
SymbOS/QQForwd.A!tr - Released Sep 04, 2007 - Last Updated Sep 12, 2007

Detection Availability

Active Database / Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • A QQ number will flash on the screen.

Detailed Analysis

  • It is a Symbian virus, packed in SIS format.

  • It poses as a NetQin SIS package to deceive the user into installing it.

  • Drops the following files while installing:
    • d:\cc.exe: runs after being installed. This is detected as SymbOS/Comwar.C!worm.
    • d:\sq.exe: runs after being installed. This is used to send an SMS message to a specific number.
    • c:\system\apps\SmsForwarder\smsforwarder.cfg
    • c:\system\apps\SmsForwarder\smsfwdaemon.exe: forwards an SMS message to a number specified in the file smsforwarder.cfg.
    • e:\system\apps\SmsForwarder\smsforwarder.cfg
    • e:\system\apps\SmsForwarder\smsfwdaemon.exe
    • c:\system\data\zn1314.db
    • c:\system\Programs\programs\1.txt: displays a QQ number on the screen.
    • c:\system\Programs\programs\2.exe: deletes directories under !:\System\Install.
    • c:\system\Programs\wq.exe
    • e:\system\Programs\wq.exe1
    • c:\system\recogs\01.mdl
    • c:\system\recogs\c02.mdl
    • e:\system\recogs\ewq.mdl
    • c:\system\recogs\startsmsfwd.mdl
    • c:\system\recogs\wq.mdl
    All the other dropped malicious files are detected as SymbOS/QQForwd.A!tr.

  • Upon installation, sq.exe sends an SMS message to the number 17001002 to get a new QQ account and initial password, or the initial password if a QQ account already exists. The reply to this message is then forwarded to a specific number. Once the device is infected, other confidential information of the user may also be stolen by the malicious user.

Recommended Action

  • Delete all the malicious files using a file manager program or AV software for mobile devices.

  • Reference: ID - 376959
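
The dropped-file list above can be used as a triage check over a file listing exported from a handset or memory card. This is an added example, not part of the original advisory or the vendor's tooling; the sample listing is constructed, and case-insensitive path comparison on Symbian is an assumption of the example.

```python
import ntpath

# Paths copied verbatim from the "Drops the following files" list above
# (including "wq.exe1" exactly as the page prints it).
COMWAR_PATHS = [r"d:\cc.exe"]
QQFORWD_PATHS = r"""
d:\sq.exe
c:\system\apps\SmsForwarder\smsforwarder.cfg
c:\system\apps\SmsForwarder\smsfwdaemon.exe
e:\system\apps\SmsForwarder\smsforwarder.cfg
e:\system\apps\SmsForwarder\smsfwdaemon.exe
c:\system\data\zn1314.db
c:\system\Programs\programs\1.txt
c:\system\Programs\programs\2.exe
c:\system\Programs\wq.exe
e:\system\Programs\wq.exe1
c:\system\recogs\01.mdl
c:\system\recogs\c02.mdl
e:\system\recogs\ewq.mdl
c:\system\recogs\startsmsfwd.mdl
c:\system\recogs\wq.mdl
""".split()

def normalize(path):
    """Backslash separators, collapsed duplicates, lower case (assumed case-insensitive FS)."""
    return ntpath.normpath(path.strip().replace("/", "\\")).lower()

# Detection names are the ones the page assigns to each dropped file.
IOC_INDEX = {normalize(p): "SymbOS/Comwar.C!worm" for p in COMWAR_PATHS}
IOC_INDEX.update({normalize(p): "SymbOS/QQForwd.A!tr" for p in QQFORWD_PATHS})

def triage(listing):
    """Map each listed path that matches a dropped file to its detection name."""
    return {p: IOC_INDEX[normalize(p)] for p in listing if normalize(p) in IOC_INDEX}

# Constructed sample listing with mixed case and separators; not from a real device.
SAMPLE = [
    r"C:\System\Apps\SmsForwarder\SMSFWDAEMON.EXE",
    "c:/system/recogs/startsmsfwd.mdl",
    r"D:\cc.exe",
    r"C:\System\Apps\Phonebook\Phonebook.app",
    r"e:\system\apps\SmsForwarder\smsforwarder.cfg",
]

if __name__ == "__main__":
    for path, name in triage(SAMPLE).items():
        print(f"{name}\t{path}")
```

Every path the check reports is a candidate for the deletion step under Recommended Action.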