
SymbOS/InSpirit.A!tr - Released Dec 21, 2010 - Last Updated Dec 22, 2010

Alias/es

InSpirit.A (NetQin)

Detection Availability

               Active Database    Extended Database
FortiGate      low                high
FortiClient
FortiMail      N/A

Visible Symptoms

  • SMS received from 95555 with a message in Chinese and a link to website http://cmb[REMOVED]

Detailed Analysis


SymbOS/InSpirit.A!tr is a Trojan Horse for mobile phones running Symbian OS 9.1 and higher.
The malware is usually bundled with a legitimate SMS/call management tool, to which it adds a phishing component.
The malicious package causes an SMS written in Chinese to be displayed on the user's phone. The message is drafted to appear to come from 'China Merchants Bank' and informs the user that his/her password was entered incorrectly five times.
It asks the user to log in at the above URL to avoid damage to funds.



Technical Details


The core of the malware is contained in a malicious sub-package. Its executable, named InboxSpirit.exe, is dropped into the c:\sys\bin directory and is automatically restarted after the phone reboots.
Note that the package contains other executables which are not malicious (e.g. ClientLauncher_0xEE4943BE.exe installs the inner benign package).

At first, InboxSpirit.exe creates a global semaphore, named InboxSpiritSemaphore_0x2002BA2A, to ensure it is not run twice.
Then, it looks for a configuration file named C:\system\data\Remote_Para.txt and copies it into a private directory: C:\private\2002BA2A\Remote_Para.txt (on Symbian OS 9.x, the name of a process's private directory is its secure ID, here 0x2002BA2A, the same value that appears in the semaphore name). This configuration file contains:
  • a magic number (0xef 0xbb 0xbf) used to check that its format is correct; these three bytes are simply the UTF-8 byte order mark, so the file is a BOM-prefixed UTF-8 text file
  • an SMS short code number
  • an SMS text (usually written in Chinese)

The SMS text is meant to fool the victim into visiting a phishing web site that harvests his/her login credentials for Chinese banks (see screenshot below).


The translated text is pasted below:
Dear customer, China Merchants Bank reminds you:
today your account password was entered incorrectly 5 times.
To avoid damage to your funds, log in to your account at
http://cmb[REMOVED].com for protection.
The SMS appears to come from the short code 95555, which is China Merchants Bank's nationwide customer service hotline. Note that the message is generated locally by the Trojan from the short code and text held in its configuration file; it is not delivered over the mobile network, so the displayed sender number proves nothing about its origin. Of course, it is advised not to follow the link and not to provide any login credentials.

Finally, note that the malicious sub-package was signed through Symbian's Express Signed program:

Serial Number:
  b0:ad:00:01:00:23:0b:b6:0a:f7:51:40:37:87
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GB, O=Symbian Limited, CN=Symbian CA I
Validity
  Not Before: Nov 30 14:50:48 2009 GMT
  Not After : Dec  1 14:50:48 2019 GMT
Subject: C=CN, ST=Fujian, L=XiaMen,
  O=Xiamen Jindoucheng Tech Co. Ltd.,
  OU=InboxSpirit  1.5.0, OU=Symbian Signed ContentID,
  CN=Xiamen Jindoucheng Tech Co. Ltd.

This certificate has already been revoked by Symbian:

Serial Number: B0AD000100230BB60AF751403787
Revocation Date: Mar  2 12:32:21 2010 GMT

Revocation only blocks installation on a phone that actually checks the certificate's revocation status at install time; a device that skips that check still accepts the package on the strength of the (valid-looking) signature.
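The indicators above (the dropped InboxSpirit.exe, the 0x2002BA2A private directory, the BOM-prefixed Remote_Para.txt with its short code and SMS text, and the revoked signing certificate) can be folded into a small offline triage script for a dumped phone file system or an extracted SIS package. The Python below is an added example written for this page, not Fortinet's or the malware's code. It assumes Remote_Para.txt holds the short code on its first text line and the SMS text on the following line(s) (the page lists the three fields but not their layout), and it builds a constructed sample dump in a temporary directory to run against.

```python
"""Offline triage for the SymbOS/InSpirit.A indicators described on this page.

Added example (not Fortinet's or the malware's code). ASSUMPTION: Remote_Para.txt
holds the short code on its first text line and the SMS text on the following
line(s); the page only lists the three fields, not their layout.
"""
import codecs
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the analysis above.
DROPPED_EXE = "inboxspirit.exe"           # dropped into c:\sys\bin
PRIVATE_DIR_UID = "2002ba2a"              # c:\private\2002BA2A
CONFIG_NAME = "remote_para.txt"
# The "magic number" 0xEF 0xBB 0xBF is just the UTF-8 byte order mark.
MAGIC = codecs.BOM_UTF8
CMB_SHORT_CODE = "95555"                  # China Merchants Bank hotline
# Revoked Express Signed certificate, serial as printed in the CRL entry above.
REVOKED_SERIALS = {"B0AD000100230BB60AF751403787"}


@dataclass
class RemotePara:
    short_code: str
    sms_text: str


def parse_remote_para(data: bytes) -> Optional[RemotePara]:
    """Return the (sender, text) pair if `data` has the expected format, else None."""
    if not data.startswith(MAGIC):
        return None                       # missing "magic number" (UTF-8 BOM)
    text = data[len(MAGIC):].decode("utf-8", errors="replace")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].isdigit():
        return None                       # no numeric short code or no SMS body
    return RemotePara(short_code=lines[0], sms_text=" ".join(lines[1:]))


def normalize_serial(serial: str) -> str:
    """Map openssl's 'b0:ad:00:...' form onto the CRL's 'B0AD00...' form."""
    return serial.replace(":", "").upper()


def signer_is_revoked(serial: str) -> bool:
    return normalize_serial(serial) in REVOKED_SERIALS


def scan_tree(root: str) -> List[str]:
    """Walk a dumped phone file system (or extracted SIS) and report indicators."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace("\\", "/")
        if rel.lower() == "private/" + PRIVATE_DIR_UID:
            findings.append(f"private directory of SID 0x{PRIVATE_DIR_UID.upper()}: {rel}")
        for name in filenames:
            lname = name.lower()
            if lname == DROPPED_EXE:
                findings.append(f"dropped executable: {rel}/{name}")
            elif lname == CONFIG_NAME:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    cfg = parse_remote_para(fh.read())
                if cfg is None:
                    findings.append(f"config with unexpected format: {rel}/{name}")
                else:
                    tag = " (CMB hotline)" if cfg.short_code == CMB_SHORT_CODE else ""
                    findings.append(f"fake SMS config: {rel}/{name} sender={cfg.short_code}{tag}")
    return sorted(findings)


def build_sample_dump() -> str:
    """Constructed sample dump mimicking the paths named in the analysis."""
    root = tempfile.mkdtemp(prefix="inspirit_")
    for sub in (("sys", "bin"), ("private", "2002BA2A"), ("system", "data")):
        os.makedirs(os.path.join(root, *sub))
    with open(os.path.join(root, "sys", "bin", "InboxSpirit.exe"), "wb") as fh:
        fh.write(b"placeholder, not a real binary")
    # Constructed config: BOM, the CMB short code, then a stand-in for the Chinese text.
    cfg = MAGIC + b"95555\n" + "[constructed phishing text]\n".encode("utf-8")
    for sub in (("system", "data"), ("private", "2002BA2A")):
        with open(os.path.join(root, *sub, "Remote_Para.txt"), "wb") as fh:
            fh.write(cfg)
    return root


if __name__ == "__main__":
    for line in scan_tree(build_sample_dump()):
        print(line)
    print("signer revoked:", signer_is_revoked("b0:ad:00:01:00:23:0b:b6:0a:f7:51:40:37:87"))
```

Run it as-is to see the four findings from the constructed dump, or point scan_tree() at a real C: drive image; the serial check lets the colon-separated serial from an openssl dump of the SIS signer certificate be matched against the CRL form quoted above.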

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 2345461