
SymbOS/HatiHati.A!worm - Released May 13, 2008 - Last Updated Jul 07, 2009

Detection Availability

                 Active Database    Extended Database
  FortiGate      low                high
  FortiClient
  FortiMail      N/A

Visible Symptoms

  • Abnormally high phone bill.

  • Presence of any of the following files:

    • C:\greetsita0.txt
    • C:\system\apps\guardian\guardian.exe

Detailed Analysis



This malware originates from a legitimate application, whose flawed code literally transformed it into a virus:
  • Whenever a clean memory card is inserted in an infected device, it becomes infected.
  • Whenever an infected memory card is inserted in a clean device, the latter becomes infected.
As a consequence, the application hops from device to device via memory cards.

This would still be harmless if the application's purpose were not to warn a user by SMS that their phone has been stolen. Indeed, whenever the application detects a SIM card that differs from the originally predefined one, it secretly starts sending "SIM changed" SMS messages to a predefined phone number.

The impact for infected users is a high phone bill due to a high volume of "SIM changed" SMS messages sent from the infected device.

Notes:
  • Like many pieces of malware, this application arrives as an unsigned/uncertified SIS package, as can be seen in Figure 1.


    Figure 1: Shady applications are not signed.

  • Upon installation, a new item is created in the main menu, as shown in Figure 2.


    Figure 2: Infected device main menu.



Technical details
  • Upon installation, the following files are dropped:
    • C:\greetsita0.txt
    • C:\system\apps\guardian\guardian.aif
    • C:\system\apps\guardian\guardian.app
    • C:\system\apps\guardian\guardian.exe
    • C:\system\apps\guardian\guardian.r01
    • C:\system\apps\guardian\guardian.r02
    • C:\system\apps\guardian\guardian.r03
    • C:\system\apps\guardian\guardian.r04
    • C:\system\apps\guardian\guardian.r05
    • C:\system\apps\guardian\guardian_caption.r01
    • C:\system\apps\guardian\guardian_caption.r02
    • C:\system\apps\guardian\guardian_caption.r03
    • C:\system\apps\guardian\guardian_caption.r04
    • C:\system\apps\guardian\guardian_caption.r05
    • C:\system\apps\guardian\plugins\fakesms.dll
    • C:\system\apps\guardian\guardian.dat
    • C:\system\recogs\1020dc95.mdl

  • The same files are also dropped into E:\ as a backup.

  • To ensure that the malware is automatically started, the following file is created:
    • C:\system\recogs\1020dc95.mdl

    This shortcut executes the file C:\system\apps\guardian\guardian.exe every time the device starts.

  • A routine checks for the presence of the application files in C:\ and E:\ and recreates any that are missing.

  • The code features routines capable of querying the IMEI, IMSI and the phone's Cell ID registration.

  • Figure 3 displays a screenshot of the application's interface.


    Figure 3: Main interface.
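The file list above and the "Presence of any of the following files" symptom are what an analyst actually has to look for on a device drive or on a memory card that may have carried the application. The following script is an added example, not part of the Fortinet write-up: it takes a directory that holds the contents of a drive root (for instance a memory card mounted read-only on a workstation, or an extracted backup of C:\), reports which of the paths listed above are present, and treats the recogniser plus guardian.exe pair as the sign of a self-starting installation, since the write-up says the .mdl file launches guardian.exe at every boot. Matching is case-insensitive because Symbian file systems are. The `build_sample_drive` and `scan_constructed_sample` helpers only create empty placeholder files to exercise the scanner; they are constructed for the demo and do not represent the real file contents.

```python
"""Added example: check a drive root (C:\\ or E:\\ contents) for the
SymbOS/HatiHati.A file set listed in the write-up."""
import os
import tempfile
from pathlib import Path

# Dropped files exactly as listed in the write-up, relative to the drive root.
DROPPED_FILES = (
    r"greetsita0.txt",
    r"system\apps\guardian\guardian.aif",
    r"system\apps\guardian\guardian.app",
    r"system\apps\guardian\guardian.exe",
    r"system\apps\guardian\guardian.r01",
    r"system\apps\guardian\guardian.r02",
    r"system\apps\guardian\guardian.r03",
    r"system\apps\guardian\guardian.r04",
    r"system\apps\guardian\guardian.r05",
    r"system\apps\guardian\guardian_caption.r01",
    r"system\apps\guardian\guardian_caption.r02",
    r"system\apps\guardian\guardian_caption.r03",
    r"system\apps\guardian\guardian_caption.r04",
    r"system\apps\guardian\guardian_caption.r05",
    r"system\apps\guardian\plugins\fakesms.dll",
    r"system\apps\guardian\guardian.dat",
    r"system\recogs\1020dc95.mdl",
)

# The recogniser (.mdl) is what runs guardian.exe at boot, so the two
# together indicate a persistent, self-starting installation.
AUTOSTART_PAIR = (r"system\recogs\1020dc95.mdl", r"system\apps\guardian\guardian.exe")


def _norm(rel):
    """Normalise a relative path for case-insensitive, separator-agnostic comparison."""
    return rel.replace("\\", "/").lower()


def index_drive(root):
    """Return the set of normalised relative paths of every file under root."""
    root = Path(root)
    index = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            index.add(_norm(rel))
    return index


def scan_drive_root(root):
    """Return the listed paths that exist under root, in the write-up's order."""
    index = index_drive(root)
    return [p for p in DROPPED_FILES if _norm(p) in index]


def verdict(hits):
    """'clean' (nothing), 'infected' (autostart chain present) or 'partial' (leftovers)."""
    if not hits:
        return "clean"
    if all(p in hits for p in AUTOSTART_PAIR):
        return "infected"
    return "partial"


def build_sample_drive(root, files):
    """Constructed sample: create empty placeholder files under root (no real content)."""
    for rel in files:
        target = Path(root) / Path(rel.replace("\\", "/"))
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"")
    return root


def scan_constructed_sample(files):
    """Build a throwaway drive tree holding `files`, scan it, return (hits, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp, files)
        hits = scan_drive_root(tmp)
    return hits, verdict(hits)


if __name__ == "__main__":
    # Upper-cased names show that the match does not depend on case.
    hits, result = scan_constructed_sample([p.upper() for p in DROPPED_FILES])
    print(f"{len(hits)} of {len(DROPPED_FILES)} listed files present -> {result}")
    for h in hits:
        print("  ", h)
```

To use it on real evidence, call `scan_drive_root()` with the mount point of the card or the directory holding the drive contents; a "partial" result (for example only greetsita0.txt) usually means an incomplete cleanup rather than a clean device, and the self-repair routine described above will restore the missing files from the other drive if it is still running.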

Recommended Action

  • FortiGate systems:
    • Use the uninstall option of the application and delete the folder c:\system\apps\guardian.
    • Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option.

  • FortiClient systems:
    • Install and run Fortinet's FortiCleanup tool.

Reference: ID - 473232