
Message: Viva las fallas de Valencia, mascletas online

Subject: Ayudanos mo
Message: vilforum, todo sobre moviles y demas......com

Subject: Me he cambiado..
Message: Me he cambiado la direccion de email, esta

Subject: HP-CITY
Message: Veroo eres un zorron, guarrita. Instalalo si eres tu. Instala!

Subject: Mis Albumes
Message: Maria! Traeme las bragas de tu madre!!!!! Solo Nokia.

Subject: Sonitonos Nokia
Message: Politono Popcorn anuncio renault clio

Subject: Telefonica Anuncia.
Message: Vodafone y Amena se fusionan. Compra un PpPpc.com

Subject: A mi novia XXXX
Message: Solo trabajemos 6 horas diarias .....!


Subject: Se busca gente
Message: Antena 3 y Telecinco ven

Subject: Antena 3 y Telecinco...
Message: Diapositiva PowerPoint en symbian.com

Subject: Mi e-mail es este
Message: Jorge y yo nos casamos en 2 meses!!.

Subject: Feliz Cumple!!!
Message: Felicidades!!!! Tienes una postal aki!

Subject: Amor Libre!
Message: Descarga nuevos sonitonos aqui!

Subject: AmorVirtual
Message: Mp3 Player para Nokia series 60. Instalalo yaa!

Subject: Mi tema erotico
Message: Coleccion de mis fotoalbum fallas 2006!!!

Subject: Quedamos a tomar algo?
Message: Viva las fallas de Valencia, mascletas online

Subject: Ayudanos mo
Message: vilforum, todo sobre moviles y demas......com

Prevention:

This malware requires that the user intentionally installs it on the device. As always, users should never install third-party applications from unknown sites.

How to uninstall:

CalvinStinger v1.2 will be able to remove this malware; it will be available soon at SymbianX.


SymbOS\Multidropper.AS [McAfee]

Other aliases: SymbOS\CardTrap.AB [F-Secure]

Description:

A new Multidropper variant has been found again today! It claims to be a Symantec Anti-Virus product, but it is in fact a malicious application that tries to fool the user into proceeding with the installation step, causing malicious infection on both the phone and the computer.

This malicious application contains the Skulls trojan and a new W32 malware which, when the user tries to launch it, performs a malicious act and harms the computer. Also, McAfee generic detection has shown that a suspicious ZIP file, possibly a W32/Mytob@MM variant, is also bundled together with this malicious application.

However, the W32 malware can only activate itself if the user tries to launch it. This happens when the user tries to read their media card or synchronize with the computer and accidentally launches the malicious file.

The author has designed various "colourful" icons that try to fool the user into launching the files, using the Symantec Anti-Virus logo and also the Google icon.

Affected Platforms:

Tested on:

· Nokia 6680
· Nokia 3660

Affected:

· Nokia 6680
· Nokia 3660


Analysis/Observation:

This trojan is distributed as an application file and spreads as Symantec Response Team.SIS.

Symptoms:

When the user tries to install this suspicious *.SIS file, the image shown below is a screenshot taken during the installation process:

This malware shows a fake message containing the Symantec official website and tries to fool the user into restarting the phone, which then activates the Skulls trojan attack!

This malware also contains the image shown below:

Prevention:

This malware requires that the user intentionally installs it on the device. As always, users should never install third-party applications from unknown sites.

How to uninstall:


McAfee VirusScan, Trend Micro Anti-Virus, Symantec Mobile Security and F-Secure Anti-Virus should be able to detect it, provided your anti-virus software has the latest definitions (on both the computer and the phone) for this malware, which will be available in the next few days.


Da Vinci virus hits mobile phones!


It’s been confirmed — The Da Vinci Code is bad for you. The virus, that is. A computer bug bearing the controversial film’s name has affected dozens of mobile phones and laptops in the city.

The virus, which spreads via wireless Bluetooth technology, causes a message to pop up on Bluetooth devices: ‘Receive message via Bluetooth from Da Vinci Code?’ Once a curious mobile phone user accepts the message, the virus enters the system and destroys the phone’s data.

A picture depicting an eye and a cross appears on the desktop and phone’s gallery.

System crash

Mridul Sharma (32), an operations manager at an event management firm, received the virus during a corporate presentation a few days ago. “The Da Vinci Code name actually excited me. I assumed the file was either an MMS clipping or a still and accepted it.

My entire system collapsed and data was deleted. I had just bought my Nokia N91 handset worth Rs 31,000 and had to pay Rs 1,500 to format my mobile hard disk and reload the software,” said Sharma.

Common virus

“I received the virus on my laptop and phone. Apparently my Bluetooth device was active. The technician who repaired my phone told me this was a common virus, which had simply been renamed The Da Vinci Code to attract the users,” said 35-year-old Sanjay Menon.

Abhishek Datta, a software expert, said, “Once a phone is affected, formatting is the only option. You cannot retrieve your data.”

Conclusion

In conclusion, it might be a modified Caribe or Commwarrior repacked with corrupted binaries to prevent the phone from starting up.

It seems that "Da Vinci Code" is really a good name for mobile viruses for now, as this movie is quite prestigious in "Cinema Heat"!

Will we have "Mutant-X", "Mission Impossible 3" etc. as mobile phone viruses in the future? Let's see how creative those nasty creators are then!


Recommendations

1. An anti-virus with REAL TIME PROTECTION will provide you with tight security.

2. Set your Bluetooth discovery mode to "Hidden" or "Invisible", or just switch it off if it's not necessary.

3. Never try to install an unknown file and proceed to the installation step.

4. Backup your data from time to time just in case...

5. Please beware of any MMS that comes with a *.SIS file attachment. Delete it if it looks suspicious.


SymbOS\Splashstall

Description:

SymbOS\Splashstall is the latest mobile trojan; it prevents S60 devices from booting up.

For an innocent user who proceeds to the installation step by agreeing and passing the security check, the phone is infected by this malware straight away; the phone starts to reboot itself and is permanently unable to boot to the startup menu.

The most interesting part, which caught my attention, is that while the phone is rebooting after being infected by this malware, a scary and funny "hahaha" sound is played. One might get shocked if he installs this application at night!

Affected Platforms:

Tested on:

- Nokia 6680
- Nokia 3660

Affected:

- Nokia 6680
- Nokia 3660

Analysis/Observation:

This trojan is distributed as an application file and spreads as Nokia Theme.SIS.

Symptoms:

When the user tries to install this suspicious *.SIS file, the image shown below is a screenshot taken during the installation process:


Method of Infection

This malware replaces the startup system binaries with corrupted ones. As a result, the phone is permanently unable to boot up and displays the message "Phone Startup-failed, Contact your retailer!".

This malware also drops a sound file into the phone system; when the trojan executes, the sound file is played. I assume that this sound file is meant to mock those innocent users who were tricked by this trojan and whose phone can no longer boot into normal startup mode.

Prevention:

This suspicious Symbian application needs user intervention to be installed on target devices. Upon execution, it prompts the user to install the application on the phone. It also prompts the user to select where the said application is to be installed. As always, users should never install third-party applications from unknown sites.

How to uninstall:

There is no known method to fix this trojan except hard formatting the infected device. All data will be lost upon formatting.


For Symbian OS v6.1 devices such as the Nokia 3650/3660/N-Gage/QD and Siemens SX-1, there is no known method to fix it except flashing the firmware.


Commwarrior.Q a.k.a "Matrix Commwarrior"

When the Commwarrior.Q SIS file is installed, it drops its executable with a random name, for example 5k8jb1fo.exe, either into C:\ or into a directory that has a random name such as C:\uqxo5dh7xtyc5.

Installation

When the Commwarrior.Q executable is executed, it copies itself to C:\System\Libs\cw.exe and creates a bootstrap file at C:\system\Recogs\cw3rec.mdl. If a memory card is present, the same files are also created on the memory card.

Replacing operator logo

Commwarrior.Q creates a bitmap file with the name used by the current operator in C:\system\Apps\Phone\oplogo\. This bitmap file is then shown instead of the operator logo when the phone is on the network.

Generating SIS installation packages to send to other devices

Commwarrior.Q replicates in SIS installation packages over Bluetooth and MMS in the same manner as previous variants. SIS files created by Commwarrior.Q have a random name, for example anyrah5y.sis or xyr88b0muh7.sis. A Commwarrior.Q SIS file contains the worm main executable, which has a random name and is either in C:\ or in a randomly named directory. SIS files created by Commwarrior.Q have a random size between 32100 and 32200 bytes.

Unlike previous variants of Commwarrior, Commwarrior.Q does not use a static product name that is shown during installation. Previous variants always showed the same name, thus making them easy to identify. Commwarrior.Q contains an internal list of strings that is used to generate random but plausible-looking filenames.

The filenames are composed from three component string arrays that are stored in the main binary in obfuscated form. The string arrays are:

smart,nokia,symbian,nice,fatal,cool,c00l,virtual,final,safe,abstract,static,zend,jedi,trend,micro,mega,hard,nice,good,lost

www,web,wap,e-mail,mail,game,graphics,java,hood,sex,max,audio,memory,RAM,ROM,HDD,WinAmp,jedi,hardware,display,keyboard,key

antivirus,anti-virus,guard,fucker,hacker,cracker,checker,driver,manager,uninstaller,remover,engine,tool,machine,box,stuff,videoplayer,player,trust,ringtone,explorer,timer,game,AppMan,recorder,dictaphone,team,images,calculator,objects,documents,clips,docs
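The three string arrays can be turned into a triage check for installation packages. The Python below is an added example written for this page, not code from the original document or from any vendor tool; the assumption that a generated product name is one word from each array, in order, joined by at most one separator character is mine, and the file-size range comes from the text above.

```python
# Added example for this page, not code from the original document or any vendor tool.
# Component arrays copied from the description above (lower-cased for matching).
# ASSUMPTION (mine): a generated product name is one word from each array, in
# order, joined by at most one separator character; the text does not state this.
FIRST = ("smart", "nokia", "symbian", "nice", "fatal", "cool", "c00l", "virtual",
         "final", "safe", "abstract", "static", "zend", "jedi", "trend", "micro",
         "mega", "hard", "nice", "good", "lost")
SECOND = ("www", "web", "wap", "e-mail", "mail", "game", "graphics", "java", "hood",
          "sex", "max", "audio", "memory", "ram", "rom", "hdd", "winamp", "jedi",
          "hardware", "display", "keyboard", "key")
THIRD = ("antivirus", "anti-virus", "guard", "fucker", "hacker", "cracker",
         "checker", "driver", "manager", "uninstaller", "remover", "engine", "tool",
         "machine", "box", "stuff", "videoplayer", "player", "trust", "ringtone",
         "explorer", "timer", "game", "appman", "recorder", "dictaphone", "team",
         "images", "calculator", "objects", "documents", "clips", "docs")
SEPARATORS = (" ", "-", "_")       # assumed optional joiners between components
SIZE_RANGE = range(32100, 32201)   # "random size between 32100 and 32200 bytes"


def _strip_sep(s):
    """Drop at most one separator character from the front of s."""
    return s[1:] if s[:1] in SEPARATORS else s


def decompose_product_name(name):
    """Return (first, second, third) if name is built from the three arrays, else None.

    Matching is case-insensitive and a trailing .sis extension is ignored.  All
    combinations are tried, so words present in two arrays ('jedi', 'game') and
    the duplicated 'nice' cannot cause a false miss.
    """
    s = name.lower()
    if s.endswith(".sis"):
        s = s[:-4]
    for a in FIRST:
        if not s.startswith(a):
            continue
        rest_a = _strip_sep(s[len(a):])
        for b in SECOND:
            if not rest_a.startswith(b):
                continue
            rest_b = _strip_sep(rest_a[len(b):])
            for c in THIRD:
                if rest_b == c:
                    return (a, b, c)
    return None


def is_suspect_sis(product_name, size_bytes):
    """Flag a package whose product name matches the generator pattern or whose
    size falls in the range the text gives for Commwarrior.Q-generated SIS files."""
    return decompose_product_name(product_name) is not None or size_bytes in SIZE_RANGE
```

Either indicator alone is only a heuristic: a legitimate package may happen to match the name pattern, and the size range only applies to packages the worm generated itself, not to legitimate SIS files it has wrapped.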

Replication over Bluetooth

Commwarrior.Q replicates over Bluetooth in SIS files that have a random name, for example anyrah5y.sis or xyr88b0muh7.sis. The SIS file contains the worm main executable, which has a random name and is either in C:\ or in a randomly named directory.

The SIS file contains autostart settings that automatically execute Commwarrior.Q after the SIS file is installed.

When the Commwarrior worm is activated it starts looking for other Bluetooth devices and sends a copy of itself to each of these phones, targeting several phones in one attempt.

If a target phone goes out of range or rejects the file transfer, Commwarrior searches for another phone.

The replication mechanism of Commwarrior is different from that of Cabir. The Cabir worm locks onto one phone as long as it is in range and, depending on the variant, will either look for another phone after losing contact or stay locked.

The Commwarrior worm constantly looks for new targets, so it is able to contact all phones in range.

Replication over MMS

Commwarrior.Q uses three strategies for spreading over MMS messages.

First, when Commwarrior.Q starts, it goes through the phone's address book and sends MMS messages to phone numbers that are marked as mobile phones.

Second, Commwarrior.Q listens for any arriving MMS or SMS messages and replies to those messages with an MMS message containing the Commwarrior.Q SIS file.

Third, the worm also listens for any SMS messages being sent by the user and sends an MMS message to the same number right after the SMS message.

The MMS messages sent by Commwarrior.Q contain texts that are stored in the phone's Messaging Inbox, so the messages that Commwarrior.Q sends are texts that the receiving user might expect from the sender.

Displaying HTML page

After Commwarrior.Q has infected the phone it will, after a random delay, create an HTML page that it displays to the user using the phone's default browser. The HTML page is created at C:\system\Libs\cwinfo.html.

Replication to MMC card

Commwarrior.Q "listens" for any MMC card inserted into the infected phone and copies itself to the inserted card. The infected card contains both the Commwarrior executable and the bootstrap component, so that if the infected card is inserted into another phone, that phone will also be infected.

Replication by infecting other SIS files

Commwarrior.Q searches the device's C: drive and memory cards for SIS installation files and infects all SIS files that it finds. The infected SIS files are wrapped by Commwarrior.Q so that if the user installs the infected SIS file, Commwarrior.Q installs first, followed by the original application.

Infected SIS files retain the original product name so that the user will not notice that the SIS package is infected with Commwarrior.Q when installing it.

Removal Steps:

Kill Commwarrior Process

1. Install a third-party file manager, for example FExplorer
2. Start FExplorer
3. Select and copy any file to the clipboard
* Navigate the file system with the navigation button. Press right to enter a directory, left to leave a directory.
* Select C: and press right, select system and press right
* Select any file from c:\system such as backup.xml
* Select Edit/Copy from the menu


4. Copy the file to E:\system\temp
* Press left until you are at the filesystem selection screen
* Select E: and press right
* Select System and press right, and then temp and press right
* Select Edit/Paste from the menu

5. Rename the file to noboot
* Select File/Rename from the menu
* Rename the copied file to noboot

6. Reboot the phone

Install F-Secure Mobile Anti-Virus to finish cleaning up your phone

* Download the file and select open after download
* Install F-Secure Mobile Anti-Virus
* Go to the Applications menu and start Anti-Virus
* Activate Anti-Virus and scan all files
