SymbOS/Agent.C!tr

Alias/es: SymbOS/Appdisabler.c!sis [McAfee], SymbOS/Appdisabler.H!tr, Trojan.DOS.Agent.i [KAV]
Release Date: Dec 20, 2005
Detection Availability
Active Database / Extended Database
FortiGate: low / high
FortiClient
FortiMail: N/A
Current Antivirus Definition Database Version: 12.196
Description

Visible Symptoms

  • Already-installed applications fail after a Symbian installable package is installed, because the Trojan overwrites them with a 6-byte dummy file

  • The following files are created on the device after the Symbian installable package is installed:

    \images\image(03).jpg
    \images\raghu crack.jpg
    \images\raghu.txt

    \system\raghu.txt
    \system\apps\raghu.txt
    \system\apps\raghu\raghu.app

    \system\apps\raghumenu\raghumenu.app
    \system\apps\raghumenu\raghumenu.rsc
    \system\apps\raghumenu\raghumenu_caption.rsc

    \system\apps\rinumenu\rinumenu.app
    \system\apps\rinumenu\rinumenu.rsc
    \system\apps\rinumenu\rinumenu_caption.rsc

Detailed Analysis

This Trojan is an application overwriter for Symbian Series 60 devices (PDA devices, cell phones, etc.). Its purpose is to make the compromised user's life miserable: many already-installed programs are replaced with a 6-byte dummy file, which prevents those applications from running.

This Trojan may be found within a .SIS file (a Symbian installable package file). When the .SIS file extracts its contents, it writes files into folders that may already exist, including the following:

\system\apps\answrec\answrec.app
\system\apps\blacklist\blacklist.app
\system\apps\bluejackx\bluejackx.app
\system\apps\callcheater\callcheater.app
\system\apps\callmanager\callmanager.app
\system\apps\camcoder\camcoder.app
\system\apps\camerafx\camerafx.app
\system\apps\eticamcorder\eticamcorder.app
\system\apps\etimoviealbum\etimoviealbum.app
\system\apps\etiplayer\etiplayer.app
\system\apps\extendedrecorder\extendedrecorder.app
\system\apps\facewarp\facewarp.app
\system\apps\fexplorer\fexplorer.app
\system\apps\fscaller\fscaller.app
\system\apps\hair\hair.app
\system\apps\hantrocp\hantrocp.app
\system\apps\irremote\irremote.app
\system\apps\jelly\jelly.app
\system\apps\kpcamain\kpcamain.app
\system\apps\launcher\launcher.app
\system\apps\logoman\logoman.app
\system\apps\midied\midied.app
\system\apps\mmp\mmp.app
\system\apps\mp3go\mp3go.app
\system\apps\mp3player\mp3player.app
\system\apps\photoacute\photoacute.app
\system\apps\photoeditor\photoeditor.app
\system\apps\photographer\photographer.app
\system\apps\photosafe\photosafe.app
\system\apps\photosms\photosms.app
\system\apps\pvplayer\pvplayer.app
\system\apps\rallyprocontest\rallyprocontest.app
\system\apps\realplayer\realplayer.app
\system\apps\ringmaster\ringmaster.app
\system\apps\smartanswer\smartanswer.app
\system\apps\smartmovie\smartmovie.app
\system\apps\smsmachine\smsmachine.app
\system\apps\sounder\sounder.app
\system\apps\ssaver\ssaver.app
\system\apps\systemexplorer\systemexplorer.app
\system\apps\ultramp3\ultramp3.app
\system\apps\uvsmstyle\uvsmstyle.app
\system\apps\wildskin\wildskin.app

All .APP files replaced are 6 bytes in size, with the contents simply being "33".
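A defender-side check for the symptoms described above, as an added example that is not part of the original description: it walks an extracted copy of the device file system and reports the dropped `raghu`/`rinu` files and any `.app` under `\system\apps\` that is exactly 6 bytes. The function names, the extracted-tree layout and the sample files are assumptions constructed here, and the 6-byte size test is a heuristic taken from the description.

```python
import os
import tempfile

# Dropped files taken from the list in the description above (subset).
DROPPED = {
    r"\images\raghu.txt",
    r"\system\raghu.txt",
    r"\system\apps\raghu.txt",
    r"\system\apps\raghu\raghu.app",
    r"\system\apps\raghumenu\raghumenu.app",
    r"\system\apps\rinumenu\rinumenu.app",
}
DUMMY_SIZE = 6  # size of every overwritten .APP file, per the description


def scan(root):
    """Return (dropped_files, dummy_apps) found under an extracted device tree."""
    dropped, dummies = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Normalise to Symbian style: backslashes, case-insensitive.
            rel = "\\" + os.path.relpath(full, root).replace(os.sep, "\\").lower()
            if rel in DROPPED:
                dropped.append(rel)
            elif (rel.startswith("\\system\\apps\\") and rel.endswith(".app")
                  and os.path.getsize(full) == DUMMY_SIZE):
                dummies.append(rel)
    return sorted(dropped), sorted(dummies)


def build_sample(root):
    """Constructed sample tree: one overwritten app, one intact app, one marker."""
    files = {
        "system/apps/fexplorer/fexplorer.app": b"\x00" * 6,       # placeholder 6-byte dummy
        "System/Apps/RealPlayer/RealPlayer.app": b"\x00" * 4096,  # intact-sized app
        "system/apps/raghu.txt": b"constructed marker",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp))
```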

The Trojan writes a text file named "raghu.txt", with the following contents:

----R A G H U-C R A C K----

VIRUS BORN IN SURAT(GUJRAT/INDIA/ASIA).

THE NAME OF THIS VIRUS IS RAGHU....
U KNOW WHY....????????

BECAUSE I LIKE VASTAV MOVIE AND SANJU BABA.

U LIKE THIS VIRUS?


SO MANY SOFTWARE CRACKS AND VIRUS AVAILABLE SOON....

RAGHU NAM HE RAGHU...

(MUSAFIR) ATE HE VIRUS DEKE JATE HE (VASTAV) ME VO VIRUS (SADAK) KE KISI GALLE PE BETHNE
WALE EK SANJU BABA KE FRIEND NE BANAYA HE JISKA (NAAM)......????(BHAI----NAAM TO HUM NAHI BATAENGE APNA..)

I LOVE SURAT----NO ONE CITY HAS THE LOVEBIRD"S LIKE ME N OTHER SURTI"S........

FROM --- (-) RAGHU & RINU (-)


PRODUCTS....

1.RAGHU.SIS (VIRUS)
2.RAGHU_R.SIS (VIRUS)
3.RAGHU_C.SIS (VIRUS)
4.RAGHU_MP3 PLAYER.SIS (TWO IN ONE MP3 PLAYER)

 

 

Description Last Updated Date: Apr 27, 2006
Reference: ID - 138896