http://www.fortiguardcenter.com/ en Copyright 2009 Fortinet Inc. All Rights Reserved Fri, 10 Jul 2009 09:10:22 -0800 09-Jul SymbOS/Yxes.E!worm (Level 1) Visible Symptoms

The repeated attempts by the worm to send SMS messages may yield:
  • abnormally high bill
  • rapid battery power loss

Presence of the following files:
  • c:\sys\bin\AcsServer.exe
  • c:\sys\bin\Installer_0x20026CA6.exe
  • c:\private\101f875a\import\[20026CA5].rsc
]]> http://www.fortiguardcenter.com/ve?vn=SymbOS/Yxes.E!worm http://www.fortiguardcenter.com/ve?vn=SymbOS/Yxes.E!worm Thu, 09 Jul 2009 08:11:24 -0800 07-Jul SymbOS/HatiHati.A!worm (Level 1) Visible Symptoms

  • Abnormally high phone bill.

  • Presence of any of the following files:

    • C:\greetsita0.txt
    • C:\system\apps\guardian\guardian.exe

]]> http://www.fortiguardcenter.com/ve?vn=SymbOS/HatiHati.A!worm http://www.fortiguardcenter.com/ve?vn=SymbOS/HatiHati.A!worm Tue, 07 Jul 2009 11:43:29 -0800 07-Jul JS/FakeAVOnline.A!tr.dldr (Level 1) Visible Symptoms

  • Possible firewall alert that an executable is attempting to connect to the internet.

    • ]]>     http://www.fortiguardcenter.com/ve?vn=JS/FakeAVOnline.A!tr.dldr http://www.fortiguardcenter.com/ve?vn=JS/FakeAVOnline.A!tr.dldr Tue, 07 Jul 2009 11:43:03 -0800     07-Jul SymbOS/Cabir.E465!worm (Level 1) Visible Symptoms

  • Presence of the file c:\system\apps\leslie\leslie.app.

    ]]> http://www.fortiguardcenter.com/ve?vn=SymbOS/Cabir.E465!worm http://www.fortiguardcenter.com/ve?vn=SymbOS/Cabir.E465!worm Tue, 07 Jul 2009 11:05:19 -0800 06-Jul HackerTool/HelloCarbide (Level 1) Visible Symptoms

  • Protected directories (such as c:\sys) are accessible. This is the most reliable way to detect the malware.
  • In some cases (depending on malware and phone version), the phone may show an application named HelloCarbide (see Figure 1).
  • New applications cannot be started any longer



    • Figure 1. HelloCarbide application


    This hacking tool is often used along with the InstallServer tool, which disables Symbian's application signing verification, so that any application (signed or not) may be installed on the phone. ]]>     http://www.fortiguardcenter.com/ve?vn=HackerTool/HelloCarbide http://www.fortiguardcenter.com/ve?vn=HackerTool/HelloCarbide Mon, 06 Jul 2009 10:39:58 -0800     06-Jul Adware/Trymedia (Level 1) Visible Symptoms

  • The following folder is created:
    • %CommonDesktopDir%\Downloads
    ]]>     http://www.fortiguardcenter.com/ve?vn=Adware/Trymedia http://www.fortiguardcenter.com/ve?vn=Adware/Trymedia Mon, 06 Jul 2009 10:38:21 -0800     06-Jul Adware/OneStep (Level 1) Visible Symptoms

  • The following files and folders are created:
    • %WINDIR%\Temp\ONE{random_number}.tmp\upgrade.exe
    • %WINDIR%\Temp\{random_name}.tmp\Au_.exe
    • %PROGRAMFILES%\OneStep\OneStep_deleted0
    • %PROGRAMFILES%\OneStep\home.js
    • %PROGRAMFILES%\OneStep\onestep.dll
    • %PROGRAMFILES%\OneStep\onestep.exe
    • %PROGRAMFILES%\OneStep\OneStep_deleted_\onestep.dll
    • %PROGRAMFILES%\OneStep\OneStep_deleted_\onestep.exe
    • %PROGRAMFILES%\OneStep\osopt.exe
    • %PROGRAMFILES%\OneStep\readme.html
    • %PROGRAMFILES%\OneStep\uninstall.exe
    • C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\foo
    • C:\Documents and Settings\All Users\Documents\HBEPGUID.TXT
    • C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\foo\XPC.mfl
    • C:\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\chrome\onestep.jar
    • C:\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\chrome.manifest
    • C:\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\defaults\preferences\prefs.js
    • C:\INSTALLED\Mozilla Firefox\extensions\{C7E0B063-1DC2-4DD0-A502-1D67957B9ADE}\install.rdf
    • C:\INSTALLED\Mozilla Firefox\searchplugins\onestep.xml
    ]]>     http://www.fortiguardcenter.com/ve?vn=Adware/OneStep http://www.fortiguardcenter.com/ve?vn=Adware/OneStep Mon, 06 Jul 2009 10:38:13 -0800     06-Jul iPhoneOS/Trapsms.A!tr.spy (Level 1) Visible Symptoms

