Spy/MobileSpy!SymbOS - Released Aug 28, 2009 - Last Updated Sep 01, 2009
Alias/es: SPR/MobileSpy, SPR/RetinaX.A, Spyware:WinCE/BopSmiley.A
Detection Availability
Visible Symptoms
Presence of the following files:
- system/programs/mswd.exe
- system/symbian/msagent.exe
Detailed Analysis
This is the Symbian version of Spy/MobileSpy!iPhoneOS.
Technical Details
This malware has the same behaviour as Spy/MobileSpy!iPhoneOS. The few differences are listed below.
On Symbian OS 7 and 8, the malware installs the following files:
- system/libs/tpengine_rxs.dll
- system/libs/tpfc_rxs.dll
- system/libs/tpnet_rxs.dll
- system/programs/mswd.exe: a console application that handles the hidden window groups for the spyware.
- system/recogs/msstart.mdl: this MDL (recognizer module) is in charge of restarting mswd.exe when the phone boots.
- system/symbian/msagent.exe: the main application; it calls the TPENGINE DLLs.
- system/symbian/settingsui.app
- system/symbian/settingsui.rsc
The URLs sent to the remote webserver show slight differences. For example, logging geographic location uses this URL:
http://{REMOVED}gprslog.php?sID=...&date=...&time=...&up=...&down=...
On Symbian OS 9, the malware installs or creates the following files:
- C:\sys\bin\sbase.dll
- C:\resource\apps\SettingsUI.rSC
- C:\private\10003a3f\import\apps\SettingsUI_reg.rSC
- C:\private\101f875a\import\[2001D551].rsc
- C:\sys\bin\SettingsUI.exe
- C:\sys\bin\mswd.exe
- C:\Private\2001DF72\Settings.dat
- C:\Private\2001DF72\SMSs.dat
- C:\Private\2001DF72\Calls.dat
- C:\Private\2001DF72\GPSs.dat
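The two file lists above and the gprslog.php URL are the indicators a responder actually has to work with. The following script is an added example, not Fortinet's code, that turns them into two checks: a case-insensitive match of a file listing against both the Symbian OS 7/8 and the Symbian OS 9 layouts (Symbian file systems are not case-sensitive, and a memory-card install lands on E: rather than C:), and a scan of HTTP proxy log lines for the location-logging beacon. Because the advisory redacts the host name, the beacon check keys only on the gprslog.php path and the five query parameters the page shows. The file listing and the proxy log lines are constructed sample data, and the log format is an assumption; any real export from a handset or proxy will need its own parsing.

```python
import re
from urllib.parse import parse_qsl

# Indicator paths copied from the advisory (Symbian OS 7/8 and Symbian OS 9 layouts).
IOC_FILES_OS7_8 = [
    "system/libs/tpengine_rxs.dll",
    "system/libs/tpfc_rxs.dll",
    "system/libs/tpnet_rxs.dll",
    "system/programs/mswd.exe",
    "system/recogs/msstart.mdl",
    "system/symbian/msagent.exe",
    "system/symbian/settingsui.app",
    "system/symbian/settingsui.rsc",
]
IOC_FILES_OS9 = [
    r"C:\sys\bin\sbase.dll",
    r"C:\resource\apps\SettingsUI.rSC",
    r"C:\private\10003a3f\import\apps\SettingsUI_reg.rSC",
    r"C:\private\101f875a\import\[2001D551].rsc",
    r"C:\sys\bin\SettingsUI.exe",
    r"C:\sys\bin\mswd.exe",
    r"C:\Private\2001DF72\Settings.dat",
    r"C:\Private\2001DF72\SMSs.dat",
    r"C:\Private\2001DF72\Calls.dat",
    r"C:\Private\2001DF72\GPSs.dat",
]


def normalize(path):
    """Lower-case, use forward slashes, and drop any drive letter (C:, E:, ...)
    so the comparison is insensitive to case and to the install drive."""
    p = path.replace("\\", "/").lower()
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return p.strip("/")


def find_ioc_files(observed_paths):
    """Return {variant: [observed paths that match an indicator]}."""
    iocs = {
        "SymbOS 7/8": {normalize(p) for p in IOC_FILES_OS7_8},
        "SymbOS 9": {normalize(p) for p in IOC_FILES_OS9},
    }
    hits = {variant: [] for variant in iocs}
    for observed in observed_paths:
        n = normalize(observed)
        for variant, paths in iocs.items():
            if n in paths:
                hits[variant].append(observed)
    return hits


# Beacon pattern: host is redacted in the advisory, so match path + query only.
BEACON_RE = re.compile(r"gprslog\.php\?([^\s\"']+)", re.IGNORECASE)
EXPECTED_PARAMS = {"sid", "date", "time", "up", "down"}


def find_beacons(log_lines):
    """Return [(line_index, params)] for lines carrying the location-log URL
    with all five query parameters the advisory lists. Keys are lower-cased."""
    results = []
    for i, line in enumerate(log_lines):
        m = BEACON_RE.search(line)
        if not m:
            continue
        params = {k.lower(): v for k, v in parse_qsl(m.group(1), keep_blank_values=True)}
        if EXPECTED_PARAMS.issubset(params):
            results.append((i, params))
    return results


# Constructed sample data (not from the advisory): a handset file listing with
# mixed case and a memory-card install, and three proxy log lines.
SAMPLE_FILE_LISTING = [
    r"C:\SYS\BIN\MSWD.EXE",            # OS 9 indicator, different case
    r"c:\private\2001df72\smss.dat",    # OS 9 indicator, different case
    r"C:\sys\bin\unrelated.dll",        # constructed non-indicator
    "E:/system/programs/mswd.exe",     # OS 7/8 indicator on the memory card
]
SAMPLE_PROXY_LOG = [
    "2009-08-28T10:01:02Z 192.0.2.10 GET http://log.example.invalid/gprslog.php?sID=123456&date=20090828&time=100102&up=1&down=2 200",
    "2009-08-28T10:01:03Z 192.0.2.11 GET http://www.example.invalid/index.html 200",
    "2009-08-28T10:01:04Z 192.0.2.12 GET http://log.example.invalid/gprslog.php?foo=bar 404",
]

if __name__ == "__main__":
    for variant, matched in find_ioc_files(SAMPLE_FILE_LISTING).items():
        print(variant, matched)
    for idx, params in find_beacons(SAMPLE_PROXY_LOG):
        print("beacon on line", idx, "sID", params["sid"])
```

The third log line is there on purpose: a hit on the gprslog.php file name alone is not enough, since the page only attributes that specific five-parameter query to the spyware, so the check requires all of sID, date, time, up and down before reporting a beacon.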
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.