SymbOS/Appdisabler.H!tr - Released Nov 09, 2005 - Last Updated Apr 27, 2006

Alias/es

SymbOS.Trojan.Hidemenu.A [ClamAV], SymbOS/Appdisabler.H!dr, SymbOS/Skulls.gen [McAfee]

Detection Availability

Active Database | Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • Already installed applications fail after a Symbian installable package is installed, because the Trojan overwrites them with a 6-byte dummy file

  • Creation of the following files on the device after installing a Symbian installable package:

    \images\image(03).jpg
    \images\raghu crack.jpg
    \images\raghu.txt

    \system\raghu.txt
    \system\apps\raghu.txt
    \system\apps\raghu\raghu.app

    \system\apps\raghumenu\raghumenu.app
    \system\apps\raghumenu\raghumenu.rsc
    \system\apps\raghumenu\raghumenu_caption.rsc

    \system\apps\rinumenu\rinumenu.app
    \system\apps\rinumenu\rinumenu.rsc
    \system\apps\rinumenu\rinumenu_caption.rsc

Detailed Analysis

This Trojan is essentially an application overwriter for Symbian Series 60 devices (PDAs, cell phones, etc.). Its purpose is to make the compromised user's life miserable: many already installed programs are replaced with a 6-byte dummy file, which prevents the application from running.

This Trojan may be found within a .SIS file (a Symbian installable package). When the .SIS file extracts its contents, it writes files into folders that may already exist, including the following:

\system\apps\answrec\answrec.app
\system\apps\blacklist\blacklist.app
\system\apps\bluejackx\bluejackx.app
\system\apps\callcheater\callcheater.app
\system\apps\callmanager\callmanager.app
\system\apps\camcoder\camcoder.app
\system\apps\camerafx\camerafx.app
\system\apps\eticamcorder\eticamcorder.app
\system\apps\etimoviealbum\etimoviealbum.app
\system\apps\etiplayer\etiplayer.app
\system\apps\extendedrecorder\extendedrecorder.app
\system\apps\facewarp\facewarp.app
\system\apps\fexplorer\fexplorer.app
\system\apps\fscaller\fscaller.app
\system\apps\hair\hair.app
\system\apps\hantrocp\hantrocp.app
\system\apps\irremote\irremote.app
\system\apps\jelly\jelly.app
\system\apps\kpcamain\kpcamain.app
\system\apps\launcher\launcher.app
\system\apps\logoman\logoman.app
\system\apps\midied\midied.app
\system\apps\mmp\mmp.app
\system\apps\mp3go\mp3go.app
\system\apps\mp3player\mp3player.app
\system\apps\photoacute\photoacute.app
\system\apps\photoeditor\photoeditor.app
\system\apps\photographer\photographer.app
\system\apps\photosafe\photosafe.app
\system\apps\photosms\photosms.app
\system\apps\pvplayer\pvplayer.app
\system\apps\rallyprocontest\rallyprocontest.app
\system\apps\realplayer\realplayer.app
\system\apps\ringmaster\ringmaster.app
\system\apps\smartanswer\smartanswer.app
\system\apps\smartmovie\smartmovie.app
\system\apps\smsmachine\smsmachine.app
\system\apps\sounder\sounder.app
\system\apps\ssaver\ssaver.app
\system\apps\systemexplorer\systemexplorer.app
\system\apps\ultramp3\ultramp3.app
\system\apps\uvsmstyle\uvsmstyle.app
\system\apps\wildskin\wildskin.app

Every replaced .APP file is 6 bytes in size, and its content is simply "33".
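The two observable artifacts described above (overwritten .APP files that are exactly 6 bytes long and contain "33", plus the dropped raghu/rinumenu files listed under Visible Symptoms) are easy to check for offline on a copy of the device's file system, such as a backup or a memory card read on a PC. The following triage script is an added example, not Fortinet's tooling or part of this entry; it assumes the 6-byte dummy consists of "33" followed by whitespace or NUL padding (the page does not state what the remaining bytes are), and the sample tree it scans is constructed in a temporary directory for demonstration.

```python
"""Triage helper for the SymbOS/Appdisabler.H!tr overwrite pattern.

Added example (not Fortinet's code). Walks a directory tree that represents
a copy of a Symbian device file system and reports:
  * .app files that are exactly 6 bytes long and whose content is "33"
    (the dummy file the Trojan writes over existing applications), and
  * the indicator files the Trojan drops (raghu.txt, raghumenu, rinumenu, ...).
"""
import os
import tempfile
from pathlib import Path

DUMMY_SIZE = 6
DUMMY_CONTENT = b"33"

# Dropped-file indicators taken from the "Visible Symptoms" section.
# Stored relative to the drive root, lower-cased, with forward slashes.
DROPPED_FILES = {
    "images/image(03).jpg",
    "images/raghu crack.jpg",
    "images/raghu.txt",
    "system/raghu.txt",
    "system/apps/raghu.txt",
    "system/apps/raghu/raghu.app",
    "system/apps/raghumenu/raghumenu.app",
    "system/apps/raghumenu/raghumenu.rsc",
    "system/apps/raghumenu/raghumenu_caption.rsc",
    "system/apps/rinumenu/rinumenu.app",
    "system/apps/rinumenu/rinumenu.rsc",
    "system/apps/rinumenu/rinumenu_caption.rsc",
}


def is_dummy_app(path: Path) -> bool:
    """True if the file matches the 6-byte '33' dummy the Trojan writes."""
    try:
        if path.stat().st_size != DUMMY_SIZE:
            return False
        data = path.read_bytes()
    except OSError:
        return False
    # Assumption: the bytes after "33" are whitespace or NUL padding.
    return data.strip(b" \r\n\t\x00") == DUMMY_CONTENT


def scan_device_root(root) -> dict:
    """Return {'overwritten': [...], 'dropped': [...]} of relative paths."""
    root = Path(root)
    overwritten, dropped = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix().lower()
            if rel in DROPPED_FILES:
                dropped.append(rel)
            elif rel.endswith(".app") and is_dummy_app(full):
                overwritten.append(rel)
    return {"overwritten": sorted(overwritten), "dropped": sorted(dropped)}


def build_sample_tree() -> str:
    """Construct a mock device tree (constructed sample data, not a real image)."""
    root = tempfile.mkdtemp(prefix="symbian_")

    def put(rel, data):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)

    put("system/apps/fexplorer/fexplorer.app", b"33\r\n\r\n")          # 6-byte dummy
    put("system/apps/realplayer/realplayer.app", b"33\x00\x00\x00\x00")  # 6-byte dummy
    put("system/apps/camcoder/camcoder.app", b"\x00" * 5000)          # intact binary
    put("system/apps/notes/notes.app", b"330000")                     # 6 bytes, not a dummy
    put("system/raghu.txt", b"----R A G H U-C R A C K----")           # dropped indicator
    put("system/apps/rinumenu/rinumenu.rsc", b"\x01\x02")             # dropped indicator
    return root


if __name__ == "__main__":
    result = scan_device_root(build_sample_tree())
    for kind, paths in result.items():
        print(f"{kind}:")
        for p in paths:
            print(f"  {p}")
```

Files reported under "overwritten" are the ones to restore from backup; files under "dropped" are the Trojan's own and can be deleted, which matches the Mobile Device steps in the Recommended Action section.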

The Trojan also writes a text file named "raghu.txt" with the following contents:

----R A G H U-C R A C K----

VIRUS BORN IN SURAT(GUJRAT/INDIA/ASIA).

THE NAME OF THIS VIRUS IS RAGHU....
U KNOW WHY....????????

BECAUSE I LIKE VASTAV MOVIE AND SANJU BABA.

U LIKE THIS VIRUS?


SO MANY SOFTWARE CRACKS AND VIRUS AVAILABLE SOON....

RAGHU NAM HE RAGHU...

(MUSAFIR) ATE HE VIRUS DEKE JATE HE (VASTAV) ME VO VIRUS (SADAK) KE KISI GALLE PE BETHNE
WALE EK SANJU BABA KE FRIEND NE BANAYA HE JISKA (NAAM)......????(BHAI----NAAM TO HUM NAHI BATAENGE APNA..)

I LOVE SURAT----NO ONE CITY HAS THE LOVEBIRD"S LIKE ME N OTHER SURTI"S........

FROM --- (-) RAGHU & RINU (-)


PRODUCTS....

1.RAGHU.SIS (VIRUS)
2.RAGHU_R.SIS (VIRUS)
3.RAGHU_C.SIS (VIRUS)
4.RAGHU_MP3 PLAYER.SIS (TWO IN ONE MP3 PLAYER)

Recommended Action

    FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

    FortiClient systems:
  • Quarantine/Delete infected files detected

    Mobile Device:
  • Delete the newly created Trojan files
  • Replace over-written and non-functional files from backup

Reference: ID - 107022