  • The spyware connects to the Internet. Depending on your phone's subscription, this may lead to abnormally high phone bills
  • An application named STD is installed in Cydia (typical third party installation tool for jailbroken iPhones)
    • ]]>     http://www.fortiguardcenter.com/ve?vn=iPhoneOS/Trapsms.A!tr.spy http://www.fortiguardcenter.com/ve?vn=iPhoneOS/Trapsms.A!tr.spy Mon, 06 Jul 2009 06:21:52 -0800     02-Jul W32/Zbot.GH!tr (Level 1) Visible Symptoms

  • The following folder is created:
    • %SYSTEM%\lowsec\
  • The following files are created:
    • %SYSTEM%\lowsec\local.ds
    • %SYSTEM%\lowsec\user.ds
    • %SYSTEM%\lowsec\user.ds.lll
    • %SYSTEM%\sdra64.exe
  • Possible termination of the firewall or other security applications, including antivirus monitors.
    • ]]>     http://www.fortiguardcenter.com/ve?vn=W32/Zbot.GH!tr http://www.fortiguardcenter.com/ve?vn=W32/Zbot.GH!tr Thu, 02 Jul 2009 10:54:16 -0800     02-Jul W32/Zbot.FG!tr (Level 1) Visible Symptoms

  • The following folder is created:
    • %SYSTEM%\lowsec\
  • The following files are created:
    • %SYSTEM%\lowsec\local.ds
    • %SYSTEM%\lowsec\user.ds
    • %SYSTEM%\lowsec\user.ds.lll
    • %SYSTEM%\sdra64.exe
  • Possible termination of the firewall or other security applications, including antivirus monitors.
    • ]]>     http://www.fortiguardcenter.com/ve?vn=W32/Zbot.FG!tr http://www.fortiguardcenter.com/ve?vn=W32/Zbot.FG!tr Thu, 02 Jul 2009 10:54:08 -0800     26-Jun SymbOS/Acallno.A!tr.spy (Level 1) Visible Symptoms

  • Abnormally high phone bill.

  • The following files exist:
    • !:\System\recogs\s60syss.mdl
    • !:\System\Apps\s60system.exe
    ]]>     http://www.fortiguardcenter.com/ve?vn=SymbOS/Acallno.A!tr.spy http://www.fortiguardcenter.com/ve?vn=SymbOS/Acallno.A!tr.spy Fri, 26 Jun 2009 14:04:07 -0800     26-Jun Java/GoSms.B!tr (Level 1) Visible Symptoms

  • Attempts to send SMS messages to a short number.
    • ]]>     http://www.fortiguardcenter.com/ve?vn=Java/GoSms.B!tr http://www.fortiguardcenter.com/ve?vn=Java/GoSms.B!tr Fri, 26 Jun 2009 14:03:46 -0800     26-Jun Java/GoSms.A!tr (Level 1) Visible Symptoms

  • An SMS message is sent to the short number 1171.
    • ]]>     http://www.fortiguardcenter.com/ve?vn=Java/GoSms.A!tr http://www.fortiguardcenter.com/ve?vn=Java/GoSms.A!tr Fri, 26 Jun 2009 14:03:31 -0800     26-Jun Java/Smarm.A!tr (Level 1) Visible Symptoms

  • Abnormally high phone bill
    • ]]>     http://www.fortiguardcenter.com/ve?vn=Java/Smarm.A!tr http://www.fortiguardcenter.com/ve?vn=Java/Smarm.A!tr Fri, 26 Jun 2009 14:03:14 -0800     26-Jun SymbOS/Acallno.B!tr.spy (Level 1) Visible Symptoms

    Since this Trojan Horse's purpose is to spy on the infected mobile device without its owner's knowledge, there are very few visible symptoms of the infection. The installation phase must either be performed on the targeted device by an attacker with physical access, or the attacker must trick the phone owner in doing so.

    In the latter case, the phone owner should be particularly watchful if any of the following conditions are true:

    • The SIS package does not contain a valid certificate. This is typical of malware, because they do not bear Symbian's signature
    • The sis package does not install any visible application icon (this is typical of spyware attempting to hide their presence on the phone)
    • The installer goes by the name Phantom v3.0 or demo
    • Abnormally high phone bill
    Finally, a reliable way to verify if a device is infected is to to check for the presence of the malware installed files with a file explorer application (see technical details below).

