
Discussion Board

  1. #1
    Registered User
    Join Date
    Jul 2007
    Location
    india
    Posts
    19

    Mobile Virus Info and Solution

    Mobile Virus Info and Solution

    --------------------------------------------------------------------------------

    Guys, I am starting a new thread, "Mobile Virus Information and Solution". This thread applies to all cell phones that fall under the S60 series or have Symbian OS installed.

    Hoping that this will help in getting rid of nasty programs which make a cell phone behave abnormally.

  2. #2
    Registered User
    Join Date
    Jul 2007
    Location
    india
    Posts
    19


    First of all, let me give information on programs not to be installed on your cell phones. Here it goes:

    Mosquitos cracked By Soddom.sis
    Mosquitos cracked By Soddom v2.0.sis
    Camtimer.sis
    Crazy!.sis
    [YUAN).sis
    22207-.sis
    Guan4u.sis
    Fuynuan.sis
    ILoveU.sis
    Mytti.sis
    Ni&Ai.sis
    -Sexy-.sis
    Mobile.sis
    Norton Antivirus 2004 Professional.sis
    Extended Theme Manger.sis
    Icons.sis
    Caride2005.sis
    F-cabir.sis(It`s maybe a virus renamed)


    And here some Java virus:
    Java.BeanHive
    Java.BackOrifice
    Java.MinThread
    Java.NoCheat
    Java.StartPage
    JavaApp.Strange Brew

    DO NOT INSTALL ANY APP WITH THE NAMES LISTED, BECAUSE ALL OF THESE ARE VIRUSES!!!

  3. #3
    Registered User
    Join Date
    Jul 2007
    Location
    india
    Posts
    19


    Symbian anti-virus specialist SimWorks announced that it has identified 52 previously unknown trojans for the Symbian platform, more than all of the trojans and other malware for Symbian based devices combined identified to date. The trojans appear to be ******* versions of popular Symbian applications such as BitStorm, BugMe!, Cosmic Fighter, 3D Motoracer and SplashID. In addition to the installation files for the application itself, the files also include various versions of previously known malware such as Cabir and Locknut. SimWorks CEO Aaron Davidson says “This is a significant development as until now we've usually found mobile trojans two or three at a time at the most. It would be easy for a malware writer to create 1 trojan and give it 52 different names however this is not the case here where we have 52 separately ******* and infected applications. Somebody has gone to an awful lot of time and effort to turn these out”.
    “Previous mobile viruses have either been able to spread but cause no harm, or alternatively have been able to cause significant harm but not been able to spread. It may be that producing large numbers of harmful trojans such as those we discovered today is a reaction by the writers to their inability to produce destructive viruses that can effectively spread. Obviously by producing large numbers of these things you greatly improve the odds of someone actually downloading and installing them”. SimWorks has yet to receive any reports of the 52 trojans identified today in the wild. “Until reports are received of these trojans in the wild there is little risk to end users” says Davidson. “From all appearances however these are ready to release now and putting all 52 onto a single site would make downloading from it like playing Russian roulette with your phone. Every other file could contain something that could cause your phone to be corrupted requiring a factory reset or worse and the loss of all your contacts and other data”.

    All of the trojans identified are targeted at Series 60 phones using Symbian OS v6.1 or newer, such as the Nokia 3650, 6600 and 6630. None of the trojans affect UIQ based Symbian phones such as the popular SonyEricsson P900/910 and Motorola A925/1000. SimWorks advises that mobile phone users take the usual precautions, including never accepting files from people they do not know and never downloading applications from unknown sources and ***** sites. [A complete list of the infected files identified is attached at the end of this press release].

    About SimWorks

    SimWorks is a Symbian anti-virus specialist and a leading developer of innovative mobile applications for the Symbian platform. SimWorks' product portfolio presently comprises SimWorks Anti-Virus and its Subscriber Data Management System (a phone synchronisation and social networking application). SimWorks Anti-Virus is presently one of the best recognised anti-virus applications for Symbian UIQ and Series 60 based mobile phones. SimWorks was the first vendor to release an anti-virus product for UIQ phones and remains one of the few vendors to support both the UIQ and Series 60 platforms.


    Uiq Simworks Anti-Virus
    Series 60 Simworks Anti-Virus

    Further information on SimWorks Anti-Virus, phone backup, social networking and directory service applications is available at www.simworks.biz.
    For further information contact:
    Aaron Davidson
    Chief Executive Officer
    SimWorks International
    Tel: +649 296 6290 or +64 21 557 600

    Web: www.simworks.biz

    Details of infected files identified:
    2005-04-18 22:51 92412 91040 3D_miniGolf[1].1.01*****.sis
    2005-04-18 22:59 123211 120656 6630-SnapShot2[1].03.sis
    2005-04-18 22:58 65020 63584 6630-VideoEditor210.sis
    2005-04-18 22:44 82563 81040 Auto Pilot3[1].01full.sis
    2005-04-18 22:56 92382 89392 Big-2 by__dotSiS.sis
    2005-04-18 22:57 78955 77840 BitStorm_full1[1].0-XiMpda.sis
    2005-04-18 22:57 82055 78784 Blocks_Full*****.sis
    2005-04-18 22:46 211381 210592 bluster III Full.sis
    2005-04-18 22:43 197290 193712 BounceMP3_[1]NEW.sis
    2005-04-18 22:58 69904 68224 BugMe1[1].23_Full_Dotsis.sis
    2005-04-18 22:57 92313 91280 callcheater3[1].01-XiMpda.sis
    2005-04-18 22:56 79253 77616 Chinese Star1[1].01*****.sis
    2005-04-18 22:45 192439 190256 ControlFreak2[1].0_Full.sis
    2005-04-18 22:53 107010 106192 CosmicFighter3[1].0.sis
    2005-04-18 22:56 92456 87328 CosmicFighter_*****.sis
    2005-04-18 22:52 107524 106640 Digital Red Bowling.sis
    2005-04-18 22:47 186005 179984 DVD-to-NOKIA-6670.sis
    2005-04-18 22:50 80973 80032 DVDPlayer2[1].01_Full*****.sis
    2005-04-18 22:56 90520 85872 FaceWave5[1].0_dotSiS.sis
    2005-04-18 22:57 70084 69296 FlashLite[1].v1.1full*****.sis
    2005-04-18 22:51 82469 80912 FreeCall_1[1].01-XiMpda.sis
    2005-04-18 22:50 82352 80016 Fscaller5[1].01_Full_dotSiS.sis
    2005-04-18 22:44 70868 69136 Funny Drawer2[1].00_Full.sis
    2005-04-18 22:57 72303 70864 gina-v1[1].1full*****.sis
    2005-04-18 22:55 82590 81488 HeliAttac101_Full_dotSiS.sis
    2005-04-18 22:56 69410 68976 ImagePlus2[1].15_Full.sis
    2005-04-18 22:55 253882 250960 Mahjong2[1].34.sis
    2005-04-18 22:56 108969 105440 Mahjong301_Full_QmzXiz.sis
    2005-04-18 22:49 77807 77088 matefinder_1[1].01-XiMpda.sis
    2005-04-18 22:46 75691 74704 MessageStorer_*****.sis
    2005-04-18 22:55 83206 79104 MotoRacer_Full.sis
    2005-04-18 22:42 241210 240672 Mumsms4[1].01_XimPDA.sis
    2005-04-18 22:46 75007 73552 pocketdictionary_V1.sis
    2005-04-18 22:54 83551 80912 PowerGprs_3[1].01-dotSis.sis
    2005-04-18 22:47 72056 68928 Quicksheet_*******_S60.sis
    2005-04-18 22:53 253912 252160 RubiksCube1[1].19*****.sis
    2005-04-18 22:42 185078 184608 Smart Movie263 S60[6630].sis
    2005-04-18 22:47 69654 68832 SmartLauncher2[1].06s70.sis
    2005-04-18 22:47 69654 68832 SmartLauncher2[2].06s70.sis
    2005-04-18 22:54 89926 86976 Snowboard_Full*****.sis
    2005-04-18 22:44 254405 253664 Sony_Camcoder Pro_S60.sis
    2005-04-18 22:48 72010 71376 SplashID_4[1].13_S60.sis
    2005-04-18 22:48 69406 68752 Super Anti Virus 1[1].0 .sis
    2005-04-18 22:50 82176 80752 SuperMario3_Full*****.sis
    2005-04-18 22:50 79329 78528 SuperMovie1[1].0_dotSiS.sis
    2005-04-18 22:49 82795 81872 SuperMP31[1].0_dotSiS.sis
    2005-04-18 22:49 86599 84912 supperNes_1[1].0_Beta_dotSiS.sis
    2005-04-18 22:54 80253 79264 vBoy[1].v2.0.S60.oWnPDA.sis
    2005-04-18 22:49 85969 84832 VNes[1].v2.0-XiMpda.sis
    2005-04-18 22:49 97528 96960 XCaller_Full*****.sis
    2005-04-18 22:44 76269 74128 Yellow_YFtpC_2[1].33_SymTEE.sis
    2005-04-18 22:48 92329 89952 ZipMan_full2[1].0-XiMpda.sis
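The two lists above (the plain file names in post #2 and the SimWorks listing with dates and sizes in post #3) are only useful to a defender once they are machine-readable. The following is an added example, not code from the thread, from SimWorks or from any vendor: it parses both list formats into one blocklist, normalises names the way a download manager mangles them, and screens candidate files by name and, where the listing gives one, by size. The excerpts embedded here are constructed subsets of the posted lists; the meaning of the two size columns in the SimWorks listing is not stated in the post, so both are kept and either may match, and stripping `[1]`-style suffixes is an assumption about how the names were saved.

```python
"""Added example (not part of the forum thread or of SimWorks' tooling):
build a blocklist from the two indicator lists posted above and screen
candidate .sis files against it.

Assumptions, repeated in the comments:
  * SimWorks listing lines read "date time <size1> <size2> <name>"; the
    post does not say what the two sizes are, so both are kept.
  * "[n]" download-manager suffixes are dropped before matching, on the
    assumption that "foo[1].sis" and "foo.sis" are the same file.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the name list from post #2 (not the full list).
NAME_LIST = """\
Mosquitos cracked By Soddom.sis
Camtimer.sis
Crazy!.sis
Icons.sis
F-cabir.sis(It`s maybe a virus renamed)
"""

# Constructed excerpt of the SimWorks listing from post #3 (not the full list).
SIMWORKS_LISTING = """\
2005-04-18 22:51 92412 91040 3D_miniGolf[1].1.01*****.sis
2005-04-18 22:57 78955 77840 BitStorm_full1[1].0-XiMpda.sis
2005-04-18 22:48 69406 68752 Super Anti Virus 1[1].0 .sis
"""

# "date time size1 size2 name"; the name may itself contain spaces.
LISTING_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size1>\d+) (?P<size2>\d+) (?P<name>.+?)\s*$"
)


@dataclass(frozen=True)
class Indicator:
    name: str           # normalised file name
    sizes: frozenset    # known sizes in bytes; empty when the source gives none


def normalise(name: str) -> str:
    """Canonical form used for matching: drop a trailing "(note)", drop "[n]"
    download suffixes, collapse whitespace, glue a detached ".sis", lower-case."""
    name = re.sub(r"\(.*?\)\s*$", "", name)      # "F-cabir.sis(It`s maybe ...)" -> "F-cabir.sis"
    name = re.sub(r"\[\d+\]", "", name)          # "foo[1].sis" -> "foo.sis" (assumption)
    name = re.sub(r"\s+", " ", name).strip()
    name = re.sub(r"\s+\.sis$", ".sis", name, flags=re.IGNORECASE)
    return name.lower()


def parse_name_list(text: str) -> dict:
    """One file name per line; no sizes available."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            key = normalise(line)
            out[key] = Indicator(key, frozenset())
    return out


def parse_simworks_listing(text: str) -> dict:
    """Lines in the SimWorks "date time size size name" format."""
    out = {}
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue                              # skip anything that is not a listing line
        key = normalise(m["name"])
        sizes = frozenset({int(m["size1"]), int(m["size2"])})
        if key in out:                            # merge repeated names (e.g. SmartLauncher [1]/[2])
            sizes |= out[key].sizes
        out[key] = Indicator(key, sizes)
    return out


def build_blocklist() -> dict:
    blocklist = parse_name_list(NAME_LIST)
    blocklist.update(parse_simworks_listing(SIMWORKS_LISTING))
    return blocklist


def screen(candidates, blocklist: dict) -> list:
    """candidates: iterable of (file name, size in bytes or None).
    Returns [(name, verdict)], verdict in {"name+size", "name-only", "clean"}."""
    results = []
    for name, size in candidates:
        ind = blocklist.get(normalise(name))
        if ind is None:
            verdict = "clean"
        elif size is not None and size in ind.sizes:
            verdict = "name+size"                 # name and a listed size agree: strongest signal
        else:
            verdict = "name-only"                 # name matches; size unknown or differs
        results.append((name, verdict))
    return results


if __name__ == "__main__":
    bl = build_blocklist()
    sample = [("ICONS.SIS", 1234), ("BitStorm_full1[2].0-XiMpda.sis", 78955), ("hello.sis", 10)]
    for name, verdict in screen(sample, bl):
        print(f"{verdict:10s} {name}")
```

A name-only hit on a generic name such as `Icons.sis` or `Mobile.sis` is a prompt to look closer, not a verdict; the size match is what lifts a SimWorks entry to a confident detection, since a renamed clean file would not also carry the listed size.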

  4. #4
    Registered User
    Join Date
    Jul 2007
    Location
    india
    Posts
    19


    NAME: Locknut.A
    ALIAS: SymbOS/Locknut.A, Gavno.A, Gavno.B

    Summary

    Locknut.A is a malicious SIS file trojan that pretends to be a patch for Symbian Series 60 mobile phones.

    When installed, Locknut.A drops binaries that crash a critical system component, which prevents any application from being launched on the phone, thus effectively locking the phone.

    There are also claims that Locknut would disable calling functionality, so that the user couldn't make calls with an infected phone. But we could not reproduce this effect with any phones we have.

    Also, Locknut.A will only work on devices that have Symbian OS 7.0S or newer; devices that use Symbian OS 6.0 or 6.1 are unaffected.

    Some AV companies call this trojan Gavno, but since this word is a rather vulgar term in Russian, the AV community has decided to rename it Locknut.

    There are also versions of Locknut that include Cabir.B in the same SIS file, which some companies call Gavno.B. But since the actual trojan functionality is totally identical to Locknut.A, we call both samples Locknut.A.

    The Cabir.B included in the Locknut.A samples is harmless, as Locknut kills all applications on the infected phone, including the Cabir.B that is installed from the same SIS file.

    Even if Locknut.B is disinfected, the Cabir.B still won't start, as it is installed into the wrong directory on the infected phone.

    If the user starts Cabir.B manually after disinfecting Locknut, the Cabir.B will spread as pure Cabir.B and will not transfer Locknut.A to other devices.

    Installation to system

    Locknut.A is a SIS file that crashes a critical system ROM binary with a non-functional stub file. When the Locknut.A SIS file is installed, the files will be installed into the following locations:
    c:\system\apps\gavno\gavno.app
    c:\system\apps\gavno\gavno.rsc
    c:\system\apps\gavno\gavno_caption.rsc

    The Locknut SIS will also contain a copy of itself that is copied into the C:\ directory.

    Spreading in: patch_v1.sis and patch_v2.sis

    Payload: Both versions of Locknut.A replace a critical system binary, and patch_v2.sis will also drop Cabir.B, which will not be able to start on the phone.

  6. #6
    Registered User
    Join Date
    Jul 2007
    Location
    india
    Posts
    19

    Re: Mobile Virus Info and Solution

    NAME: Skulls.A
    ALIAS: SymbOS/Skulls, Skulls trojan, extended theme trojan

    Summary

    Skulls is a malicious SIS file trojan that replaces the system applications with non-functional versions, so that all but the phone functionality is disabled.

    The Skulls SIS file is named "Extended theme.SIS"; it claims to be a theme manager for the Nokia 7610 smart phone, written by "Tee-222".

    If Skulls is installed, it causes all application icons to be replaced with a picture of a skull and crossbones, and the icons no longer refer to the actual applications, so none of the phone's system applications will be able to start.

    This basically means that if Skulls is installed, only calling from the phone and answering calls works. All functions which need some system application, such as SMS and MMS messaging, web browsing and the camera, no longer function.

    If you have installed Skulls, the most important thing is not to reboot the phone, and to follow the disinfection instructions in this description.

    Installation to system

    The Skulls SIS file does not contain any malicious code as such; it is just a Symbian installation file that installs critical system ROM binaries onto the C: drive with exactly the same names and locations as on the ROM drive.

    The Symbian operating system has a feature which causes any file on the C: drive to replace a file on the ROM drive with an identical name and location.

    The application files installed by Skulls are normal Symbian OS files extracted from the phone ROM. The malicious part is in the AIF (Application Info and icon) file which comes with the applications. Instead of the correct AIF file, the Skulls SIS installs an AIF file that has a skull and crossbones as its icon and, instead of pointing to the real application, points to nowhere.

    Spreading in: Extended theme.sis

    Payload: Replaces built-in applications with non-functional ones

  7. #7
    Registered User
    Join Date
    Jul 2007
    Location
    india
    Posts
    19

    Re: Mobile Virus Info and Solution

    NAME: Skulls.B
    ALIAS: SymbOS/Skulls.B

    Summary

    Skulls.B is a variant of the SymbOS/Skulls.A trojan, which has similar functionality to Skulls.A but uses different files.

    Skulls.B is a malicious SIS file trojan that replaces the system applications with non-functional versions and drops the SymbOS/Cabir.B worm into the phone.

    The Cabir dropped by Skulls.B does not activate automatically, but if the user goes to the Cabir icon in the phone menu and runs Cabir from there, Cabir.B will activate and try to infect other phones.

    The original Skulls.B SIS file is named "Icons.SIS". Unlike Skulls.A, the Skulls.B variant does not show any pop-up messages during install (except the "Installation security warning - unable to verify supplier" message shown by the operating system).

    Skulls.B replaces the standard application icons with a generic application icon instead of the skull and crossbones that Skulls.A used.

    If Skulls.B is installed, only calling from the phone and answering calls works. All functions which need some system application, such as SMS and MMS messaging, web browsing and the camera, no longer function. In addition to applications being disabled, the phone is also infected with Cabir.B, which, fortunately, is not able to activate automatically.

    If you have installed Skulls.B, the most important thing is not to reboot the phone, and to follow the disinfection instructions in this description.

    Installation to system

    Like Skulls.A, Skulls.B is a SIS file that installs critical system ROM binaries and the Cabir.B worm onto the C: drive. The system ROM files are installed with exactly the same names and locations as on the ROM drive.

    The Symbian operating system has a feature which causes any file on the C: drive to replace a file on the ROM drive with an identical name and location.

    Unlike Skulls.A, Skulls.B also installs files other than just Symbian ROM files: the list of installed files includes the Camtimer camera timer application from Nokia and the Cabir.B worm binaries.

    Spreading in: Icons.sis

    Payload: Replaces built-in applications with non-functional ones and installs the Cabir.B worm.

  8. #8
    Registered User
    Join Date
    Jul 2007
    Location
    india
    Posts
    19

    Re: Mobile Virus Info and Solution

    NAME: Skulls.D
    ALIAS: SymbOS/Skulls.D

    Summary

    Skulls.D is a malicious SIS file trojan that pretends to be a Macromedia Flash player for Symbian Series 60 devices.

    Skulls.D drops the SymbOS/Cabir.M worm into the phone, disables system applications and the third-party applications needed to disinfect it, and displays an animation that shows a flashing skull picture.

    Unlike earlier Skulls versions, Skulls.D disables only a few phone system applications. The only system applications that are disabled are the ones that are needed to disinfect it.

    The third-party applications disabled by Skulls are the ones that a user would need to disinfect his phone if it got infected by Skulls. However, for some reason Skulls.D copies the replacement files to the device memory card, thus disabling the tools only if the user has not installed them on the C: drive.

    Skulls.D tries to disable F-Secure Mobile Anti-Virus by replacing its files with non-functional versions. However, as F-Secure Mobile Anti-Virus is capable of detecting the Cabir.M contained in Skulls using generic detection, the Anti-Virus will detect the infected SIS file and prevent it from being installed, provided that the Anti-Virus is in real-time scan mode, as it is by default.

    The Cabir.M worm dropped by Skulls.D is already detected with generic detection as Cabir.Gen. So Skulls.D is already detected and stopped without the need for an updated Anti-Virus database.

    The Cabir.M dropped by Skulls.C does not activate automatically, but will activate on reboot.

    Skulls.D also drops another application that will activate on device reboot; this application displays an animation of a flashing skull picture in the background, no matter what application the user is trying to use.

    If you have installed Skulls.D, the most important thing is not to reboot the phone.

    Installation to system

    Skulls.D is a SIS file that replaces system ROM binaries related to application uninstall and Bluetooth control, drops Cabir.M and other applications into the system, disables third-party file managers and tries to disable F-Secure Mobile Anti-Virus.

    Spreading in: Flash_1[1].1_Full_DotSiS.sis

    Payload: Replaces built-in and third-party applications with non-functional ones, installs the Cabir.M worm and starts an animation that shows a flashing skull picture.
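The Locknut, Skulls.A, Skulls.B and Skulls.D descriptions above all depend on the same Symbian behaviour: a file on C: with the same path as a ROM (Z:) file takes precedence over the ROM copy, so dropping a stub `.app` or a broken `.aif` under `c:\system\apps\...` disables the built-in application. That behaviour gives a defender a simple inventory check. The script below is an added example, not code from the thread or from F-Secure or SimWorks: given a listing of a phone's C: drive and a ROM manifest, it reports every C: file that shadows a ROM path, every file under a directory the descriptions name as a dropper location, and any recogniser module under `c:\system\recogs` (the autostart mechanism the Cabir posts describe). Both listings embedded here are constructed for the example; the ROM manifest is not a real Nokia ROM image listing, and the dropper directories are those named in this thread.

```python
"""Added example (not part of the forum thread or of any vendor's product):
flag files on a Symbian phone's C: drive that shadow ROM (Z:) files or sit
in directories the thread identifies as dropper locations.

Assumptions: the two listings below are constructed for this example, and
the ROM manifest is not taken from a real phone image. Symbian paths are
case-insensitive, so comparison is done on lower-cased paths.
"""
import ntpath
from dataclasses import dataclass

# Constructed ROM manifest: paths of built-in applications on Z: (not a real ROM listing).
ROM_MANIFEST = [
    r"z:\system\apps\appmngr\appmngr.app",
    r"z:\system\apps\appmngr\appmngr.aif",
    r"z:\system\apps\messaging\messaging.app",
    r"z:\system\apps\messaging\messaging.aif",
    r"z:\system\apps\camera\camera.app",
]

# Constructed C: drive listing mixing the patterns described in the thread with ordinary files.
C_DRIVE_FILES = [
    r"C:\System\Apps\AppMngr\appmngr.app",      # Fontal-style shadow of the application manager
    r"c:\system\apps\messaging\messaging.aif",  # Skulls-style AIF replacement
    r"c:\system\apps\gavno\gavno.app",          # Locknut dropper directory
    r"c:\system\recogs\flo.mdl",                # Cabir-style autostart recogniser
    r"c:\system\apps\mygame\mygame.app",        # ordinary third-party app: should be clean
    r"c:\nokia\images\photo.jpg",               # user data: should be clean
]

# Directories named in the thread as locations the trojans/worms install into.
DROPPER_DIRS = [
    r"c:\system\apps\gavno",
    r"c:\system\apps\velasco",
    r"c:\system\symbiansecuredata\velasco",
    r"c:\system\apps\kill sadam",
]

# Extensions whose shadowing disables or hijacks an application outright.
EXECUTABLE_EXTS = {".app", ".aif", ".rsc", ".mdl", ".gdr"}


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str     # "shadows-rom", "dropper-dir" or "autostart-recogniser"
    severity: str   # "high" or "medium"


def _rel(path: str) -> str:
    """Drive-less, lower-cased, backslash-normalised form of a Symbian path."""
    p = path.replace("/", "\\").lower()
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return p


def scan(c_files, rom_manifest, dropper_dirs) -> list:
    """Return one Finding per suspicious C: file; clean files produce nothing."""
    rom_paths = {_rel(p) for p in rom_manifest}
    droppers = [_rel(d).rstrip("\\") + "\\" for d in dropper_dirs]
    findings = []
    for path in c_files:
        rel = _rel(path)
        ext = ntpath.splitext(rel)[1]
        if rel in rom_paths:
            # Same path as a ROM file: C: copy wins, exactly the Skulls/Fontal technique.
            sev = "high" if ext in EXECUTABLE_EXTS else "medium"
            findings.append(Finding(path, "shadows-rom", sev))
        elif any(rel.startswith(d) for d in droppers):
            findings.append(Finding(path, "dropper-dir", "high"))
        elif rel.startswith("\\system\\recogs\\") and ext == ".mdl":
            # Recogniser modules here are loaded at boot; Cabir uses this to restart.
            findings.append(Finding(path, "autostart-recogniser", "high"))
    return findings


if __name__ == "__main__":
    for f in scan(C_DRIVE_FILES, ROM_MANIFEST, DROPPER_DIRS):
        print(f"{f.severity:6s} {f.reason:22s} {f.path}")
```

The shadowing check is the one worth keeping: a third-party application legitimately lives under `c:\system\apps\<its own name>`, so a C: file whose full path coincides with a ROM path is the anomaly, regardless of what the SIS claimed to be.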

  9. #9
    Registered User
    Join Date
    Jul 2007
    Location
    india
    Posts
    19

    Re: Mobile Virus Info and Solution

    NAME: Cabir.H
    ALIAS: SymbOS/Cabir.H, EPOC/Cabir.H, Worm.Symbian.Cabir.H, Caribe virus

    Summary

    Cabir.H is a Bluetooth-using worm that runs on Symbian mobile phones that support the Series 60 platform.

    The Cabir.H variant is a recompiled version of the original Cabir, the main difference being that Cabir.H has a fixed replication routine and is capable of spreading faster than earlier variants.

    Cabir.H replicates over Bluetooth connections and arrives in the phone's messaging inbox as a velasco.sis file that contains the worm. When the user clicks velasco.sis and chooses to install it, the worm activates and starts looking for new devices to infect over Bluetooth.

    When the Cabir worm finds another Bluetooth device, it starts sending infected SIS files to it for as long as the target phone is in range. Unlike earlier variants of Cabir, Cabir.H is capable of finding a new target after the first one has gone out of range. Thus Cabir.H will most likely spread faster than previous variants, if ever found in the wild.

    Please note that the Cabir worm can reach only mobile phones that support Bluetooth and are in discoverable mode.

    Setting your phone into non-discoverable (hidden) Bluetooth mode will protect your phone from the Cabir worm.

    But once the phone is infected, it will try to infect other systems even as the user tries to disable Bluetooth from the system settings.

    Replication

    Cabir.H replicates over Bluetooth in a velasco.sis file that contains the worm's main executable velasco.app, the system recogniser marcos.mdl and the resource file velasco.rsc. The SIS file contains autostart settings that automatically execute velasco.app after the SIS file has been installed.

    The velasco.sis file will not arrive automatically on the target device, so the user needs to answer yes to the transfer question while the infected device is still in range.

    When the Cabir.H worm is activated, it starts looking for other Bluetooth devices and starts sending infected velasco.sis files to the first device it finds. After the first target phone is out of range, Cabir.H will continue searching for and infecting other phones.

    This modification in the replication mechanism will make it more likely that Cabir.H spreads quickly once in the wild.

    Infection

    When the velasco.sis file is installed, the installer copies the worm executables into the following locations:
    c:\system\apps\velasco\velasco.rsc
    c:\system\apps\velasco\velasco.app
    c:\system\apps\velasco\flo.mdl

    When velasco.app is executed, it copies the following files:
    flo.mdl to c:\system\recogs
    velasco.app to c:\system\symbiansecuredata\velasco\
    caribe.rsc to c:\system\symbiansecuredata\velasco\

    This is most likely done in case the user installs the application to the memory card, or to stop the user from disinfecting the worm by uninstalling the original SIS file.

    Then the worm recreates the velasco.sis file from the worm component files and data blocks that are in velasco.app.

    After recreating the velasco.sis file, the worm starts to look for all visible Bluetooth devices and sends the SIS file to them.

  10. #10
    Registered User
    Join Date
    Jul 2007
    Location
    india
    Posts
    19

    Re: Mobile Virus Info and Solution

    NAME: Cabir.E
    ALIAS: SymbOS/Cabir.E, EPOC/Cabir.E, Worm.Symbian.Cabir.E, [YUAN] virus

    Summary

    Cabir.E is a minor variant of Cabir.B; the only significant differences are that Cabir.E displays different text on the start dialog when the worm starts, and that Cabir.E spreads as [YUAN].SIS instead of Cabir.SIS.

    Cabir.E displays the text "[YUAN]", while Cabir.B displays text that contains just "Caribe".

    Cabir.E is a minor hex-edit variant of Cabir.B, with the exception of the new filename and the different text displayed at worm start. Cabir.E behaves identically to Cabir.B.
    -----------------------------------------------------------------------
    NAME: Cabir.D
    ALIAS: SymbOS/Cabir.D, EPOC/Cabir.D, Worm.Symbian.Cabir.D, MYTITI virus

    Summary

    Cabir.D is a minor variant of Cabir.B; the only significant differences are that Cabir.D displays different text on the start dialog when the worm starts, and that Cabir.D spreads as MYTITI.SIS instead of Cabir.SIS.

    Cabir.D displays the text "Mytiti", while Cabir.B displays text that contains just "Caribe".

    Cabir.D is a minor hex-edit variant of Cabir.B, with the exception of the new filename and the different text displayed at worm start. Cabir.D behaves identically to Cabir.B.

  11. #11
    Registered User
    Join Date
    Jul 2007
    Location
    india
    Posts
    19

    Re: Mobile Virus Info and Solution

    NAME: Lasco.A
    ALIAS: SymbOS/Lasco.A, EPOC/Lasco.A

    Summary

    Lasco.A is a Bluetooth-using worm and SIS-file-infecting virus that runs on Symbian mobile phones that support the Series 60 platform.

    Lasco.A replicates over Bluetooth connections and arrives in the phone's messaging inbox as a velasco.sis file that contains the worm. When the user clicks velasco.sis and chooses to install it, the worm activates and starts looking for new devices to infect over Bluetooth.

    When the Lasco worm finds another Bluetooth device, it starts sending copies of the velasco.sis file to it for as long as the target phone is in range. Like Cabir.H, Lasco.A is capable of finding a new target after the first one has gone out of range.

    In addition to sending itself over Bluetooth, Lasco.A is also capable of replicating by inserting itself into other SIS files found on the device. Then, if such Lasco.A-infected SIS files are copied to another device, the Lasco.A install starts inside the first installation task, asking the user whether to install Velasco.

    Please note that SIS files infected by Lasco.A will not be automatically sent to other devices. The only way to get infected by a Lasco.A-infected file other than the original Velasco.SIS is to manually copy and install it on another device.

    Lasco.A is based on the same source as Cabir.H and is very similar to it. The main difference between Cabir.H and Lasco.A is the SIS file infection routine.

    Please note that the Lasco worm can reach only mobile phones that support Bluetooth and are in discoverable mode.

    Setting your phone into non-discoverable (hidden) Bluetooth mode will protect your phone from the Cabir worm.

    But once the phone is infected, it will try to infect other systems even as the user tries to disable Bluetooth from the system settings.

    F-Secure Mobile Anti-Virus will detect Lasco.A and delete the worm components. After deleting the worm files you can delete this directory: c:\system\symbiansecuredata\velasco\

    Replication over Bluetooth

    Lasco.A replicates over Bluetooth in a velasco.sis file that contains the worm's main executable velasco.app, the system recogniser marcos.mdl and the resource file velasco.rsc. The SIS file contains autostart settings that automatically execute velasco.app after the SIS file has been installed.

    The velasco.sis file will not arrive automatically on the target device, so the user needs to answer yes to the transfer question while the infected device is still in range.

    When the Lasco.A worm is activated, it starts looking for other Bluetooth devices and starts sending infected velasco.sis files to the first device it finds. After the first target phone is out of range, Lasco.A will continue searching for and infecting other phones.

    This modification in the replication mechanism will make it more likely that Lasco.A spreads quickly once in the wild.

    Replication by infecting SIS files

    Lasco.A also replicates by searching the infected device for all SIS installation files and infecting them by adding the velasco.sis installation file as the last file in the SIS archive.

    Lasco.A will also modify the infected SIS file's header so that the embedded Velasco SIS installation starts automatically after the host SIS file is installed. But while the Lasco.A installation is started automatically, the installation sequence will still be normal: the user will be asked whether he wants to install Velasco, and the user will get a warning about the missing signature in the SIS file.

    Infection

    When the velasco.sis file is installed, the installer copies the worm executables into the following locations:
    c:\system\apps\velasco\velasco.rsc
    c:\system\apps\velasco\velasco.app
    c:\system\apps\velasco\flo.mdl

    When velasco.app is executed, it copies the following files:
    flo.mdl to c:\system\recogs
    velasco.app to c:\system\symbiansecuredata\velasco\
    velasco.rsc to c:\system\symbiansecuredata\velasco\

    This is most likely done in case the user installs the application to the memory card, or to stop the user from disinfecting the worm by uninstalling the original SIS file.

    Then the worm recreates the velasco.sis file from the worm component files and data blocks that are in velasco.app.

    After recreating the SIS file, Lasco.A searches for all SIS files on the device, adds itself to those files and modifies the SIS file header so that the Lasco.A embedded in the target SIS files activates automatically upon installation of that SIS file on the device.
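The Lasco.A description says it infects a host SIS by appending the velasco.sis package as the last file in the archive and patching the header so the embedded package installs automatically. A cheap triage check for that class of infection is to count SIS headers inside a file: a host package that contains a second complete SIS header is carrying an embedded package. The following is an added example, not code from the thread or from F-Secure, and it does not decode the SIS format; it only searches for the UID2/UID3 pair that identifies pre-Symbian OS 9 SIS files. Those two UID values (0x1000006D and 0x10000419) are given here as an assumption to be verified against a known-good SIS before use, and the "SIS" blobs the example builds are constructed stand-ins with a 16-byte UID header and no real structure beyond that. Note the caveat built into the verdict: Symbian legitimately allows a package to embed component SIS files, so a second header is a reason to inspect the file, not proof of infection.

```python
"""Added example (not part of the forum thread or of F-Secure's tooling):
count SIS file headers inside a .sis blob to spot an embedded package of
the kind the Lasco.A description talks about.

Assumptions: the UID2/UID3 pair below is the commonly documented
identification for pre-Symbian OS 9 SIS files (verify against a real
sample before relying on it), and make_fake_sis() produces a constructed
stand-in, not a real SIS encoder.
"""
import struct

# Assumed SIS identification UIDs, little-endian at offsets 4 and 8 of the header.
SIS_UID2 = 0x1000006D
SIS_UID3 = 0x10000419
SIS_MARKER = struct.pack("<II", SIS_UID2, SIS_UID3)
HEADER_LEN = 16   # UID1, UID2, UID3, UID checksum (4 x 32-bit)


def make_fake_sis(app_uid: int, payload: bytes) -> bytes:
    """Constructed stand-in for a SIS file: 16-byte UID header followed by payload.
    The UID checksum field is left zero; a real file carries a computed value there."""
    return struct.pack("<IIII", app_uid, SIS_UID2, SIS_UID3, 0) + payload


def find_sis_headers(data: bytes) -> list:
    """Offsets (of the UID1 field) at which a SIS UID2/UID3 pair appears."""
    offsets = []
    start = 0
    while True:
        i = data.find(SIS_MARKER, start)
        if i < 0:
            break
        if i >= 4:                     # the marker sits 4 bytes after the header start
            offsets.append(i - 4)
        start = i + 1
    return offsets


def triage(data: bytes) -> dict:
    """Classify a blob as not a SIS, a plain SIS, or a SIS that embeds another package."""
    heads = find_sis_headers(data)
    is_sis = bool(heads) and heads[0] == 0
    embedded = [o for o in heads if o != 0] if is_sis else []
    if not is_sis:
        verdict = "not-sis"
    elif embedded:
        # Embedded packages are legal in Symbian (component SIS), so this is a
        # reason to inspect the file and the embedded package's UID, not a verdict.
        verdict = "embedded-sis"
    else:
        verdict = "clean"
    embedded_uids = [struct.unpack_from("<I", data, o)[0] for o in embedded]
    return {"is_sis": is_sis, "verdict": verdict,
            "embedded_sis_offsets": embedded, "embedded_uids": embedded_uids}


if __name__ == "__main__":
    host = make_fake_sis(0x01000001, b"host application data " * 8)        # constructed
    infected = host + make_fake_sis(0x10001234, b"embedded package data")   # constructed
    for label, blob in (("host", host), ("infected", infected), ("text", b"hello")):
        print(label, triage(blob))
```

When this fires on a real device, the useful follow-up is the embedded package's UID1 and the file list it would install, compared against the velasco.* names given in the infection section above.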

  12. #12
    Registered User
    Join Date
    Jul 2007
    Location
    india
    Posts
    19

    Re: Mobile Virus Info and Solution

    NAME: Mquito
    ALIAS: SymbOS/Mquito, Trojan.Mquito, SymbOS/QDial26

    Summary

    Trojan.Mquito is a ******* version of a game that runs on Symbian Series 60 devices. The game contains functionality that sends an SMS message to a certain number each time the game is started.

    Trojan.Mquito is not a trojanized version of the game; the hidden SMS functionality was put in the game from the beginning by the original manufacturer.

    This functionality was supposed to be some kind of copy-protection technique, but it didn't work right and the whole functionality backfired.

    According to the manufacturer, the premium-rate contract for the receiving phone numbers has been terminated, so although old versions of the game still send hidden SMS messages, it only costs the nominal fee of sending the message itself.

    Current versions of this game no longer have this hidden functionality, but "*******" versions of Mosquitos still float around P2P networks, and they still send these messages.

    The SMS-sending version of the game can still be identified by the message it shows when the game starts.

    The original version displays the following text, which varies a bit depending on the region:

    UK VERSION This version is for the UK market only and does not work
    outside the United Kingdom. Pirate copies are illegal and offenders
    will be prosecuted.

    The trojan version displays the following modified text:

    FREE VERSION This version has been ******* by SODDOM BIN LOADER
    No rights reserved. Pirate copies are illegal and offenders will
    have lotz of phun!!!

    The difference in the message has been made by modifying strings inside the game binary. The difference in the messages is the only difference between the ******* and original versions that we have been able to determine.

    Needless to say, the 'trojan' version of the game can be found only in pirated sources. So installing such a program is not recommended in the first place, as any copy that contains the SMS routine is an illegal copy.

    When Mquito is run, it shows the dialog containing the message from the *****er and sends an SMS message to a premium-rate number. After sending the message the game starts normally.

    The SMS-sending routine was built into the binary by the game developers, not inserted by *****ers.

    The message is sent only when the game starts, and the sending routine will not be called before Mquito is started a second time.

  13. #13
    Registered User
    Join Date
    Jul 2007
    Location
    india
    Posts
    19

    Re: Mobile Virus Info and Solution

    Virus writers have created a mobile Trojan capable of rendering an infected Symbian Series 60 phone unusable. Fontal-A is a SIS file Trojan that installs a corrupted font file on the device, causing it to fail when the mobile phone is next rebooted.

    Fontal-A is a Trojan, incapable of spreading by itself or via Bluetooth. The small risk of infection applies only to people in the habit of installing warez mobile game files or the like onto their mobile phone.

    As well as installing a corrupted font file, Fontal-A also damages the application manager so that it cannot be uninstalled. No new applications can be installed until the phone is disinfected. If the user has attempted to reboot the phone, the only way to disinfect it is to reformat the mobile device, according to preliminary advice by anti-virus firm F-Secure. It warns that reformatting the phone will cause all data on the mobile to be lost.

    Manual disinfection
    1. Install a file manager on the phone
    2. Go to c:\System\apps\appmngr
    3. Delete appmngr.app
    4. Go to the application manager
    5. Uninstall the SIS file from which Fontal.A was installed

    Infection

    When the Fontal.A SIS file is installed, the installer copies files into the following locations:

    \system\apps\appmngr\appmngr.app
    \system\apps\kill sadam\kill sadam.app
    \system\apps\fonts\kill sadam font.gdr

    The appmngr.app is a non-functional file that disables the application manager; kill sadam.app is a hex-edited utility that has been modified to show the text "reboot", and has no other significant function for the trojan.

  14. #14
    Registered User
    Join Date
    Jul 2007
    Location
    india
    Posts
    19

    Re: Mobile Virus Info and Solution

    Hope this all will help you to protect your mobile from viruses.

  15. #15
    Super Contributor
    Join Date
    Mar 2003
    Location
    Finland
    Posts
    9,569

    Re: Mobile Virus Info and Solution

    Reading this and following the advice will also help: http://3lib.ukonline.co.uk/viruses.htm
