| Alias/es | Trojan-SMS.Python.Flocker.a |
| Release Date | Apr 10, 2008 |
| Detection Availability | Current Antivirus Definition Database Version: 12.202 |
Description
Visible Symptoms
Abnormally high phone bill.
The following message may be repeatedly displayed: (See Figure 1)
Message sending failed
The following files are created:
- !:\system\apps\Icq_reggerNEW\Icq_reggerNEW.app
- !:\system\apps\Icq_reggerNEW\default.py
- !:\system\apps\Icq_reggerNEW\Icq_reggerNEW.rsc
- !:\system\libs\keypress.pyd
- !:\system\libs\inbox.pyd
- !:\system\libs\appswitch.pyd
Figure 1: The malware is not silent when failing to operate properly
Detailed Analysis
This Trojan horse poses as an "Icq_Python" install file in order to trick the targeted user into installing it. After the installation phase, it can be found in the menu like any legitimate application, as can be seen in Figure 2 below:
Figure 2: Malware's icon in the Symbian menu
Running the program from the menu triggers the following actions:
- The malware continuously sends SMS messages to a hardcoded premium phone number (see Figures 3 and 4).
- It deletes SMS messages from the Inbox whenever the sender is the aforementioned number, probably in an attempt to hide the premium service's reply from the infected user.
Figure 3: Outbox
Figure 4: SMS details
Technical details
This piece of malware comes in the form of a SIS archive embedding a Python script file and, as such, can effectively run only on phones that support Python.
The code used to send SMS messages features the following instructions:
e32.ao_sleep(01)#
...
e32.ao_sleep(rnd.uniform(000,001))#
In order to pause for a mere second between two premium SMS messages.
The actual instruction to send the messages is:
try:messaging.sms_send('3649',u'FILES 545')
Making the message body empty.
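As an added illustration (not part of the original write-up, and not the vendor's detection logic), the following static triage heuristic scans the text of a Python-for-Symbian script for the pattern quoted above: a `messaging.sms_send` call with a hardcoded numeric recipient, paced by `e32.ao_sleep`. The function names, the six-digit short-code threshold and the benign sample are assumptions; the suspicious sample is constructed from the instructions quoted in this description.

```python
import re

# Call to PyS60's messaging.sms_send with both arguments given as string literals.
SMS_SEND = re.compile(
    r"""messaging\.sms_send\(\s*u?['"](\+?\d+)['"]\s*,\s*u?['"]([^'"]*)['"]""")
SLEEP = re.compile(r"e32\.ao_sleep\(")
SHORT_CODE_MAX_DIGITS = 6  # assumption: treat numbers this short as premium short codes

# Constructed sample: only the instructions quoted in the write-up above.
SAMPLE = """\
e32.ao_sleep(01)#
e32.ao_sleep(rnd.uniform(000,001))#
try:messaging.sms_send('3649',u'FILES 545')
"""
# Constructed benign sample: recipient comes from a variable, not a literal.
BENIGN = "messaging.sms_send(contact_number, user_text)\n"


def scan_script(source):
    """Return one finding per literal-recipient sms_send call in the source text."""
    paced = bool(SLEEP.search(source))
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip whole-line comments
        match = SMS_SEND.search(line)
        if match:
            number, body = match.groups()
            findings.append({
                "line": lineno,
                "recipient": number,
                "body": body,
                "short_code": len(number.lstrip("+")) <= SHORT_CODE_MAX_DIGITS,
                "paced_by_sleep": paced,
            })
    return findings


def verdict(findings):
    """'suspicious' if a short-code send is paced by ao_sleep, 'review' for any other hit."""
    if any(f["short_code"] and f["paced_by_sleep"] for f in findings):
        return "suspicious"
    return "review" if findings else "clean"


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE), ("benign", BENIGN)):
        hits = scan_script(text)
        print(name, verdict(hits), hits)
```

The scan works on raw text rather than `ast` because Python 2 literals such as `01` in the quoted code do not parse under Python 3.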
Description Last Updated Date: Feb 06, 2009
Reference: ID - 451970