SymbOS/Multidr.DC!tr - Released Jul 06, 2010 - Last Updated Jul 13, 2010

Alias/es

SymbOS/MultiDropper.DC (NetQin)

Detection Availability

                Active Database    Extended Database
    FortiGate   low                high
    FortiClient
    FortiMail   N/A

Visible Symptoms

Abnormally high bill due to SMS sending and web traffic.

Detailed Analysis

SymbOS/Multidr.DC!tr poses as a message confidentiality application, but behind the scenes it sends unexpected SMS messages and connects to the Internet.
It installs without any problem on mobile phones running Symbian OS prior to version 9.0 (see Figure 1). For example, it runs on the Nokia 6600, Nokia 7610, etc. It does not affect phones running Symbian OS 9.0 or greater.

Figure 1. Main menu of the malware
Note this malware targets Chinese end-users:
  • the malware only supports the Chinese language
  • it can be downloaded from Chinese forums, under a name close to 'incest.sis'.
  • it sends unexpected SMS messages to a Chinese Service Provider. Those SMS messages won't be delivered if the victim is not located in China (the international prefix is missing). Victims worldwide may nonetheless experience abnormally high phone bills due to Internet connections caused by the malware.



Technical Details

The malware installs the following files:
  • c:\system\apps\smsserver\smsserver.app: malicious application sending an SMS message to a Chinese Service Provider whose number is hard-coded in the application: 106601142xxx. The text of the SMS is "G_" followed by the IMEI of the victim's phone. The SMS is sent by calling functions implemented in the SMS Engine DLL (smsengine.dll).
  • c:\system\apps\smsserver\smsserver_caption.rsc
  • c:\system\apps\smsserver\smsserver.rsc
  • c:\system\apps\smsserver\smsserver.aif
  • c:\system\recogs\smsrecog.mdl: automatically launches smsserver.app at phone boot
  • c:\system\apps\incest\incest.app: main malicious entry point. This application starts the smsserver.app application.
  • c:\system\apps\incest\incest.aif
  • c:\system\apps\incest\incest_caption.rsc
  • c:\system\apps\incest\incest.rsc
  • c:\system\apps\incest\incest.mbm
  • c:\system\libs\smsengine.dll: DLL to help send SMS messages.
  • c:\system\apps\incest\incest.db: database used by the malware. It contains 4 tables: plc_t, box_t, msg_t, tsh_t. The plc_t table contains a type column. The msg_t table contains a link column. The various executables of the malware query that database with SQL commands to retrieve the information they need.
  • c:\system\data\epoc_host.txt: this file contains the malicious domain name the malware contacts (this website no longer responds): hxxp://sasb.cn.
  • c:\system\data\nrchiie.txt
  • c:\system\data\sdrsdat.data: despite its .data extension, this file is an EPOC executable. It handles HTTP communications with the remote malicious web server. In particular, it calls Java Server Pages on the remote web server, providing the phone's IMEI as a parameter. If necessary, it sets the phone's default User Agent to that of a Nokia 6600.
    This executable calls vadxdat.data.
  • c:\system\data\vadxdat.data: this file is an EPOC executable too. It contacts other pages of the malicious remote web server (action.jsp, delnotify.jsp, email.jsp).
  • c:\system\data\payserv.sys: this file is an EPOC executable. It handles updates of the malware via HTTP. It sends the phone's IMEI.
  • c:\system\data\zodiac.ini
  • c:\system\recogs\recogitm.mdl: automatically launches sdrsdat.data at phone boot

The malware may also create the following files:
  • c:\system\data\dllist.ini
  • c:\system\data\dlid.ini
  • c:\system\data\lflag.ini
  • c:\system\data\FeeDlgCfg.ini
  • c:\system\data\visit.ini
  • c:\CSMSMtmsEngine.txt
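The file list above and the SMS beacon described for smsserver.app (a message to a number starting 106601142 whose body is "G_" followed by the phone's IMEI) are the indicators an analyst would check on a suspect handset. The following triage helper is an added example, not Fortinet's code or part of this advisory: it matches a file listing against the dropped-file paths given above and classifies SMS log entries by the destination prefix and the IMEI-bearing body, validating the IMEI with its Luhn check digit so that a random "G_" string is not mistaken for the beacon. The file listing, the SMS log, the fully-populated destination number (the page masks its last digits as xxx) and the IMEI values are all constructed sample data.

```python
"""Triage helper for the SymbOS/Multidr.DC!tr indicators listed above.

Added example, not part of the advisory. All sample inputs below are constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Files the advisory says the malware installs (compared case-insensitively;
# Symbian paths use backslashes, so raw strings are used throughout).
DROPPED_FILES = {
    r"c:\system\apps\smsserver\smsserver.app",
    r"c:\system\apps\smsserver\smsserver_caption.rsc",
    r"c:\system\apps\smsserver\smsserver.rsc",
    r"c:\system\apps\smsserver\smsserver.aif",
    r"c:\system\recogs\smsrecog.mdl",
    r"c:\system\apps\incest\incest.app",
    r"c:\system\apps\incest\incest.aif",
    r"c:\system\apps\incest\incest_caption.rsc",
    r"c:\system\apps\incest\incest.rsc",
    r"c:\system\apps\incest\incest.mbm",
    r"c:\system\libs\smsengine.dll",
    r"c:\system\apps\incest\incest.db",
    r"c:\system\data\epoc_host.txt",
    r"c:\system\data\nrchiie.txt",
    r"c:\system\data\sdrsdat.data",
    r"c:\system\data\vadxdat.data",
    r"c:\system\data\payserv.sys",
    r"c:\system\data\zodiac.ini",
    r"c:\system\recogs\recogitm.mdl",
}

# Files the advisory says the malware *may* create: weaker evidence on their own.
OPTIONAL_FILES = {
    r"c:\system\data\dllist.ini",
    r"c:\system\data\dlid.ini",
    r"c:\system\data\lflag.ini",
    r"c:\system\data\feedlgcfg.ini",
    r"c:\system\data\visit.ini",
    r"c:\csmsmtmsengine.txt",
}

# The advisory gives the hard-coded destination only as 106601142xxx, so the
# detection keys on the known prefix rather than a full number.
SMS_DEST_PREFIX = "106601142"
# Beacon body: "G_" followed by a 15-digit IMEI.
SMS_BODY_RE = re.compile(r"^G_(\d{15})$")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check (an IMEI's 15th digit is a Luhn check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def match_dropped_files(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Split a phone file listing into hits on the installed and optional indicator sets."""
    found: Dict[str, List[str]] = {"dropped": [], "optional": []}
    for p in paths:
        key = p.strip().lower()
        if key in DROPPED_FILES:
            found["dropped"].append(key)
        elif key in OPTIONAL_FILES:
            found["optional"].append(key)
    return found


def classify_sms(dest: str, body: str) -> str:
    """Return 'beacon' when both indicators match, 'suspect' when only one does, else 'clean'."""
    prefix_hit = dest.startswith(SMS_DEST_PREFIX)
    m = SMS_BODY_RE.match(body)
    if prefix_hit and m and luhn_ok(m.group(1)):
        return "beacon"       # destination prefix plus a well-formed IMEI in the body
    if prefix_hit or m:
        return "suspect"      # one indicator only: flag for manual review
    return "clean"


def triage(listing: Iterable[str], sms_log: Iterable[Tuple[str, str]]) -> dict:
    """Combine file and SMS evidence into a single verdict."""
    files = match_dropped_files(listing)
    sms = [(dest, body, classify_sms(dest, body)) for dest, body in sms_log]
    infected = bool(files["dropped"]) or any(c == "beacon" for *_, c in sms)
    return {"files": files, "sms": sms, "verdict": "infected" if infected else "no indicators"}


# Constructed sample data: a partial file listing and a few outgoing SMS entries.
SAMPLE_LISTING = [
    r"C:\System\Apps\SmsServer\smsserver.app",
    r"c:\system\recogs\smsrecog.mdl",
    r"c:\system\data\sdrsdat.data",
    r"c:\system\data\visit.ini",
    r"c:\system\apps\calendar\calendar.app",   # benign, should not match
]
SAMPLE_SMS_LOG = [
    ("106601142000", "G_490154203237518"),  # masked digits filled with zeros; IMEI passes Luhn
    ("106601142000", "hello"),              # right destination, wrong body
    ("13800000000", "G_490154203237519"),   # wrong destination, IMEI fails Luhn
    ("13800000000", "meet at 5"),           # ordinary message
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LISTING, SAMPLE_SMS_LOG), indent=2))
```

A file-path hit on the installed set is strong evidence by itself because those paths are specific to this dropper, whereas the .ini files in the optional set are only reported alongside. The Luhn check is there so that the SMS rule keys on the actual data the advisory describes (an IMEI) rather than on any 15-digit string; on a real handset the same logic would run over an exported message store rather than the inline sample.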

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1922901