Detailed Analysis

This Symbian trojan destroys a large list of S60 applications. It may be installed
on the device from a .SIS file named Raghu.sis.
Upon execution, the program warns us we are about to install a non-secured
application; if we decide to continue, the trojan infects the system.

English translation: Non secured application. Install only if it comes
from a trusted source.
The infection scheme is basic but efficient: it overwrites the original .app files
with its own dropped files. The installer .sis file itself is the malicious
component, not the dropped files, which only contain a few bytes. The destroyed
applications range from SMS tools to MP3 players to photo applications, and include
the following:
- \system\apps\WILDSKIN\WILDSKIN.App
- \system\apps\UVSMStyle\UVSMStyle.App
- \system\apps\UltraMP3\UltraMP3.App
- \system\apps\SystemExplorer\SystemExplorer.App
- \system\apps\sSaver\sSaver.App
- \system\apps\Sounder\Sounder.App
- \system\apps\SmsMachine\SmsMachine.App
- \system\apps\SmartMovie\SmartMovie.App
- \system\apps\SmartAnswer\SmartAnswer.App
- \system\apps\RingMaster\RingMaster.App
- \system\apps\realplayer\realplayer.App
- \system\apps\RallyProContest\RallyProContest.App
- \system\apps\PVPlayer\PVPlayer.App
- \system\apps\PhotoSMS\PhotoSMS.App
- \system\apps\PhotoSafe\PhotoSafe.App
- \system\apps\Photographer\Photographer.app
- \system\apps\PhotoEditor\PhotoEditor.app
- \system\apps\photoacute\photoacute.App
- \system\apps\Mp3Player\Mp3Player.App
- \system\apps\Mp3Go\Mp3Go.App
- \system\apps\mmp\mmp.App
- \system\apps\MIDIED\MIDIED.App
- \system\apps\logoMan\logoMan.app
- \system\apps\Launcher\Launcher.app
- \system\apps\KPCaMain\KPCaMain.App
- \system\apps\Jelly\Jelly.App
- \system\apps\irremote\irRemote.App
- \system\apps\HantroCP\HantroCP.App
- \system\apps\Hair\Hair.App
- \system\apps\FSCaller\FSCaller.App
- \system\apps\FExplorer\FExplorer.App
- \system\apps\FaceWarp\FaceWarp.App
- \system\apps\extendedrecorder\extendedrecorder.App
- \system\apps\ETIPlayer\ETIPlayer.App
- \system\apps\ETIMovieAlbum\ETIMovieAlbum.App
- \system\apps\ETICamcorder\ETICamcorder.App
- \system\apps\camerafx\CameraFX.App
- \system\apps\Camcoder\Camcoder.App
- \system\apps\CallManager\CallManager.App
- \system\apps\callcheater\callcheater.app
- \system\apps\BlueJackX\BlueJackX.App
- \system\apps\BlackList\BlackList.App
- \system\apps\AnswRec\AnswRec.App
Note that it only destroys programs installed on the same drive. As a test, we
installed "FExplorer" and "Screenshot" on drive e: and the trojan on drive c:;
we are still able to access the two installed apps on drive e:, as they have not
been overwritten.

The trojan installs an application called Raghu but doesn't affect applications
installed on other drives.
It also drops these files on the system:
- \RAGHU_RINU\raghu
- \RAGHU.txt
- \Images\RAGHU.txt
- \Images\RAGHU CRACK.jpg
- \Images\Image(03).JPG
- \system\RAGHU.txt
- \Copy of RAGHU_RINU\sSaver.App
The text files contain greetings from the author and warn the user not to install
the trojan. The .jpg contains a photo of the author wearing sunglasses.
Finally, the Trojan creates these files on the c: drive:
- C:\system\apps\RINUMenu\RINUMenu_caption.rsc
- C:\system\apps\RINUMenu\RINUMenu.RSC
- C:\system\apps\RINUMenu\RINUMenu.APP
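The two observable effects described above, the targeted .App files being replaced by a few-byte stub on the infected drive and the RAGHU marker files being dropped, can be checked offline against a copy of a device drive. The following triage script is an added example, not part of the original analysis: the sample drive contents it builds are constructed (drive C infected, drive E untouched, mirroring the test described above), and the 64-byte stub threshold is an assumption derived from the report's "only a few bytes".

```python
"""Triage helper for the Raghu S60 overwrite behaviour (added example).

Run against an offline copy or mount of a Symbian drive:
  1. A targeted \\system\\apps\\<name>\\<name>.App that exists but is only a
     few bytes long is flagged: a genuine .App executable is far larger.
  2. Dropped RAGHU marker files are reported if present.
The demo filesystem built below is constructed for this example.
"""
import os
import tempfile

# Subset of the overwritten application paths listed in the analysis.
# Symbian paths use backslashes; they are mapped to host paths below.
TARGETED_APPS = [
    r"\system\apps\WILDSKIN\WILDSKIN.App",
    r"\system\apps\FExplorer\FExplorer.App",
    r"\system\apps\Mp3Player\Mp3Player.App",
    r"\system\apps\SmsMachine\SmsMachine.App",
    r"\system\apps\realplayer\realplayer.App",
]

# Files the trojan drops, taken from the analysis above.
DROPPED_FILES = [
    r"\RAGHU_RINU\raghu",
    r"\RAGHU.txt",
    r"\Images\RAGHU.txt",
    r"\system\RAGHU.txt",
    r"\system\apps\RINUMenu\RINUMenu.APP",
]

# Assumed cut-off: the report says the replacement files "only contain a few
# bytes", while any real .App is at least kilobytes in size.
STUB_MAX_BYTES = 64


def _host_path(drive_root, symbian_path):
    """Map a backslash-separated Symbian path onto a directory on the host."""
    parts = symbian_path.lstrip("\\").split("\\")
    return os.path.join(drive_root, *parts)


def find_stubbed_apps(drive_root, targets=TARGETED_APPS, max_bytes=STUB_MAX_BYTES):
    """Return targeted .App paths that exist on this drive but are stub-sized."""
    hits = []
    for sym in targets:
        p = _host_path(drive_root, sym)
        if os.path.isfile(p) and os.path.getsize(p) <= max_bytes:
            hits.append(sym)
    return hits


def find_dropped_files(drive_root, dropped=DROPPED_FILES):
    """Return the dropped marker files that are present on this drive."""
    return [sym for sym in dropped if os.path.isfile(_host_path(drive_root, sym))]


def triage(drive_root):
    """Combine both checks for one drive."""
    return {
        "stubbed_apps": find_stubbed_apps(drive_root),
        "dropped_files": find_dropped_files(drive_root),
    }


def _write(drive_root, sym, data):
    p = _host_path(drive_root, sym)
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "wb") as f:
        f.write(data)


def build_demo_drives(base):
    """Constructed sample: drive C infected, drive E untouched."""
    c = os.path.join(base, "c")
    e = os.path.join(base, "e")
    _write(c, TARGETED_APPS[0], b"RAGHU")          # overwritten with a stub
    _write(c, TARGETED_APPS[2], b"\x00" * 7)       # overwritten with a stub
    _write(c, TARGETED_APPS[4], b"\x00" * 4096)    # a healthy-sized .App
    _write(c, DROPPED_FILES[1], b"greetings")      # \RAGHU.txt dropped
    _write(c, DROPPED_FILES[3], b"greetings")      # \system\RAGHU.txt dropped
    _write(e, TARGETED_APPS[1], b"\x00" * 4096)    # FExplorer on E: untouched
    return c, e


def run_demo():
    """Build the constructed drives, triage both, return results per drive."""
    with tempfile.TemporaryDirectory() as tmp:
        c, e = build_demo_drives(tmp)
        return {"C:": triage(c), "E:": triage(e)}


if __name__ == "__main__":
    for drive, result in run_demo().items():
        print(drive, result)
```

On the constructed sample only drive C reports hits, which matches the observation above that applications installed on another drive are left alone; on a real image the same two lists can be extended with the full set of paths from this report.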
Miscellaneous
Raghu.txt contains:

    ----R A G H U---- VIRUS BORN IN SURAT(GUJRAT/INDIA/ASIA). THE NAME OF THIS VIRUS
    IS RAGHU.... U KNOW WHY....???????? BECAUSE I LIKE VASTAV MOVIE AND SANJU
    BABA. U LIKE THIS VIRUS? SO MANY SOFTWARE CRACKS AND VIRUS AVAILABLE SOON....
    RAGHU NAM HE RAGHU...