Visible Symptoms
- Abnormally high bill due to unexpected sending of SMS messages and connection to the Internet
- Two applications, CommDN and CommServer, are installed on the mobile phone
Detailed Analysis
SymbOS/CommDN.A!tr affects mobile phones running Symbian OS version 9 or greater.
Its package is typically named something like nokiasp8.sisx so that the end-user takes it for a legitimate service pack or update for Nokia phones.
Instead, the malware silently downloads and installs a second piece of malware and silently sends SMS messages to phone numbers inside the People's Republic of China.
Technical Details
The malware installs the following files on the mobile phone:
- c:\data\commdbtre.cfg: registration configuration information
- c:\data\commdbtup.cfg: update configuration information
- c:\sys\bin\CommDN.exe: main malicious executable.
The main malicious executable downloads a new malware from the malicious URL:
hxxp://dgo.4gmy.com/DGOManagerServer/file/TianXiangServer2.sisx
The downloaded file is temporarily kept on the mobile phone in c:\data\others\commdtserver.sisx.
Then, it installs this new malware without asking for the user's consent. This malware is listed on the phone as 'CommServer' (see Figure 1).
Figure 1. The alleged Nokia Update is installed as 'CommDN'. It downloads another malware listed as 'CommServer'
The downloaded malware contains the following files:
- c:\sys\bin\COMMDT2Server.exe: main part of the malware
- c:\sys\bin\COMMDT2Start.exe: an executable that launches COMMDT2Server.exe
- c:\private\2002BEA8\Update.xml: usually, a copy of c:\data\commdbtup.cfg
- c:\sys\bin\TxXmlParser.dll: an XML parsing DLL
Once installation is complete, the temporary file c:\data\others\commdtserver.sisx is deleted.
CommDN.exe runs COMMDT2Start.exe, which is an executable of the downloaded malware. In turn, COMMDT2Start.exe starts COMMDT2Server.exe. This executable checks if a c:\data\commdbtup.cfg file exists. If so, it overwrites c:\private\2002BEA8\Update.xml with c:\data\commdbtup.cfg.
Then, it parses the Update XML file, searching for the phone numbers listed in the "register" tag:
<register>
<to num = "15810939xxx"> more info </to>
<to num = "13439512xxx"> more info </to>
<to num = "13439513xxx"> more info </to>
<to num = "13439512xxx"> more info </to>
<to num = "13439512xxx"> more info </to>
</register>
All those phone numbers are located in China, in the area of Beijing.
For the malware, registering consists of retrieving the phone's IMEI and model and sending both by SMS to one of these numbers (randomly selected). As no international prefix is specified, the SMS message is only successfully delivered if the victim is located in China.
The SMS message uses the characters #: as field separators:
IMEI:#PHONE MODEL:#log...
The SMS messages are sent without the user's knowledge, by writing the text directly to a low-level SMS socket. The messages are not listed in the phone's message outbox.
Upon successful registration, COMMDT2Server retrieves the victim's IMSI. This information is stored in another XML file, c:\data\commdbtre.cfg or c:\private\2002BEA8\register.xml.
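The following Python script is an added example for analysts, not code from the original analysis: it parses the "register" section of the Update XML file described above to list the recipient numbers, recognises the registration SMS format (it assumes ":#" as the field separator, as in the sample line above, and a 15-digit IMEI), and matches a file listing against the paths named in this analysis. The XML, SMS bodies and file listing are constructed samples; the phone numbers are masked exactly as on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the <register> section of Update.xml, with the last
# digits masked as on the analysis page (duplicates kept on purpose).
SAMPLE_REGISTER_XML = """<register>
<to num = "15810939xxx"> more info </to>
<to num = "13439512xxx"> more info </to>
<to num = "13439513xxx"> more info </to>
<to num = "13439512xxx"> more info </to>
<to num = "13439512xxx"> more info </to>
</register>"""

# Constructed SMS bodies: one in the registration format, one ordinary message.
SAMPLE_SMS_LOG = [
    "356938035643809:#Nokia N95:#log 1",   # constructed IMEI and model
    "see you at 8",
]

# Constructed file listing from a phone; two entries match the analysis.
SAMPLE_FILE_LISTING = [
    r"C:\sys\bin\CommDN.exe",
    r"c:\data\photo.jpg",
    r"C:\private\2002BEA8\Update.xml",
]

# File paths the analysis lists for CommDN and the dropped CommServer package
# (lower-cased for case-insensitive matching).
KNOWN_PATHS = {
    r"c:\data\commdbtre.cfg",
    r"c:\data\commdbtup.cfg",
    r"c:\sys\bin\commdn.exe",
    r"c:\data\others\commdtserver.sisx",
    r"c:\sys\bin\commdt2server.exe",
    r"c:\sys\bin\commdt2start.exe",
    r"c:\private\2002bea8\update.xml",
    r"c:\sys\bin\txxmlparser.dll",
    r"c:\private\2002bea8\register.xml",
}


def registration_numbers(xml_text):
    """Return the unique recipient numbers under <register>, in document order."""
    root = ET.fromstring(xml_text)
    reg = root if root.tag == "register" else root.find(".//register")
    if reg is None:
        return []
    seen = []
    for to in reg.findall("to"):
        num = (to.get("num") or "").strip()
        if num and num not in seen:
            seen.append(num)
    return seen


def parse_registration_sms(body):
    """Recognise a registration SMS of the form IMEI:#MODEL:#log...
    Returns a dict of fields, or None if the body does not match."""
    fields = body.split(":#")
    if len(fields) < 2:
        return None
    imei, model = fields[0].strip(), fields[1].strip()
    # An IMEI is 15 digits; anything else is not a registration message.
    if not re.fullmatch(r"\d{15}", imei) or not model:
        return None
    return {"imei": imei, "model": model, "log": ":#".join(fields[2:])}


def flagged_messages(bodies):
    """Return the parsed fields of every body in the registration format."""
    return [m for m in (parse_registration_sms(b) for b in bodies) if m]


def known_file_indicators(paths):
    """Return the entries of a file listing that match the paths above."""
    return [p for p in paths if p.replace("/", "\\").lower() in KNOWN_PATHS]


if __name__ == "__main__":
    print("registration numbers:", registration_numbers(SAMPLE_REGISTER_XML))
    print("registration SMS:", flagged_messages(SAMPLE_SMS_LOG))
    print("known files:", known_file_indicators(SAMPLE_FILE_LISTING))
```

Duplicate numbers in the register tag are collapsed so that the output is a clean block list; a message body that cannot be split on ":#" or whose first field is not a 15-digit IMEI is ignored rather than reported, which keeps ordinary SMS traffic out of the result.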