Visible SymptomsThe following files exist:
- c:\system\Apps\[random_name].exe : 80912 bytes (79k)
- c:\system\Apps\[random_name].sis : 60008 bytes (59k)
- c:\system\recogs\[random_name].mdl : 3296 bytes
- c:\system\Data\[random_name].exe : 80912 bytes (79k)
- c:\system\Data\[random name].dat : 8 bytes
- c:\system\Data\[random_name].ini : 0 bytes
Any of the following files exist:
- c:\system\Install\sex.mp3 : 60008 bytes (59k)
- c:\system\Install\love.rm : 60008 bytes (59k)
- c:\system\Install\beauty.jpg : 60008 bytes (59k)
Detailed Analysis
Its propagation vector is an MMS and Bluetooth.
The phone issues a warning dialog saying "Application is untrusted and may have problems. Install only if you trust provider".
Once the user opens the MMS, the phone demands the user's permission to install a file. The file has a random name.
The file details can be checked by selecting the "Options" menu option. The file details show that no certificate is available and that the supplier is unknown.
Once the application is installed,
the following files can be found on the file system:
- c:\system\Apps\[random_name].exe : 80912 bytes (79k)
- c:\system\Apps\[random_name].sis : 60008 bytes (59k)
- c:\system\recogs\[random_name].mdl : 3296 bytes
- c:\system\Data\[random_name].exe : 80912 bytes (79k)
- c:\system\Data\[random_name].dat : 8 bytes
- c:\system\Data[random_name].ini : 0 bytes
and any of the following files:
- c:\system\Install\sex.mp3 : 60008 bytes (59k)
- c:\system\Install\love.rm : 60008 bytes (59k)
- c:\system\Install\beauty.jpg : 60008 bytes (59k)
The virus process can be seen in the process list:
It sends itself as an MMS to phone numbers of the same operator as well as to the phone numbers of the contacts on the infected phone.
The message details can be seen by selecting the appropriate menu option:
It searches for Bluetooth-enabled devices and attempts to send a copy of the SIS file to all devices that it finds. The file name is one of the following:
- beauty.jpg
- love.rm
- sex.mp3
|