MOBILE VIRUS !!!

Again I would like to acknowledge Sir Calvin Tang the developer of calvinstinger, Rocky and Sir Eldogg for sharing this information

PHONE BOOK STEALER

Description:

This type of mobile virus is very interesting that it'll steal user phonebook data and then it will compile it into a text file and sent it through
bluetooth without user confirmation.

So far, this is the first Symbian Virus that I've seen that it will steal user data without
user confirmation and sent thorogh other bluetooth supported devices.


Affected Platforms:

Tested on:

· Nokia 6680
· Nokia 3660

Affected:

· Nokia 6680


Analysis/Observation:

This trojan was distributed in an application file and it is spreading in pbexplorer.SIS.

Symtomps:

When user try to install this suspicious *.SIS file, the image shown below is screenshoot taken during installation process:


After installation complete, the application has set to run automatically and will display the following text:

________________
| Phone Book |
| Compacting |
| by: lajel 202u |
| |
| please wait... |
|________________|

________________________
| Compacting |
| your contact(s),step 2 |
| |
| Please wait again |
| until done... |
|________________________|

After the malicious process done, it will pop out a message:

"Done!!!"

If user press [OK] the malicious program will ended itself and after some times,
it will start searching for bluetooth devices and sent all phonebook information in
text file via bluetooth.


Prevention:

This malware requires that the user intentionally install them upon the device. As always, users should never install third party application from unknown site.

How to uninstall:

By using latest version of CalvinStinger© Symbian Viruses Disinfection Tool.

Special Announcement:

Recently there is some fella from Indonesia are spreading Symbian Malwares Widely in Yahoo Group and
it's recomended not to download any file from there.

SYMBIAN TROJAN--Mabtal.A
Profimail v2.75_FULL.SIS/SymbOS Mabtal.A is a SIS file malware that pretends to be a cracked version of Profimail which is a very popular E-Mailing third party application in Symbian Platform, in fact, it is a malware which drops Mabir.A, Caribe and Fontal variants into the phone system, besides, it also drops some corrupted binaries file which causing the phone auto-restart and showing fatal error message. Next the phone will fail to boot-up permanently.

Suspicious file tested using the following handsets:

NOKIA 3660 (Symbian OS 6.1)
NOKIA 6680 (Symbian OS 8.0)

Positive analysis results:

While tested using the above handsets, both platform was affected. When user tries to install the suspicious file into his phone, it will look like the below image:


While installing the suspicious file, it will show a message as shown below:


This suspicious file automatically installed all files into the phone memory. Cabir virus will start spreading via bluetooth and keeps listening if any incoming message arrives in the phone, when any SMS/MMS message arrives in the phone, mabir.A virus will immediately sent itself out via MMS for spreading purpose.

When user tries to access the Profimail and ProfiExplorer third party application, it may display an error message as shown below:


After it has successfully restart, due to the corrupted fonts, the device can't boot up permanently.

By using the hash-number-matching method, the following files was proved to be a malware files while analyzing work is in progress:

11x12 euro_fonts.gdr detected as SymbOS.Fontal.A
CARIBE0.APP detected as SymbOS.Mabir.A
CARIBE0.RSC detected as SymbOS.Cabir
flo0.mdl detected as SymbOS.Mabir.A
flo.mdl detected as SymbOS.Mabir.A
caribe.app detected as SymbOS.Mabir.A
caribe.rsc detected as SymbOS.Cabir
Appinst.app detected as SymbOS.Cabir.U2
Appinst.aif detected as SymbOS.Cabir.U2


This malware doesn't come with any valid digital certificate but it can replicate itself via bluetooth or MMS(Mabir.A) and it will cause severe damage to Symbian OS 6.1 handsets!

SplinterCell-ChaosTheory_S60_cracked-XiMPDA.SIS OR SymbOS/Skudoo.A
This is a Series 60 trojan that installs skulls trojan, MGdropper, Commwarrior, Doomboot.A and cabir into the targeted device. When this trojan executed, most of application in the phone being replaced by a non-functional or corrupted files by the trojan into the phone, causing application can't run as usual. It fails to attack NOKIA 6680 while the phone has been restarted. Anyway, McAfee AVERT mentioned that this trojan will cause the phone fail to reboot on the next restart by the user.

