This application requires Javascript for optimal performance.

SymbOS/Enoriv.A!tr.dial - Released Mar 24, 2010 - Last Updated Apr 12, 2010

Alias/es

Trojan-SMS.SymbOS.Enoriv.a (F-Secure, Kaspersky), Symbian.SMSSend.2 (DrWeb)

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

Abnormally high bill

Detailed Analysis

This malware silently sends 3 SMS messages to premium phone numbers. It runs on Symbian OS 7, 8 and 9.
It usually installs under the name of an application named 'File' with a snailish icon (see Figure 1).



Figure 1. Malware installed on a Symbian phone.



Technical Details


SymbOS/Enoriv.A!tr.dial consists in a stand-alone application written in m. Consequently, its Symbian SIS package contains the m runtime environment (menvironment.rsc, dialogs.rsc, file.app...) and a compiled m script (named file.mex for this malware) - which contains the malicious payload.
This malicious script performs the following tasks:
  1. wait for a while (sleep)
  2. send a first SMS message to short number 3649, with text 'opsex 3922'
  3. send a second SMS message to short number 7122
  4. send a third SMS message to short number 1171

The sending of those SMS messages is done silently, without the victim usually even knowing SMS are being sent. The SMS messages are not stored in the phone's Sent folder. Sending SMS messages to such short numbers is not free.

Recommended Action

Remove the malware (using the phone's Application Manager). Do not run the malware.

Reference: ID - 1677638