This application requires Javascript for optimal performance.

SymbOS/CommDN.A!tr - Released Jul 19, 2010 - Last Updated Jul 26, 2010

Alias/es

CommDN.A (NetQin)

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • Abnormally high bill due to unexpected sending of SMS messages and connection to Internet
  • Two applications, CommDN and CommServer, are installed on the mobile phone

Detailed Analysis

SymbOS/CommDN.A!tr affects mobile phones running Symbian OS with version 9 or greater.
Its package name may typically be something like nokiasp8.sisx to have the end-user think it is a legitimate service pack or update for Nokia phones.
Instead, the malware silently downloads and installs another malware and silently sends SMS messages to phone numbers inside the People's Republic of China.



Technical Details


The malware installs the following files on the mobile phone:
  • c:\data\commdbtre.cfg: registration configuration information
  • c:\data\commdbtup.cfg: update configuration information
  • c:\sys\bin\CommDN.exe: main malicious executable.
The main malicious executable downloads a new malware from the malicious URL:
hxxp://dgo.4gmy.com/DGOManagerServer/file/TianXiangServer2.sisx

The downloaded file is temporarily kept on the mobile phone in c:\data\others\commdtserver.sisx.
Then, it installs this new malware without asking for user's consent. This malware is listed on the phone as 'CommServer' (see Figure 1).

Figure 1. The alleged Nokia Update is installed as 'CommDN'. It downloads another malware listed as 'CommServer'

The downloaded malware contains the following files:
  • c:\sys\bin\COMMDT2Server.exe: main part of the malware
  • c:\sys\bin\COMMDT2Start.exe: an executable that launches COMMDT2Server.exe
  • c:\private\2002BEA8\Update.xml: usually, a copy of c:\data\commdbtup.cfg
  • c:\sys\bin\TxXmlParser.dll: an XML parsing DLL
Once installation is complete, the temporary file c:\data\others\commdtserver.sisx is deleted.
CommDN.exe runs COMMDT2Start.exe, which is an executable of the downloaded malware. In turn, COMMDT2Start.exe starts COMMDT2Server.exe. This executable checks if a c:\data\commdbtup.cfg file exists. If so, it overwrites c:\private\2002BEA8\Update.xml with c:\data\commdbtup.cfg.
Then, it parses the Update XML file, searching for phone number listed in the "register" tag: 
<register>
	<to num = "15810939xxx"> more info </to>
	<to num = "13439512xxx"> more info </to>
	<to num = "13439513xxx"> more info </to>
	<to num = "13439512xxx"> more info </to>
	<to num = "13439512xxx"> more info </to>
</register>
All those phone numbers are located in China, in the area of Beijing.
For the malware, registering consists in retrieving the phone's IMEI and model and sending both information by SMS to one of these numbers (randomly selected). As the international prefix is not specified, the SMS message is only successfully delivered if the victim is located in China.
The SMS message is formatted with characters #: to separate fields: 
IMEI:#PHONE MODEL:#log...
The SMS messages are sent without user's knowledge, dumping the text into a low-level SMS socket. The messages are not listed on the phone's message outbox.

Upon successful registration, the COMMDT2Server retrieves the victim's IMSI. This information is stored in an other XML file, c:\data\commdbtre.cfg or c:\private\2002BEA8\register.xml.

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1948419