It is also the first mobie trojan in the world which capable propagates MGDropper virus and Commwarrior virus vice-versa.


It contains also the image as shown below while I have extracted the *.SIS file:

Some of the blank icon that the trojan drops actually is coded to auto restart the phone, when the phone has been restarted, the menu function of the phone can't no longer be function and thus this totally lock the whole phone.

When user tries to installs the trojan into the phone, the symptoms are as shown below:


While installing the suspicious file into the phone, it will pop up a message as shown below:

This virus claims to be a third party application but in fact, it is a trojan which drops several non-functional system file and corrupted fonts into the phone system, causing puzzle-like and blank icon shown in the phone.

User should take alert about this suspicious file when the following symptoms as shown in the image below:

When user try to install it into the phone:



Such message popping out in the installation process:


The phone will look like this:


Never click on the blank icon as it would automatically restart the phone which causing the phone fail to reboot next time due to malware attacks.

This malware spreading in Fontal.C.sis

Virus tested and information write up by Calvin on 29 July 2005 ©

[center]Blankfont.A is a SIS file trojan that installs corrupted Font file into infected device. The corrupted font does not cause device to crash, but if the device is rebooted it will lose the system font, and is unable to display user interface texts.


If a phone is infected with Blankfont.A, it must not be rebooted as the trojan will corrupt system font and make disinfection quite difficult. If the phone is rebooted it can still be disinfected but, doing so is rather difficult as there is no text on the screen.

Spreading in Rally_2.sis

[center]Description:

Symbian/Skudoo.C-D are Skulls variants with parts of Doomboot. Variant C also drops Commwarior.B. Variant D drops MGDropper. They appear to be repackaged collections of recent malware.

Affected Platforms:

Tested on:

· Nokia 6600

Affected:

· Nokia 6600

Payload

The Skulls and MGDropper files will disable native system applications and some third-party applications. The dropping of Doomboot will cause the device to be unable to reboot, therefore, once the device has been restarted the impact of the Skulls and MGDropper files is no longer an issue.The CommWarrior that is dropped by Skudoo.C will spread.


Figure 1 Desktop screen of Skudoo.C


Analysis/Observation

Both variants have filenames implying that they are pirated versions ofvideo games. Variant C claims to be a cracked version of Need for Speed1. Variant D claims to be "Carmageddon_3D_s60_BETA.sis".

Prevention

Both variants require that the user intentionally install them upon the device. As always, users should never install unknown or un-trusted software. This is especially true for illegal software, such as cracked applications-they are a favorite vector for malware infection.

How to uninstall

If the device has been rebooted then a hard-reset must be performed for recovery.

For Skudoo.D, as all malicious files are installed the external phone card, removing the card will restore full use of the phone.

[center]Description:

Symbian/Skudoo.E-F are Skulls variants with parts of Doomboot and BlankFont.Variant E also drops Commwarior.B. They appear to be repackagedcollections of recent malware.

AffectedPlatforms:

Tested on:

· Nokia 6600
· Nokia 7610

Affected:

· Nokia 6600
· Nokia 7610

Payload:

The Skulls files will disable native system applications and some third-party applications. The dropping of Doomboot and BlankFont will cause the device to beunable to reboot, therefore, once the device has been restarted the impact of theSkulls files is no longer an issue. The CommWarrior that is dropped by Symbian/Skudoo.E will spread.



Figure 1 Virus.jpg dropped by Skudoo.F

Analysis/Observation:

Symbian/Skudoo.E is distributed in a sis file named "pop corn.sis". Variant F is distributed in a sis file named "Rally 3.sis".

Prevention:

Symbian/Skudoo.E requires that the user intentionally install them upon the device.As always, users should never install unknown or un-trusted software. This is especially true for illegal software, such as cracked applications-they are a favorite vector for malware infection.

How to uninstall:

If the device has been rebooted then a hard-reset must be performed for recovery.

Virus analysis report write up by Mobile Phone Anti-Virus Team on 26th August 2005 ©