SymbOS/BrokenLog.A!tr - Released Jul 12, 2010 - Last Updated Jul 13, 2010
Alias(es): BrokenLog.A (NetQin)
Detection Availability
Visible Symptoms
The phone's system log report cannot be opened.
Detailed Analysis
SymbOS/BrokenLog.A!tr is a Trojan for mobile phones running Symbian OS 7 or 8.
It is usually distributed under the name 'sex.3gp', so end users install it on their phones
expecting to watch a video clip (see Figure 1). What is actually installed is an application with
malicious capabilities: hiding its own task, silently sending SMS messages and connecting to the Internet.
Figure 1. Being asked to install a .3gp file is already suspicious: a video clip should only be played, and
Symbian installation packages use the .sis extension.
However, due to a bug, this malware is unable to do its nefarious work and only
disables the system's log report as a side effect.
Technical Details
The malware installs the following files on the mobile phone:
- c:\system\apps\logser\logser.app: the malware's main executable.
- c:\system\libs\etel3rdparty.dll: DLL used to handle phone calls.
- c:\system\recogs\rec.txt
- c:\system\apps\logser\logser.mdl: recognizer module that automatically restarts the malware after a phone reboot.
- c:\system\data\aaint.dat
- c:\system\apps\logser\logser.aif: application information file (icon and caption data).
- c:\system\apps\logser\logser.rsc: compiled resource file.
The malware overwrites the files of the phone's log application in c:\system\apps\logservice with its own
c:\system\apps\logser files. This is what disables the phone's log report menu.
The malware has the capability to:
- silently read and send SMS messages.
- retrieve the phone's model, IMEI and IMSI.
- hide its task from the task list.
- contact a remote URL, hxxp://control.uniterminal.com/mcc/index.cgi, and process the
corresponding response.
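The two practical checks a responder can make from this analysis are (a) whether a file handed out as a video is really a Symbian installation package, and (b) whether a phone's C: drive carries the files listed above. The following Python is an added example written for this page; it is not Fortinet's or NetQin's detection code. The SIS header layout it relies on (four little-endian UIDs, with UID2 0x1000006D and UID3 0x10000419 for Symbian OS 6-8 packages) is general Symbian file-format knowledge stated here as an assumption, the sample headers and the sample directory listing are constructed for the demonstration, and 0x101F8E01 is a made-up application UID.

```python
"""Offline triage helpers for the SymbOS/BrokenLog.A indicators described above.

Added example, not the vendor's detection logic. SIS UID constants are assumed
from the Symbian OS 6-8 SIS header layout; drop-file paths are the ones listed
on this page; all sample bytes and listings are constructed."""
import struct

SIS_UID2_EPOC6 = 0x1000006D    # assumed: UID2 of a Symbian OS 6-8 SIS package
SIS_UID3_SISFILE = 0x10000419  # assumed: UID3 marking a SIS file

# Files this page reports the Trojan drops (lower-case, backslash paths).
BROKENLOG_FILES = {
    r"c:\system\apps\logser\logser.app",
    r"c:\system\libs\etel3rdparty.dll",
    r"c:\system\recogs\rec.txt",
    r"c:\system\apps\logser\logser.mdl",
    r"c:\system\data\aaint.dat",
    r"c:\system\apps\logser\logser.aif",
    r"c:\system\apps\logser\logser.rsc",
}


def sniff_container(data: bytes) -> str:
    """Classify the first 16 bytes of a file as 'sis', '3gp' or 'unknown'.

    3GP files are ISO base-media files with an 'ftyp' box at offset 4;
    Symbian 6-8 SIS files begin with four little-endian 32-bit UIDs."""
    if len(data) < 16:
        return "unknown"
    if data[4:8] == b"ftyp":
        return "3gp"
    _uid1, uid2, uid3, _uid4 = struct.unpack("<4I", data[:16])
    if uid2 == SIS_UID2_EPOC6 and uid3 == SIS_UID3_SISFILE:
        return "sis"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name claims a video but the bytes are a SIS package
    (the 'sex.3gp' lure), or when a .sis does not actually contain a SIS header."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    kind = sniff_container(data)
    if ext == "3gp":
        return kind != "3gp"
    if ext == "sis":
        return kind != "sis"
    return False


def scan_listing(paths):
    """Return the BrokenLog drop files present in a list of phone file paths."""
    normalized = {p.lower().replace("/", "\\") for p in paths}
    return sorted(normalized & BROKENLOG_FILES)


# Constructed sample inputs (not captured from a real device).
SAMPLE_SIS_HEADER = struct.pack("<4I", 0x101F8E01, SIS_UID2_EPOC6, SIS_UID3_SISFILE, 0)
SAMPLE_3GP_HEADER = b"\x00\x00\x00\x18ftyp3gp4\x00\x00\x02\x00"
SAMPLE_LISTING = [
    r"C:\System\Apps\Logser\logser.app",
    r"C:\System\Apps\Logser\logser.mdl",
    r"C:\System\Data\aaint.dat",
    r"C:\System\Apps\Calendar\Calendar.app",
]

if __name__ == "__main__":
    print("sex.3gp mismatch:", extension_mismatch("sex.3gp", SAMPLE_SIS_HEADER))
    print("drop files found:", scan_listing(SAMPLE_LISTING))
```

Run it against the first 16 bytes of any file offered as a .3gp before letting it install, and against a full C: drive listing (for example, one pulled with a file manager over Bluetooth) to confirm the dropped files before cleaning.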
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.