Fone Arena Mobile Forums

#1
Eminem, Senior Member (Join Date: May 2005; Location: in every girlz heart; Posts: 289)
06-04-2005, 07:51 PM

mobile phone viruses

F-Secure is currently investigating a new trojan infecting Symbian Series 60 phones - Skulls. Unlike Cabir, this trojan is actually malicious. Symbian must have anticipated this, having recently signed for McAfee's virus protection.



This trojan [SymbOS/Skulls] has been distributed on Symbian shareware download sites as "Extended Theme Manager" by Tee-222. If you see it, don't install it on your phone. It will make your phone useless and will prevent it from booting up. Recovery could get tricky, especially if you don't have third-party file manager software already installed on your phone. The most obvious symptom of the trojan is that the typical programs on the phone won't work any more, and that their icons get replaced with a picture of a skull.
__________________
astalavistaa babyyyy..
#2
Eminem, Senior Member (Join Date: May 2005; Location: in every girlz heart; Posts: 289)
06-04-2005, 07:56 PM

Antivirus vendors first spotted the new virus, dubbed CommWarrior.A, today. When an infected attachment is opened, the virus places copies of itself on vulnerable mobile phones and uses the phone's address book to send copies of itself to the owner's contacts using MMS. Antivirus experts believe CommWarrior, which has been spreading slowly among cell phone users since January, is not a serious threat. However, the virus could herald a new age of malicious and fast-spreading cell phone threats, according to Mikko Hyppönen of F-Secure Corporation.

MMS is a popular text messaging technology that is closely related to SMS (Short Messaging System), but allows mobile phone users to send multimedia content, such as sound files or photos, between MMS-compliant mobile phones. The technology is popular, especially outside the United States, where phone users have widely adopted newer-generation cell phones that support multimedia features and MMS messaging, Hyppönen says.

"My kids use it all the time to send messages, or photos," says Hyppönen, who lives in Helsinki, Finland.


Don't Open the Attachment
CommWarrior uses MMS to spread copies of itself to phone numbers stored in the address book of phones it infects. Victims receive MMS messages with file attachments that contain the CommWarrior virus. The messages contain enticing messages such as "3DGame from me. it is FREE!" and "Nokia RingtoneManager for all models," F-Secure says.

When victims open the attached virus file, CommWarrior is installed on the phone and begins randomly sending MMS messages with copies of itself to numbers in the phone book. Complicating matters, CommWarrior can also spread between phones using Bluetooth wireless connections, says Victor Kouznetsov, senior vice president of mobile solutions for McAfee.

Those who do get infected with CommWarrior can easily shut the virus down by pressing and holding the menu button on their cell phone, then selecting CommWarrior from the list of applications that appears and pressing the "C," or "Clear," button, Kouznetsov says. Once the virus is disabled, mobile phone owners can use file management tools on the phone to locate and remove the virus files. F-Secure and McAfee both posted bulletins listing the folders where the CommWarrior virus is installed on infected phones.


Early Reports
F-Secure first identified CommWarrior on Monday. However, a search of the Internet revealed newsgroup messages from Nokia customers who complained about CommWarrior infections as early as January.

"I need help. I have a very strange problem with my nokia 6600. It tries send MMS automatically to my contacts (Randomly) that I have in my phone book," reads one message, posted January 23, that goes on to verify a commwarrior.exe infection.

A copy of the virus posted on a Web page is dated January 1, and claims to work on the common Nokia Series 60 phones. That could include more than 10 million phones worldwide, but it's doubtful that CommWarrior, as currently written, could infect anywhere near that number, says Kouznetsov.

"It still relies on social engineering and user interaction to spread," he says. Even when users do click to open the CommWarrior attachment, a series of warning messages appears before the virus is actually installed, he says.

F-Secure is testing the sample of CommWarrior. However, the virus is difficult to test. Its ability to spread via wireless and MMS messages makes containment hard, Hyppönen says.

Mobile phone viruses are a recent development, but could be a major threat in years to come, as mobile devices become more powerful, according to Hyppönen and others.

Cabir, the first known mobile virus, spreads on phones that run the Symbian operating system and are equipped with Bluetooth wireless connections, including Series 60 phones from a number of manufacturers, such as Siemens AG, Nokia, and others. The virus first appeared last June as a "proof of concept" released by the virus-writing group 29a.
#3
Eminem, Senior Member (Join Date: May 2005; Location: in every girlz heart; Posts: 289)
06-04-2005, 08:04 PM

SymbOS.Cabir is a proof-of-concept worm that replicates on Series 60 phones.

This worm repeatedly sends itself to the first Bluetooth-enabled device that it can find, regardless of the type of device. For example, even a Bluetooth-enabled printer will be attacked if it is within range.

The worm spreads as a .SIS file, which is installed into the APPS directory. There is no payload, apart from the vastly shortened battery life caused by the constant scanning for Bluetooth-enabled devices.


Also Known As: EPOC.Cabir, Worm.Symbian.Cabir.a [Kaspersky], Cabir [F-Secure], EPOC/Cabir.A [Computer Associates], Symb/Cabir-A [Sophos], EPOC_CABIR.A [Trend], Symbian/Cabir [McAfee]

Type: Worm
Infection Length: 15104 (caribe.sis), 11944 (caribe.app), 11498 (flo.mdl), 44 (caribe.rsc)



Systems Affected: EPOC
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 2000, Windows 3.x, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

SymbOS.Cabir is transmitted through Bluetooth as a .SIS file.

When the worm arrives at a target device the following may happen:

1. The device displays a message similar to the following, asking the user to accept a message from a particular device:

   Receive message via Bluetooth from [device name]?

2. The user will be notified that they have received a new message.

3. The user will be prompted with a message similar to the following:

   Application is untrusted and may have problems. Install only if you trust provider.

4. If the user chooses Yes, the user will be prompted to install the worm.

   Install caribe?

5. If the user chooses Install, SymbOS.Cabir is installed and executed, displaying the message:

   Caribe-VZ/29a

6. The worm creates the following files on the phone:

   \SYSTEM\APPS\CARIBE\CARIBE.APP
   \SYSTEM\APPS\CARIBE\CARIBE.RSC
   \SYSTEM\APPS\CARIBE\FLO.MDL
   C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP
   C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.RSC
   C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS
   C:\SYSTEM\RECOGS\FLO.MDL
   C:\SYSTEM\INSTALLS\CARIBE.SIS

7. The worm attempts to send itself to other Bluetooth-enabled devices that it finds, regardless of the type of device.

8. The worm executes every time the device is turned on.


To remove SymbOS.Cabir:

1. Install a file manager program on the phone.
2. Enable the option to view the files in the system directory.
3. Search the drives, A through Y, for the \SYSTEM\APPS\CARIBE directory.
4. Delete the files CARIBE.APP, CARIBE.RSC, and FLO.MDL from the \CARIBE directory.
5. Go to the C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER directory.
6. Delete the files CARIBE.APP, CARIBE.RSC, and CARIBE.SIS.
7. Go to the C:\SYSTEM\RECOGS directory.
8. Delete the file FLO.MDL.
9. Go to the C:\SYSTEM\INSTALLS directory.
10. Delete the file CARIBE.SIS.

Note: You cannot delete the file CARIBE.RSC while the program is running.

If you cannot delete this file in steps 4 and 6, delete all the files that you can, restart the phone, and then delete the CARIBE.RSC file.
#4
Eminem, Senior Member (Join Date: May 2005; Location: in every girlz heart; Posts: 289)
06-04-2005, 08:13 PM

duts

Duts is a parasitic file infector virus. It is the first known virus for the PocketPC platform. Duts affects ARM-based devices only.

Duts is a 1520-byte program, hand-written in assembly for the ARM processor. When an infected file is executed the virus asks for permission to infect:

When granted the permission, Duts attempts to infect all EXE files in the current directory. Duts only infects files that are bigger than 4096 bytes and have not been infected yet. As an infection marker the virus writes the string 'atar' to the Windows Version field of the EXE header.

The infection routine is fairly simple. The virus body is appended to the file and the last section is made readable and executable. The entry point of the file is set to the beginning of the virus code.

Duts contains two messages that are not displayed:
This is proof of concept code. Also, i wanted to make avers happy.
The situation when Pocket PC antiviruses detect only EICAR file had to end ...
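The 'atar' infection marker described in the post above gives a defender a cheap way to triage PocketPC executables. The Python below is an added example, not part of the original post or any vendor tool: it walks the PE optional header and reports which 4-byte version slot carries the marker. The post only says "Windows Version field", so whether Duts used the Major/MinorOperatingSystemVersion pair or the reserved Win32VersionValue is an assumption here and both are checked; the sample image is constructed for testing and is not a real program.

```python
import struct

MARKER = b"atar"
# Offsets of the two candidate 4-byte "Windows version" slots inside the PE
# optional header. Which one Duts actually wrote to is an assumption here.
VERSION_FIELDS = {
    "OperatingSystemVersion": 40,  # Major/MinorOperatingSystemVersion
    "Win32VersionValue": 52,       # reserved field, normally zero
}
MIN_INFECTABLE_SIZE = 4096         # Duts skips files of 4096 bytes or less


def find_duts_marker(data: bytes):
    """Return the name of the version field holding 'atar', or None.

    Returns None for anything that is not a plausible PE image, so the
    check can be run over arbitrary files without raising."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20  # skip PE signature and 20-byte COFF file header
    for name, off in VERSION_FIELDS.items():
        if data[opt + off:opt + off + 4] == MARKER:
            return name
    return None


def could_be_infected(data: bytes) -> bool:
    """Size gate from the post: Duts only infects files bigger than 4096 bytes."""
    return len(data) > MIN_INFECTABLE_SIZE


def make_sample(marker_field=None) -> bytes:
    """Constructed minimal PE32 image for testing (not a real program)."""
    img = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", img, 0x3C, 0x40)         # e_lfanew -> offset 0x40
    img += b"PE\0\0" + b"\0" * 20                   # signature + COFF header
    opt = bytearray(96)                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    if marker_field is not None:
        off = VERSION_FIELDS[marker_field]
        opt[off:off + 4] = MARKER
    return bytes(img + opt)


if __name__ == "__main__":
    print(find_duts_marker(make_sample("Win32VersionValue")))
```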
#5
Eminem, Senior Member (Join Date: May 2005; Location: in every girlz heart; Posts: 289)
06-04-2005, 08:17 PM

new viruses

F-Secure has detected two new Symbian viruses, named Locknut.B and Drever.A respectively. Both viruses are malicious and affect phones by disabling them.

Locknut.B is a malicious SIS file trojan that pretends to be a patch for Symbian Series 60 mobile phones. When installed, Locknut.B drops a binary that crashes a critical system component, which prevents any application from being launched on the phone, thus effectively locking it.

Drever.A is a malicious SIS file trojan that disables the automatic startup of the Simworks and Kaspersky Symbian Anti-Virus software. Currently it is still unverified whether either of these products has protection against such attacks.

It seems the world of mobile phones should start to brace itself for even more malicious viruses which may appear. The trend of new viruses seems to be inevitably growing.
#6
Ashok, Senior Member (Join Date: Apr 2005; Location: Mangalore, India; Posts: 271)
06-05-2005, 02:42 AM

Great job.. I am going to make this thread a sticky.. It's a must-read for all Nokia smartphone users.. Also, all queries, news and information about mobile viruses will be posted in this thread..
#7
Senior Member (Join Date: Aug 2005; Posts: 139)
08-14-2005, 12:11 PM

Bootton.A is a SIS file trojan that is sent over Bluetooth by the SymbOS/Onehop.A trojan.

In its structure Bootton.A is quite similar to the Skulls family of trojans, with the exception that instead of replacing system files with corrupted binaries, Bootton.A uses an application that causes the device to reboot.

Thus if a device is infected with Bootton.A, pressing the menu button or any system application button makes the device reboot immediately.

Bootton.A disables most critical system functions and third-party file managers, so that even if the device didn't immediately reboot it would still be unusable until it is disinfected.

In addition to disabling applications on the phone, Bootton.A also installs a modified Cabir that SymbOS/Onehop.A uses to distribute Bootton.A. But this file does not get executed automatically, and even if started by the user it is unable to send anything, as the file it is trying to send does not exist on the system.

Like Skulls.A, Bootton.A replaces the application icons with its own icon; this time the icon is a heart icon with the text "I-Love-U".

If Bootton.A is installed, only making calls from the phone and answering calls works. All functions which need some system application, such as SMS and MMS messaging, web browsing and the camera, no longer function.

To disinfect this virus, download this utility
ftp://ftp.f-secure.com/anti-virus/tools/f-skulls.zip