
SymbOS/NMPlugin.A!tr - Released Jul 26, 2010

Aliases

Symb/NMPlugin-A (Sophos), NmapPlug.A (NetQin)

Detection Availability

                Active Database    Extended Database
FortiGate       low                high
FortiClient
FortiMail       N/A

Visible Symptoms

One or more of the symptoms listed below should alert the end-user:
  • An unexpectedly high phone bill caused by SMS and MMS messages being sent and by data (Internet) connections being opened without the user's knowledge.
  • Receiving an MMS titled "Hello Skuller", or finding such an MMS on the phone (for example in the Drafts or Sent folders).

Detailed Analysis

SymbOS/NMPlugin.A!tr affects mobile phones running Symbian OS 9.4 or later (S60 5th edition).
This malware connects to remote web sites and sends SMS and MMS messages without the user's consent.

This variant only affects subscribers of the China Mobile operator, since it specifically looks for access points that use China Mobile's cmwap service.


Technical Details


This malware installs the following files ("!:" is the Symbian SIS installer's placeholder for the drive selected at installation time, so these files may be found either on the internal drive or on a memory card):
  • c:\system\20030C77\init.ini
  • !:\system\data\20030C77\config\xinconfigue.ini
  • !:\system\data\20030C77\config\xmlconfig.ini
  • !:\sys\bin\Nokia_0x20030C77.exe: the main malicious executable. It is launched automatically as soon as the package is installed on the phone.
It also writes developer debug information to:
  • c:\logs\test\smslog.txt
  • c:\logs\fdsfsa\debug.log
The malware implements the following functionality:
  • searches specifically for all access points that use China Mobile's cmwap service.
  • sends MMS messages (over the cmwap Access Point Name) titled 'Hello Skuller' with an attached file named Sunset.jpg.
  • prepares and sends WAP Push SMS messages. While they are being prepared, the messages are stored in the phone's Drafts folder.
  • retrieves the phone's IMEI, IMSI and network information.
  • lists the applications installed on the phone. To do so, the malware uses the Symbian class Swi::RSisRegistrySession, which is only available from Symbian OS v9.4 onwards; consequently, the malware cannot run on older phones.
  • parses the phone's contacts.
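The file paths above are the practical indicators for checking a phone or a forensic file-system dump by hand. The script below is an added example, not Fortinet's detection logic or part of the malware: it turns those paths into matchers that honour Symbian's "!:" drive placeholder and case-insensitive file system, runs them over a file listing, and separates a confirmed infection (the executable present under sys\bin) from weaker evidence (only config or log files present). The sample listing is constructed for the example and is not a real device dump.

```python
import re
from typing import Dict, Iterable, List, Pattern

# Indicators taken from the analysis above. "!:" is the Symbian installer's
# placeholder for the drive chosen at install time, so it must match any drive.
NMPLUGIN_PATHS = [
    r"c:\system\20030C77\init.ini",
    r"!:\system\data\20030C77\config\xinconfigue.ini",
    r"!:\system\data\20030C77\config\xmlconfig.ini",
    r"!:\sys\bin\Nokia_0x20030C77.exe",
    r"c:\logs\test\smslog.txt",
    r"c:\logs\fdsfsa\debug.log",
]


def ioc_to_regex(path: str) -> Pattern:
    """Compile a Symbian install path into a case-insensitive, anchored regex.
    '!:' expands to any single drive letter; the rest is matched literally."""
    if path.startswith("!:"):
        pattern = r"[a-z]:" + re.escape(path[2:])
    else:
        pattern = re.escape(path)
    return re.compile("^" + pattern + "$", re.IGNORECASE)


IOC_PATTERNS = [(p, ioc_to_regex(p)) for p in NMPLUGIN_PATHS]


def scan_listing(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Return {indicator: [matching paths]} for every indicator found.
    Forward slashes are normalised so listings from any tool can be fed in."""
    hits: Dict[str, List[str]] = {}
    for raw in paths:
        p = raw.strip().replace("/", "\\")
        if not p:
            continue
        for ioc, rx in IOC_PATTERNS:
            if rx.match(p):
                hits.setdefault(ioc, []).append(p)
    return hits


def verdict(hits: Dict[str, List[str]]) -> str:
    """The executable under sys\\bin is the malware itself; config and log
    files alone are weaker evidence (they can survive a partial removal)."""
    if any(ioc.endswith("Nokia_0x20030C77.exe") for ioc in hits):
        return "infected"
    if hits:
        return "suspicious"
    return "clean"


# Constructed sample listing (not a real device dump): benign Symbian paths plus
# the malware installed on the E: memory card, with mixed case as a phone's
# file manager might report it.
SAMPLE_LISTING = """
c:\\sys\\bin\\efile.exe
c:\\private\\10003a3f\\import\\apps\\Browser_reg.rsc
e:\\sys\\bin\\nokia_0x20030c77.exe
E:\\system\\data\\20030C77\\config\\xmlconfig.ini
c:\\logs\\test\\smslog.txt
c:\\system\\apps\\Something\\something.ini
""".strip().splitlines()

if __name__ == "__main__":
    found = scan_listing(SAMPLE_LISTING)
    for ioc, matched in found.items():
        print(f"{ioc}: {matched}")
    print("verdict:", verdict(found))
```

Feed it the output of a file manager or a directory walk of a mounted image, one path per line. The drive-placeholder expansion matters in practice: a check that only looks at C: misses a copy installed to the memory card, which is exactly where the "!:" paths allow the package to land.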

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1995521