    ]]>     http://www.fortiguardcenter.com/ve?vn=SymbOS/Acallno.B!tr.spy http://www.fortiguardcenter.com/ve?vn=SymbOS/Acallno.B!tr.spy Fri, 26 Jun 2009 14:02:43 -0800     23-Jun W32/FakeAlert.EI!tr (Level 1) Visible Symptoms

  • The following file exists:
    • %SYSTEM%\sfcfiles.dat
    ]]>     http://www.fortiguardcenter.com/ve?vn=W32/FakeAlert.EI!tr http://www.fortiguardcenter.com/ve?vn=W32/FakeAlert.EI!tr Tue, 23 Jun 2009 10:08:47 -0800     19-Jun W32/Zbot.AA!tr (Level 1) Visible Symptoms

  • The following files exist:
    • %System%\lowsec
    • %System%\sdra64.exe
    • %System%\lowsec\local.ds
    • %System%\lowsec\user.ds
  • Possible termination of the firewall or other security applications, including antivirus monitors.
    • ]]>     http://www.fortiguardcenter.com/ve?vn=W32/Zbot.AA!tr http://www.fortiguardcenter.com/ve?vn=W32/Zbot.AA!tr Fri, 19 Jun 2009 10:48:25 -0800     18-Jun W32/Skimmer.A!tr.bdr (Level 1) Visible Symptoms

  • The following files exist in the %WINDOWS% folder:
    • trl2
    • kl
    ]]>     http://www.fortiguardcenter.com/ve?vn=W32/Skimmer.A!tr.bdr http://www.fortiguardcenter.com/ve?vn=W32/Skimmer.A!tr.bdr Thu, 18 Jun 2009 15:22:04 -0800     16-Jun HTML/Virut.CE (Level 1) Visible Symptoms

  • System is also infected with W32/Virut.CE. ]]> http://www.fortiguardcenter.com/ve?vn=HTML/Virut.CE http://www.fortiguardcenter.com/ve?vn=HTML/Virut.CE Tue, 16 Jun 2009 10:14:28 -0800 11-Jun JS/Redir.MR!tr (Level 1) Visible Symptoms

  • Redirect to malicious websites.
    • ]]>     http://www.fortiguardcenter.com/ve?vn=JS/Redir.MR!tr http://www.fortiguardcenter.com/ve?vn=JS/Redir.MR!tr Thu, 11 Jun 2009 10:37:45 -0800     11-Jun JS/Gumblar.A!tr.dldr (Level 1) Visible Symptoms

  • Redirect to malicious websites.
  • Malicious files may be downloaded. ]]> http://www.fortiguardcenter.com/ve?vn=JS/Gumblar.A!tr.dldr http://www.fortiguardcenter.com/ve?vn=JS/Gumblar.A!tr.dldr Thu, 11 Jun 2009 10:37:21 -0800 11-Jun W32/Dropper.CG!tr (Level 1) Visible Symptoms

  • Drops files to folders such as the root folder and Temporary folder. ]]> http://www.fortiguardcenter.com/ve?vn=W32/Dropper.CG!tr http://www.fortiguardcenter.com/ve?vn=W32/Dropper.CG!tr Thu, 11 Jun 2009 10:36:34 -0800 10-Jun VBS/Phel.I!exploit (Level 1) Visible Symptoms

    This threat attempts to use various tricks to exploit vulnerabilities in Windows-based systems that are unpatched against the implemented vulnerabilities. ]]>     http://www.fortiguardcenter.com/ve?vn=VBS/Phel.I!exploit http://www.fortiguardcenter.com/ve?vn=VBS/Phel.I!exploit Wed, 10 Jun 2009 12:33:03 -0800     10-Jun W32/DCERPC!exploit.MS08067 (Level 1) Visible Symptoms

    The related samples are POC files (Proof-Of-Concept). ]]>     http://www.fortiguardcenter.com/ve?vn=W32/DCERPC!exploit.MS08067 http://www.fortiguardcenter.com/ve?vn=W32/DCERPC!exploit.MS08067 Wed, 10 Jun 2009 12:32:54 -0800     10-Jun Misc/Freechal (Level 1) Visible Symptoms

  • The following folder exists:
    • %Program Files%\Smarton\
  • The following files exist:
    • %Program Files%\Smarton\st_rwd_1j.dll
    • %Program Files%\Smarton\st_src_1b.dll
    • %Program Files%\Smarton\stsv.dll
    ]]>     http://www.fortiguardcenter.com/ve?vn=Misc/Freechal http://www.fortiguardcenter.com/ve?vn=Misc/Freechal Wed, 10 Jun 2009 12:32:44 -0800     09-Jun SymbOS/Yxes.A!worm (Level 1) Visible Symptoms

  • The repeated attempts by the worm to send SMS messages or connect to the Internet may yield:
    • Abnormally high phone bills
    • Rapid battery power loss
  • Presence of the following files :
    • c:\sys\bin\EConServer.exe
    • c:\private\101f875a\import\[2001EB45].rsc
  • Impossible to launch the following applications:
    • AppMgr
    • TaskSpy
    • