SymbOS/Appdisabler.D!tr - Released Oct 14, 2005 - Last Updated Apr 28, 2006

Detection Availability

Product       Active Database   Extended Database
FortiGate     low               high
FortiClient
FortiMail     N/A

Visible Symptoms

  • Previously installed applications no longer function after installing a Symbian installer file named "Raghu.sis"

Detailed Analysis

This is a minor variant of SymbOS/Appdisabler.D!tr.

This Symbian trojan destroys a large list of S60 applications. It may be installed on the device from a .SIS file named Raghu.sis.

Upon execution, the installer warns that a non-secured application is about to be installed; if the user chooses to continue, the trojan infects the system.

English translation of the warning: Non secured application. Install only if it comes from a trusted source.

The infection scheme is basic but effective: it overwrites the original .app files with its own dropped files. The installer .sis file itself is the malicious component, not the dropped files, which contain only a few bytes. The destroyed applications range from SMS-related to MP3 to photo applications, very similar to Appdisabler.C.

Note that it only destroys programs installed on the same drive. As a test, we installed "FExplorer" and "Screenshot" on drive e: and the trojan on drive c:; the two applications on drive e: remained accessible and were not overwritten.

The trojan installs an application called Raghu but does not affect applications installed on other drives.

It also drops these files on the system:

- \RAGHU.txt
- \Images\RAGHU.txt
- \Images\RAGHU CRACK.jpg
- \Images\Image(03).JPG
- \system\RAGHU.txt

The text files contain greetings from the author and warn the user not to install the trojan. The .jpg contains a photo of the author wearing sunglasses.

Finally, the trojan creates these files on the c: drive:

- C:\system\apps\RINUMenu\RINUMenu_caption.rsc
- C:\system\apps\RINUMenu\RINUMenu.RSC
- C:\system\apps\RINUMenu\RINUMenu.APP
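The two observations above, that victim .app files are overwritten with files of only a few bytes and that only the drive the trojan was installed on is affected, translate directly into a triage check. The following is an added example, not Fortinet's tooling and not code from the original analysis: it scans an extracted or mounted drive tree for the dropped-file paths listed above and for .app files under \system\apps that have shrunk to a few bytes. The 64-byte threshold, the sample directory layout, and the file contents it builds are constructed assumptions for demonstration.

```python
"""Added triage example (not Fortinet's tooling and not part of the original
analysis): scan an extracted or mounted Symbian drive for (a) the artefact
paths listed above and (b) .app files under \\system\\apps that have shrunk to
a few bytes, the signature of Appdisabler.D's overwrite."""
import tempfile
from pathlib import Path

# Dropped-file paths taken from the analysis above, relative to the drive root.
DROPPED_ARTEFACTS = [
    r"RAGHU.txt",
    r"Images\RAGHU.txt",
    r"Images\RAGHU CRACK.jpg",
    r"Images\Image(03).JPG",
    r"system\RAGHU.txt",
    r"system\apps\RINUMenu\RINUMenu_caption.rsc",
    r"system\apps\RINUMenu\RINUMenu.RSC",
    r"system\apps\RINUMenu\RINUMenu.APP",
]

# Assumption: a real S60 .app binary is far larger than the few bytes the
# trojan writes over it, so anything under this size is treated as clobbered.
# The 64-byte threshold is a constructed value, not from the analysis.
TINY_APP_THRESHOLD = 64

# The trojan's own application directory is reported via DROPPED_ARTEFACTS,
# not as a clobbered victim.
TROJAN_APP_DIRS = {"rinumenu"}


def _from_win(rel):
    """Convert a backslash-separated relative path into a Path."""
    return Path(*rel.split("\\"))


def find_clobbered_apps(drive_root, threshold=TINY_APP_THRESHOLD):
    """Return POSIX-style relative paths of .app files under system/apps that
    are smaller than `threshold` bytes, skipping the trojan's own directory."""
    root = Path(drive_root)
    apps_dir = root / "system" / "apps"
    hits = []
    if not apps_dir.is_dir():
        return hits
    for p in apps_dir.rglob("*"):
        if not p.is_file() or p.suffix.lower() != ".app":
            continue
        if p.parent.name.lower() in TROJAN_APP_DIRS:
            continue
        if p.stat().st_size < threshold:
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def find_dropped_artefacts(drive_root):
    """Return the listed artefact paths that exist on this drive, in list order."""
    root = Path(drive_root)
    return [rel for rel in DROPPED_ARTEFACTS if (root / _from_win(rel)).exists()]


def build_sample_drives():
    """Constructed sample data: a 'c:' tree where the trojan was installed and
    an 'e:' tree holding an untouched application. Returns (c_root, e_root)."""
    c = Path(tempfile.mkdtemp(prefix="c_drive_"))
    e = Path(tempfile.mkdtemp(prefix="e_drive_"))
    # Healthy app on c: (4 KiB placeholder binary) and a clobbered one.
    (c / "system" / "apps" / "Calendar").mkdir(parents=True)
    (c / "system" / "apps" / "Calendar" / "Calendar.app").write_bytes(b"\x00" * 4096)
    (c / "system" / "apps" / "Camera").mkdir(parents=True)
    (c / "system" / "apps" / "Camera" / "Camera.app").write_bytes(b"RAGHU")
    # The trojan's own tiny app and a few of its dropped files.
    (c / "system" / "apps" / "RINUMenu").mkdir(parents=True)
    (c / "system" / "apps" / "RINUMenu" / "RINUMenu.APP").write_bytes(b"RAGHU")
    (c / "Images").mkdir()
    (c / "Images" / "RAGHU CRACK.jpg").write_bytes(b"\xff\xd8")
    (c / "RAGHU.txt").write_text("constructed sample text")
    # FExplorer on e:, installed on a different drive and left intact.
    (e / "system" / "apps" / "FExplorer").mkdir(parents=True)
    (e / "system" / "apps" / "FExplorer" / "FExplorer.app").write_bytes(b"\x00" * 4096)
    return str(c), str(e)


def triage(drive_root):
    """Summarise one drive: which victims need restoring from backup and which
    trojan artefacts should be deleted."""
    return {
        "restore_from_backup": find_clobbered_apps(drive_root),
        "delete": find_dropped_artefacts(drive_root),
    }


if __name__ == "__main__":
    c_root, e_root = build_sample_drives()
    for label, root in (("c:", c_root), ("e:", e_root)):
        print(label, triage(root))
```

Run against the constructed sample, the c: tree reports Camera.app as a victim to restore from backup and three of the listed artefacts to delete, while the e: tree reports nothing, matching the drive-locality observed in the analysis. On a real extraction, the size threshold is the part to tune: it should sit well below the smallest legitimate .app on the device.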

Miscellaneous

Raghu.txt contains:

----R A G H U---- VIRUS BORN IN SURAT(GUJRAT/INDIA/ASIA). THE NAME OF THIS VIRUS IS RAGHU.... U KNOW WHY....???????? BECAUSE I LIKE VASTAV MOVIE AND SANJU BABA. U LIKE THIS VIRUS? SO MANY SOFTWARE CRACKS AND VIRUS AVAILABLE SOON.... RAGHU NAM HE RAGHU...

Recommended Action

    FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

    FortiClient systems:
  • Quarantine/Delete infected files detected

    Mobile Device:
  • Delete the newly created Trojan executable manually

  • Replace deleted files from backup

Reference: ID - 99267