SymbOS malware info ALL!!

Status: Not open for further replies.
Well, I had seen that there is no system malware info in the best forum of techies!!

Well, this topic will contain all the info regarding all the viruses and trojans etc.

This topic will also contain the methods to remove all the virus files with the help of any one of the applications

like FExplorer, System Explorer, SeleQ etc.!!

Here is the beginning!!

And I don't have any source as it's being collected by me through many sites!!

Hope this will help Symbian phone users!!

Cabir.A

Info

Cabir is a Bluetooth-using worm that runs on Symbian mobile phones that support the Series 60 platform.

Cabir replicates over Bluetooth connections and arrives in the phone messaging inbox as a caribe.sis file that contains the worm. When the user clicks caribe.sis and chooses to install it, the worm activates and starts looking for new devices to infect over Bluetooth.

When the Cabir worm finds another Bluetooth device it will start sending infected SIS files to it, and lock on to that phone so that it won't look for other phones even when the target moves out of range.

Please note that the Cabir worm can reach only mobile phones that support Bluetooth and are in discoverable mode.

Setting your phone into non-discoverable (hidden) Bluetooth mode will protect your phone from the Cabir worm.

But once the phone is infected it will try to infect other systems even as the user tries to disable Bluetooth from the system settings.

Disinfection

Delete these files:

c:\system\apps\caribe\caribe.rsc
c:\system\apps\caribe\caribe.app
c:\system\apps\caribe\flo.mdl
c:\system\recogs\flo.mdl
c:\system\symbiansecuredata\caribesecuritymanager\caribe.app
c:\system\symbiansecuredata\caribesecuritymanager\caribe.rsc

Cabir.B

Info

Cabir.B is a minor variant of Cabir.A; the only significant difference is that Cabir.B displays different text on the start dialog when the worm starts for the first time or the phone reboots.

Cabir.A displays the text "Caribe-VZ/29a" while Cabir.B displays text that contains just "Caribe".

There is also a repacked version of Cabir.B that is packed into a SIS file which installs the worm into a different directory and shows a text popup at SIS install. But this is not a new variant, as the worm executables are fully identical to the original Cabir.B and all differences are due to settings in the repacked SIS file.

Disinfection

Same as for Cabir.A

Cabir.C

Info

Cabir.C is a minor variant of Cabir.B; the only significant differences are that Cabir.C displays different text on the start dialog when the worm starts and that Cabir.C spreads as MYTITI.SIS instead of Cabir.SIS.

Cabir.C displays text "Mytiti" while Cabir.B displays text that contains just "Caribe".

Disinfection

Same as for Cabir.A

Cabir.D

Info

Cabir.D is a minor variant of Cabir.B; the only significant differences are that Cabir.D displays different text on the start dialog when the worm starts and that Cabir.D spreads as [YUAN].SIS instead of Cabir.SIS.

Cabir.D displays text "[YUAN]" while Cabir.B displays text that contains just "Caribe".

Disinfection

Same as for Cabir.A

Cabir.E

Info

Cabir.E is a minor variant of Cabir.B; the only significant differences are that Cabir.E displays different text on the start dialog when the worm starts and that Cabir.E spreads as Ni&Ai-.SIS instead of Cabir.SIS.

Cabir.E displays text "Ni&Ai-" while Cabir.B displays text that contains just "Caribe".

Disinfection

Same as for Cabir.A

Cabir.Dropper

Info

Cabir.Dropper is a Symbian installation file that will install Cabir.B, Cabir.C and Cabir.D into the device and disables the Bluetooth control application. The original version of Cabir.Dropper is named Norton AntiVirus 2004 Professional.sis.

The Cabir.Dropper installs different Cabir variants into several places in the device file system. Some of the installed Cabirs replace common third-party applications, so that if the user has one of those applications installed on the system it gets replaced with Cabir.D and its icon in the menu will go blank.

If the user clicks on one of the replaced icons in the menu, the Cabir.D that has replaced that application will start and try to spread to other devices. If Cabir.D starts it will spread as Cabir.D ([YUAN].SIS) without the other Cabir variants or Cabir.Dropper.

The Cabir.Dropper will also install an autostart component that tries to automatically start Cabir.D upon system reboot, but fails as the autostart component points to a directory that is not installed on the device.

Disinfection

Delete Cabir files from:

c:\images\
c:\sounds\digital
c:\system\apps
c:\system\install
c:\system\recogs
c:\system\apps\btui
c:\system\apps\fexplorer
c:\system\apps\file
c:\system\apps\freakbtui
c:\system\apps\smartfileman
c:\system\apps\smartmovie
c:\system\apps\systemexplorer
c:\system\apps\[yuan]

Skulls.A

Info

Skulls is a malicious SIS file trojan that will replace the system applications with non-functional versions, so that all but the phone functionality will be disabled.

The Skulls SIS file is named "Extended theme.SIS"; it claims to be a theme manager for the Nokia 7610 smart phone, written by "Tee-222".

If Skulls is installed it will cause all application icons to be replaced with a picture of a skull and crossbones, and the icons don't refer to the actual applications any more, so none of the phone system applications will be able to start.

This basically means that if Skulls is installed only calling from the phone and answering calls works. All functions which need some system application, such as SMS and MMS messaging, web browsing and the camera, no longer function.

If you have installed Skulls, the most important thing is not to reboot the phone and to follow the disinfection instructions in this description.

Disinfection

Install a third-party file manager and delete these files:

c:\System\Apps\About\About.aif
c:\System\Apps\About\About.app
c:\System\Apps\AppInst\AppInst.aif
c:\System\Apps\AppInst\Appinst.app
c:\System\Apps\AppMngr\AppMngr.aif
c:\System\Apps\AppMngr\Appmngr.app
c:\System\Apps\Autolock\Autolock.aif
c:\System\Apps\Autolock\Autolock.app
c:\System\Apps\Browser\Browser.aif
c:\System\Apps\Browser\Browser.app
c:\System\Apps\BtUi\BtUi.aif
c:\System\Apps\BtUi\BtUi.app
c:\System\Apps\bva\bva.aif
c:\System\Apps\bva\bva.app
c:\System\Apps\Calcsoft\Calcsoft.aif
c:\System\Apps\Calcsoft\Calcsoft.app
c:\System\Apps\Calendar\Calendar.aif
c:\System\Apps\Calendar\Calendar.app
c:\System\Apps\Camcorder\Camcorder.aif
c:\System\Apps\Camcorder\Camcorder.app
c:\System\Apps\CbsUiApp\CbsUiApp.aif
c:\System\Apps\CbsUiApp\CbsUiApp.app
c:\System\Apps\CERTSAVER\CERTSAVER.aif
c:\System\Apps\CERTSAVER\CERTSAVER.APP
c:\System\Apps\Chat\Chat.aif
c:\System\Apps\Chat\Chat.app
c:\System\Apps\ClockApp\ClockApp.aif
c:\System\Apps\ClockApp\ClockApp.app
c:\System\Apps\CodViewer\CodViewer.aif
c:\System\Apps\CodViewer\CodViewer.app
c:\System\Apps\ConnectionMonitorUi\ConnectionMonitorUi.aif
c:\System\Apps\ConnectionMonitorUi\ConnectionMonitorUi.app
c:\System\Apps\Converter\Converter.aif
c:\System\Apps\Converter\converter.app
c:\System\Apps\cshelp\cshelp.aif
c:\System\Apps\cshelp\cshelp.app
c:\System\Apps\DdViewer\DdViewer.aif
c:\System\Apps\DdViewer\DdViewer.app
c:\System\Apps\Dictionary\Dictionary.aif
c:\System\Apps\Dictionary\dictionary.app
c:\System\Apps\FileManager\FileManager.aif
c:\System\Apps\FileManager\FileManager.app
c:\System\Apps\GS\GS.aif
c:\System\Apps\GS\gs.app
c:\System\Apps\ImageViewer\ImageViewer.aif
c:\System\Apps\ImageViewer\ImageViewer.app
c:\System\Apps\location\location.aif
c:\System\Apps\location\location.app
c:\System\Apps\Logs\Logs.aif
c:\System\Apps\Logs\Logs.app
c:\System\Apps\mce\mce.aif
c:\System\Apps\mce\mce.app
c:\System\Apps\MediaGallery\MediaGallery.aif
c:\System\Apps\MediaGallery\MediaGallery.app
c:\System\Apps\MediaPlayer\MediaPlayer.aif
c:\System\Apps\MediaPlayer\MediaPlayer.app
c:\System\Apps\MediaSettings\MediaSettings.aif
c:\System\Apps\MediaSettings\MediaSettings.app
c:\System\Apps\Menu\Menu.aif
c:\System\Apps\Menu\Menu.app
c:\System\Apps\mmcapp\mmcapp.aif
c:\System\Apps\mmcapp\mmcapp.app
c:\System\Apps\MMM\MMM.app
c:\System\Apps\MmsEditor\MmsEditor.aif
c:\System\Apps\MmsEditor\MmsEditor.app
c:\System\Apps\MmsViewer\MmsViewer.aif
c:\System\Apps\MmsViewer\MmsViewer.app
c:\System\Apps\MsgMailEditor\MsgMailEditor.aif
c:\System\Apps\MsgMailEditor\MsgMailEditor.app
c:\System\Apps\MsgMailViewer\MsgMailViewer.aif
c:\System\Apps\MsgMailViewer\MsgMailViewer.app
c:\System\Apps\MusicPlayer\MusicPlayer.aif
c:\System\Apps\MusicPlayer\MusicPlayer.app
c:\System\Apps\Notepad\Notepad.aif
c:\System\Apps\Notepad\Notepad.app
c:\System\Apps\NpdViewer\NpdViewer.aif
c:\System\Apps\NpdViewer\NpdViewer.app
c:\System\Apps\NSmlDMSync\NSmlDMSync.aif
c:\System\Apps\NSmlDMSync\NSmlDMSync.app
c:\System\Apps\NSmlDSSync\NSmlDSSync.aif
c:\System\Apps\NSmlDSSync\NSmlDSSync.app
c:\System\Apps\Phone\Phone.aif
c:\System\Apps\Phone\Phone.app
c:\System\Apps\Phonebook\Phonebook.aif
c:\System\Apps\Phonebook\Phonebook.app
c:\System\Apps\Pinboard\Pinboard.aif
c:\System\Apps\Pinboard\Pinboard.app
c:\System\Apps\PRESENCE\PRESENCE.aif
c:\System\Apps\PRESENCE\PRESENCE.APP
c:\System\Apps\ProfileApp\ProfileApp.aif
c:\System\Apps\ProfileApp\profileapp.app
c:\System\Apps\ProvisioningCx\ProvisioningCx.aif
c:\System\Apps\ProvisioningCx\ProvisioningCx.app
c:\System\Apps\PSLN\PSLN.aif
c:\System\Apps\PSLN\PSLN.app
c:\System\Apps\PushViewer\PushViewer.aif
c:\System\Apps\PushViewer\PushViewer.app
c:\System\Apps\Satui\Satui.aif
c:\System\Apps\Satui\Satui.app
c:\System\Apps\SchemeApp\SchemeApp.aif
c:\System\Apps\SchemeApp\SchemeApp.app
c:\System\Apps\ScreenSaver\ScreenSaver.aif
c:\System\Apps\ScreenSaver\ScreenSaver.app
c:\System\Apps\Sdn\Sdn.aif
c:\System\Apps\Sdn\Sdn.app
c:\System\Apps\SimDirectory\SimDirectory.aif
c:\System\Apps\SimDirectory\SimDirectory.app
c:\System\Apps\SmsEditor\SmsEditor.aif
c:\System\Apps\SmsEditor\SmsEditor.app
c:\System\Apps\SmsViewer\SmsViewer.aif
c:\System\Apps\SmsViewer\SmsViewer.app
c:\System\Apps\Speeddial\Speeddial.aif
c:\System\Apps\Speeddial\Speeddial.app
c:\System\Apps\Startup\Startup.aif
c:\System\Apps\Startup\Startup.app
c:\System\Apps\SysAp\SysAp.aif
c:\System\Apps\SysAp\SysAp.app
c:\System\Apps\ToDo\ToDo.aif
c:\System\Apps\ToDo\ToDo.app
c:\System\Apps\Ussd\Ussd.aif
c:\System\Apps\Ussd\Ussd.app
c:\System\Apps\VCommand\VCommand.aif
c:\System\Apps\VCommand\VCommand.app
c:\System\Apps\Vm\Vm.aif
c:\System\Apps\Vm\Vm.app
c:\System\Apps\Voicerecorder\Voicerecorder.aif
c:\System\Apps\Voicerecorder\Voicerecorder.app
c:\System\Apps\WALLETAVMGMT\WALLETAVMGMT.aif
c:\System\Apps\WALLETAVMGMT\WALLETAVMGMT.APP
c:\System\Apps\WALLETAVOTA\WALLETAVOTA.aif
c:\System\Apps\WALLETAVOTA\WALLETAVOTA.APP
c:\System\Libs\licencemanager20s.dll
c:\System\Libs\lmpro.r01
c:\System\Libs\lmpro.r02
c:\System\Libs\notification.cmd
c:\System\Libs\softwarecopier200.dll
c:\System\Libs\ZLIB.DLL

Skulls.B

Info

Skulls.B is a variant of the SymbOS/Skulls.A trojan, which has similar functionality to Skulls.A but uses different files.

Skulls.B is a malicious SIS file trojan that will replace the system applications with non-functional versions and drops the SymbOS/Cabir.B worm into the phone.

The Cabir dropped by Skulls.B does not activate automatically, but if the user goes to the Cabir icon in the phone menu and runs Cabir from there, Cabir.B will activate and try to infect other phones.

The original Skulls.B SIS file is named "Icons.SIS". Unlike Skulls.A, the Skulls.B variant does not show any pop-up messages during install (except the "Installation security warning - unable to verify supplier" message shown by the operating system).

Skulls.B replaces the standard application icons with a generic application icon instead of the skull and crossbones like Skulls.A did.

If Skulls.B is installed only calling from the phone and answering calls works. All functions which need some system application, such as SMS and MMS messaging, web browsing and the camera, no longer function. In addition to the applications being disabled, the phone is also infected with Cabir.B, which fortunately is not able to activate automatically.

If you have installed Skulls.B, the most important thing is not to reboot the phone and to follow the disinfection instructions in this description.

Disinfection

Same as for Skulls.A, but you need to delete a few more folders:

c:\system\apps\CamTimer\camtimer.app
c:\system\apps\CamTimer\camtimer.rsc
c:\system\apps\caribe\caribe.rsc
c:\system\apps\caribe\caribe.app
c:\system\apps\caribe\flo.mdl
c:\system\recogs\flo.mdl
c:\system\symbiansecuredata\caribesecuritymanager\caribe.app
c:\system\symbiansecuredata\caribesecuritymanager\caribe.rsc
c:\system\symbiansecuredata\caribesecuritymanager\camtimer.sis

Qdial.A

Info

This Trojan on a phone is a cracked version of the Mosquitos game, which runs on phones using the Symbian Series 60 Platform.

It is obtained by downloading a copy of the game from the Internet or through peer-to-peer networks.

It sends an SMS message to specific premium rate numbers and can charge affected users for the sent messages. Apparently, the affected numbers are from the United Kingdom (UK), Germany, Netherlands, and Switzerland regions only.

Unlike worms, it does not spread itself to other contacts in the phone.

Disinfection

Quit the Mosquitos game, then perform the uninstallation procedure of the program.

-------------------------------------------------------------------------------------
Malware file sizes:

Cabir.A - 14.7 KB
Cabir.B - 14.7 KB
Cabir.Bv2 - 9.63 KB
Cabir.C -
Cabir.D -
Cabir.E -
Cabir.Dropper -
Qdial.A - 137 KB
Skulls.A - 1.13 MB
Skulls.B - 775 KB


-------------------------------------------------------------------------------------
I will try to keep this thread up to date.
You can post anything related to malware in this thread, but posts asking for malware sharing will be deleted.
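As an added example (not part of the original post or of F-Secure's descriptions), here is a small triage helper that matches a file listing exported from a third-party file manager against the delete-lists given above for Cabir.A, Cabir.Dropper, Skulls.A and Skulls.B, so that the right disinfection list is chosen before anything is deleted. It assumes, as the delete-lists imply, that those paths on C: are present only on an infected phone; the listing and the subset of Skulls.A paths used are constructed for the example.

```python
"""Triage a Symbian S60 file listing against the dropped-file paths from the post above.

Symbian file names are case-insensitive (the Skulls.A list above spells the same
directories in several cases), so every path is normalised to lower case with
backslashes before comparison. Assumption: a listed path present on C: is an indicator.
"""
from __future__ import annotations

# Cabir.A delete-list from the post; the same list applies to Cabir.B-E.
CABIR_FILES = {
    r"c:\system\apps\caribe\caribe.rsc",
    r"c:\system\apps\caribe\caribe.app",
    r"c:\system\apps\caribe\flo.mdl",
    r"c:\system\recogs\flo.mdl",
    r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.app",
    r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.rsc",
}
# A subset of the Skulls.A replacement files (the post carries the full list).
SKULLS_A_FILES = {
    r"c:\system\apps\appmngr\appmngr.app",
    r"c:\system\apps\menu\menu.app",
    r"c:\system\apps\phone\phone.app",
    r"c:\system\libs\licencemanager20s.dll",
}
# Files that only Skulls.B adds on top of the Skulls.A set and Cabir.B.
SKULLS_B_EXTRA = {
    r"c:\system\apps\camtimer\camtimer.app",
    r"c:\system\apps\camtimer\camtimer.rsc",
    r"c:\system\symbiansecuredata\caribesecuritymanager\camtimer.sis",
}
# Cabir.Dropper's delete-list names directories; only [yuan] is specific to it,
# the others (btui, fexplorer, ...) are legitimate application directories.
CABIR_DROPPER_DIR = r"c:\system\apps\[yuan]" + "\\"


def normalise(path: str) -> str:
    """Lower-case, use backslashes, and assume drive C: if no drive letter is given."""
    p = path.strip().replace("/", "\\").lower()
    if len(p) < 2 or p[1] != ":":
        p = "c:" + (p if p.startswith("\\") else "\\" + p)
    return p


def triage(listing: list[str]) -> dict:
    """Return the most specific family the listing matches plus the paths to delete."""
    present = {normalise(p) for p in listing if p.strip()}
    cabir = sorted(present & CABIR_FILES)
    skulls_a = sorted(present & SKULLS_A_FILES)
    skulls_b = sorted(present & SKULLS_B_EXTRA)
    dropper = sorted(p for p in present if p.startswith(CABIR_DROPPER_DIR))
    # Most specific family first: Skulls.B also carries Cabir.B and the Skulls.A set,
    # and Cabir.Dropper installs several Cabir variants.
    if skulls_a and skulls_b:
        family = "Skulls.B"
    elif skulls_a:
        family = "Skulls.A"
    elif dropper:
        family = "Cabir.Dropper"
    elif cabir:
        family = "Cabir.A-E"
    else:
        family = None
    return {
        "family": family,
        # The post stresses that a Skulls-infected phone must not be rebooted first.
        "do_not_reboot": family in ("Skulls.A", "Skulls.B"),
        "delete": cabir + skulls_a + skulls_b + dropper,
    }


# Constructed listing of a phone hit by Skulls.B (not a real capture).
SAMPLE_LISTING = [
    r"C:\System\Apps\FExplorer\FExplorer.app",
    r"C:\System\Apps\AppMngr\Appmngr.app",
    r"C:\System\Apps\Menu\Menu.app",
    r"C:\System\Apps\CamTimer\camtimer.app",
    r"C:\System\Apps\caribe\caribe.app",
    r"C:\System\Apps\caribe\flo.mdl",
    r"C:\System\Recogs\flo.mdl",
    r"C:\System\SymbianSecureData\CaribeSecurityManager\camtimer.sis",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print(result["family"], "- do not reboot:", result["do_not_reboot"])
    for path in result["delete"]:
        print("  delete", path)
```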
 
neerajvohra (OP):
Cabir.H

Cabir.H is a Bluetooth-using worm that runs on Symbian mobile phones that support the Series 60 platform.

The Cabir.H variant is a recompiled version of the original Cabir, the main difference being that Cabir.H has a fixed replication routine and is capable of spreading faster than earlier variants.

Cabir.H replicates over Bluetooth connections and arrives in the phone messaging inbox as a velasco.sis file that contains the worm. When the user clicks velasco.sis and chooses to install it, the worm activates and starts looking for new devices to infect over Bluetooth.

When the Cabir worm finds another Bluetooth device it will start sending infected SIS files to it, as long as the target phone is in range. Unlike earlier variants of Cabir, Cabir.H is capable of finding a new target after the first one has gone out of range. Thus Cabir.H will most likely spread faster than previous variants, if ever found in the wild.

Cabir.I

Cabir.I is a minor variant of Cabir.H, being functionally identical to the Cabir.H variant, with the exception that the I variant is recompiled and uses a different binary.

Cabir.J

Cabir.J is a minor variant of Cabir.H, being functionally identical to the Cabir.H variant, with the exception that the I variant is recompiled and uses a different binary.
 
neerajvohra (OP):
Cabir.M

Cabir.M is a minor variant of Cabir.B; the only significant differences are that Cabir.M displays different text on the start dialog when the worm starts and that Cabir.M spreads as free$8.SIS instead of Cabir.SIS.

Cabir.M displays the text "free$8" while Cabir.B displays text that contains just "Caribe".

Skulls.D

Skulls.D is a malicious SIS file trojan that pretends to be the Macromedia Flash player for Symbian Series 60 devices.

[Image: www.f-secure.com/virus-info/v-pics/skulls_d_message.jpg]

Skulls.D drops the SymbOS/Cabir.M worm into the phone, disables system applications and third-party applications needed to disinfect it, and displays an animation that shows a flashing skull picture.

Unlike earlier Skulls versions, Skulls.D disables only a few phone system applications. The only system applications that are disabled are the ones that are needed in disinfecting it.

The third-party applications disabled by Skulls are ones that the user would need to disinfect his phone if it got infected by Skulls. However, for some reason Skulls.D copies the replacement files to the device memory card, thus disabling the tools only if the user has not installed them on the C: drive.

Skulls.D tries to disable F-Secure Mobile Anti-Virus by replacing its files with non-functional versions. However, as F-Secure Mobile Anti-Virus is capable of detecting the Cabir.M contained by Skulls using generic detection, the Anti-Virus will detect the infected SIS file and prevent it from being installed, provided that the Anti-Virus is in realtime scan mode, as it is by default.

The Cabir.M worm dropped by Skulls.D is already detected with generic detection as Cabir.Gen. So Skulls.D is already detected and stopped without need for an updated Anti-Virus database.

The Cabir.M dropped by Skulls.C does not activate automatically, but will activate on reboot.

Skulls.D does also drop another application that will activate on device reboot; this application displays an animation of a flashing skull picture in the background, no matter what application the user is trying to use.

[Image: www.f-secure.com/virus-info/v-pics/skulls_d_skull_blink.jpg]
 
neerajvohra (OP):
Lasco.A

Lasco.A is a Bluetooth-using worm that runs on Symbian mobile phones that support the Series 60 platform.

Lasco.A is based on the same source as Cabir.H and is very similar to it. The main difference between Cabir.H and Lasco.A is that in addition to spreading over Bluetooth, Lasco.A will insert itself into any SIS files it finds on the device.

Lasco.A replicates over Bluetooth connections and arrives in the phone messaging inbox as a velasco.sis file that contains the worm. When the user clicks velasco.sis and chooses to install it, the worm activates and starts looking for new devices to infect over Bluetooth.

When the Lasco worm finds another Bluetooth device it will start sending infected SIS files to it, as long as the target phone is in range. Like Cabir.H, Lasco.A is capable of finding a new target after the first one has gone out of range.

Replication

Lasco.A replicates over Bluetooth in a velasco.sis file that contains the worm main executable velasco.app, the system recognizer marcos.mdl and the resource file velasco.rsc. The SIS file contains autostart settings that will automatically execute velasco.app after the SIS file has been installed.

The velasco.sis file will not arrive automatically on the target device, so the user needs to answer yes to the transfer question while the infected device is still in range.

When the Lasco.A worm is activated it will start looking for other Bluetooth devices, and starts sending infected velasco.sis files to the first device it finds. After the first target phone is out of range, Lasco.A will continue searching for and infecting other phones.

This modification in the replication mechanism will make it more likely that Lasco.A will spread quickly once in the wild.

Infection

When the velasco.sis file is installed the installer will copy the worm executables into the following locations:
c:\system\apps\velasco\velasco.rsc
c:\system\apps\velasco\velasco.app
c:\system\apps\velasco\flo.mdl

When velasco.app is executed it copies the following files:
flo.mdl to c:\system\recogs
velasco.app to c:\system\symbiansecuredata\velasco\
caribe.rsc to c:\system\symbiansecuredata\velasco\

This is most likely done in case the user installs the application to a memory card, or to avoid the user trying to disinfect the worm by uninstalling the original SIS file.

Then the worm will recreate the velasco.sis file from the worm component files and data blocks that are in velasco.app.

After recreating the SIS file, Lasco.A will search for all SIS files on the device, add itself to those files and modify the SIS file header so that the Lasco.A embedded in the target SIS files will activate automatically upon install of that SIS file on the device.
 
neerajvohra (OP):
CommWarrior.A

Security experts have reported that they are analysing what is believed to be the first mobile phone virus able to replicate via Multimedia Messaging Service (MMS).

The malicious code, dubbed CommWarrior, runs on the Symbian Series 60 smartphone operating system and can spread using multimedia messages that include an image, audio or video which is sent from one phone to another or by email.

"Phone viruses so far have been spreading over Bluetooth, so they only affect phones that are within a few metres. A MMS virus can potentially go global in minutes, just like an email worm," warned F-Secure's antivirus laboratory.

F-Secure said that it will post more detailed analysis on CommWarrior after investigating the code more closely.

This virus is still under analysis. We've seen two different versions so far.

The virus drops these files:


\system\apps\CommWarrior\commwarrior.exe
\system\apps\CommWarrior\commrec.mdl


\system\updates\commrec.mdl
\system\updates\commwarrior.exe
\system\updates\commw.sis

It contains these texts:


CommWarrior v1.0 (c) 2005 by e10d0r
OTMOP03KAM HET!

The text "OTMOP03KAM HET!" is Russian and means roughly "No to braindeads".

The problem with this virus can be even worse, because the installation file can be found really easily on the Internet, as the author, so-called "e10d0r", even made a website for this malware.
 
neerajvohra (OP):
Locknut.B

Locknut.B is a malicious SIS file trojan that pretends to be a patch for Symbian Series 60 mobile phones.

When installed, Locknut.B drops a binary that will crash a critical system component, which will prevent any application from being launched on the phone, thus effectively locking the phone.

Locknut.B will also drop a copy of Cabir.V onto the device, but it will not start automatically, and it is harmless anyway, as Locknut.B kills all applications on the infected phone, including the Cabir.V that is installed from the same SIS file.

Even if Locknut.B is disinfected the Cabir.V still won't start, as it is installed into the wrong directory on the infected phone.

If the user starts Cabir.V manually after disinfecting Locknut, the Cabir.B will spread as pure Cabir.V and will not transfer Locknut.B to other devices.

Detailed Description

Installation to system

Locknut.B is a SIS file that crashes a critical system ROM binary with a non-functional stub file. When the Locknut.B SIS file is installed, the files will be installed into the following locations:
c:\system\apps\gavnor\gavnor.app
c:\system\apps\gavnor\gavnor.rsc
c:\system\apps\gavnoreturn\flo.mdl
c:\system\apps\gavnoreturn\gavnoreturn.app
c:\system\apps\gavnoreturn\gavnoreturn.rsc
c:\system\apps\gavnoreturn\gavnoreturn_caption.rsc

Some of the files dropped by Gavno contain texts, intended as messages from the trojan author.

Spreading in MMFpatch.sis

Payload

Locknut.B drops a corrupted binary file that will cause a crash in a critical operating system component. Locknut.B also drops Cabir.V, which does not start on the phone unless executed on purpose after disinfection.


Drever.A

Drever.A is a malicious SIS file trojan that disables the automatic startup of the Simworks and Kaspersky Symbian Anti-Virus software. Currently it is still unverified whether either of these products has protection against such attacks.

Drever.A does not affect F-Secure Mobile Anti-Virus.

Disinfection

Drever.A can be disinfected easily by using F-Secure Mobile Anti-Virus, available from www.f-secure.com/estore/avmobile.shtml

Or you can remove it by uninstalling the Drever SIS file with the application manager:

1. Open the application manager

2. Uninstall antivirus.sis; if your menu shows several applications with that filename, choose the one that has the smallest size

3. Re-install your Anti-Virus

Spreading in Anti-Virus.sis

Payload

Drever.A drops non-functional copies of the bootloaders used by Simworks Anti-Virus and Kaspersky Symbian Anti-Virus. These non-functional copies overwrite the original files, causing the target software not to load automatically when the phone boots.
 
neerajvohra (OP):
Mabir.A

Mabir is a worm that operates on Symbian Series 60 devices; the Mabir worm is capable of spreading both over Bluetooth and MMS messages.

When Mabir.A infects a phone it will start searching for other phones that it can reach over Bluetooth and send infected SIS files to the phones it finds.

The SIS files that Mabir.A sends always have the same file name, "caribe.sis". Please note that while Mabir.A uses the same SIS file name as the original Cabir worms, it is a different worm from Cabir.

In addition to spreading over Bluetooth, Mabir.A will also listen for any MMS or SMS messages that arrive at the infected phone, and respond to those messages with an MMS message that contains Mabir as "info.sis".

The MMS messages that Mabir sends do not contain any text message, only the info.sis file.

MMS messages are multimedia messages that can be sent between Symbian phones and other phones that support MMS messaging. As the name says, MMS messages are intended to contain only media content, such as pictures, audio or video, but they can contain anything, including infected Symbian installation files.

Replication over bluetooth

Mabir replicates over Bluetooth in SIS files that are always named caribe.sis; the SIS file contains the worm component files caribe.app, caribe.rsc and flo.mdl.

The SIS file contains autostart settings that will automatically execute caribe.app after the SIS file has been installed, thus starting the worm.

When the Mabir worm is activated it will start looking for other Bluetooth devices, and start sending itself to the first phone it finds. If the target phone goes out of range or rejects the file transfer, it will still try to send messages to the same phone.

Replication over MMS

Mabir replicates over MMS by sending MMS messages that contain the infected SIS file to other users. The MMS messages contain the Mabir SIS file with the filename info.sis.

The MMS sending is triggered by an MMS or SMS message that arrives at the phone, causing Mabir to send itself as an MMS message to the number from which the message arrived. Thus Mabir tries to fool the receiver into thinking it has been sent as a reply to the message that the user sent to the infected phone.

The Mabir worm does not use any texts in the MMS messages it sends.

Infection

When the Mabir SIS file is installed the installer will copy the worm executables into the following locations:

\system\apps\Caribe\Caribe.app
\system\apps\Caribe\Caribe.rsc
\system\apps\Caribe\flo.mdl

When Mabir.exe is executed it copies the following files:

\system\symbiansecuredata\caribesecuritymanager\Caribe.app
\system\symbiansecuredata\caribesecuritymanager\Caribe.rsc

and rebuilds its SIS file to:

\system\symbiansecuredata\caribesecuritymanager\Info.sis

After recreating the SIS file the worm starts to look for all visible Bluetooth devices and starts waiting for arriving SMS or MMS messages.
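The MMS reply behaviour described in this post is something a phone's message log can be checked for. The following is an added example, not code from the post or from F-Secure: it scans a constructed, hypothetical message log (one event per line, format assumed as in SAMPLE_LOG) and flags outbound MMS events that carry a .sis attachment with no text to a number that had just sent a message in, which is exactly the Mabir.A pattern described above.

```python
"""Flag the Mabir.A MMS reply pattern in a phone message log.

The post says Mabir.A answers every incoming SMS or MMS with a text-less MMS carrying
info.sis back to the sender. The log format below is an assumption made for this
example; adapt LINE_RE to whatever export the phone or operator actually provides.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Hypothetical log format: "<timestamp> <IN|OUT> <SMS|MMS> <number> [text="..."] [att=<file>]"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<dir>IN|OUT) (?P<kind>SMS|MMS) '
    r'(?P<peer>\+\d+)(?: text="(?P<text>[^"]*)")?(?: att=(?P<att>\S+))?$'
)


def parse(line: str) -> dict | None:
    """Parse one log line; lines that do not fit the format are ignored."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def find_mabir_replies(log_lines, window: timedelta = timedelta(minutes=5)):
    """Return (timestamp, peer, attachment) for each outbound MMS matching the pattern."""
    last_inbound: dict[str, datetime] = {}  # peer number -> latest inbound message time
    hits = []
    for ev in filter(None, map(parse, log_lines)):
        if ev["dir"] == "IN":
            last_inbound[ev["peer"]] = ev["ts"]
            continue
        att = (ev["att"] or "").lower()
        # Mabir's reply: an MMS, a SIS attachment, and no message text at all.
        if ev["kind"] != "MMS" or not att.endswith(".sis") or ev["text"]:
            continue
        seen = last_inbound.get(ev["peer"])
        if seen is not None and timedelta(0) <= ev["ts"] - seen <= window:
            hits.append((ev["ts"], ev["peer"], att))
    return hits


# Constructed sample log; numbers and times are made up.
SAMPLE_LOG = """\
2005-04-04 09:12:00 IN SMS +358401111111 text="hi, lunch?"
2005-04-04 09:12:04 OUT MMS +358401111111 att=info.sis
2005-04-04 09:30:10 OUT MMS +358402222222 text="holiday pic" att=beach.jpg
2005-04-04 10:05:30 IN MMS +358403333333 att=party.3gp
2005-04-04 10:05:33 OUT MMS +358403333333 att=info.sis
2005-04-04 11:00:00 OUT MMS +358404444444 text="try this" att=game.sis
"""

if __name__ == "__main__":
    for ts, peer, att in find_mabir_replies(SAMPLE_LOG.splitlines()):
        print(f"{ts} suspicious MMS to {peer} carrying {att}")
```

The last sample line (a SIS file sent with text and without a preceding inbound message) is deliberately not flagged, so a user sharing an installer by hand does not trip the check.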
 
neerajvohra (OP):
Fontal.A

Fontal.A is a SIS file trojan that installs a corrupted font file into the infected device, thus causing the device to fail at the next reboot.

If a phone is infected with Fontal.A, it must not be rebooted, as the trojan will prevent the phone from booting again. If the phone is rebooted, it will try to boot, but will be forever stuck on phone startup and cannot be used.

In addition to installing the corrupted font file, Fontal.A also damages the application manager so that it cannot be uninstalled, and no new applications can be installed before the phone is disinfected.

Disinfection

F-Secure Mobile Anti-Virus will detect Fontal.A and delete the trojan components.

1. Open the web browser on the phone
2. Go to mobile.f-secure.com
3. Select the link "Download F-Secure Mobile Anti-Virus" and then select the phone model
4. Download the file and select open after download
5. Install F-Secure Mobile Anti-Virus
6. Go to the applications menu and start Anti-Virus
7. Activate Anti-Virus and scan all files

After disinfecting your phone, you can remove the remaining empty directories by going to the application manager and uninstalling the SIS file in which Comwarrior arrived (Kill Saddam By OID500.sis)

Manual disinfection

1. Install file manager on the phone
2. Go to c:\System\apps\appmngr
3. Delete appmngr.app
4. Go to the application manager
5. Uninstall the SIS file in which the Fontal.A was installed in

Spreading in Kill Saddam By OID500.sis

Infection

When the Fontal.A SIS file is installed the installer copies files into the following locations:

\system\apps\appmngr\appmngr.app
\system\apps\kill sadam\kill sadam.app
\system\apps\fonts\kill sadam font.gdr

The appmngr.app is a non-functional file that disables the application manager; the kill sadam.app is a hex-edited utility that has been modified to show the text "reboot", and has no other significant function for the trojan.
 

digen:
Mate, your intentions are great & I hope everyone appreciates it, but every single piece of info has been taken from somewhere else [I believe it's the F-Secure blog]
& I want you to either include the link everywhere or a single bold link at the very start if it's from a single source.
 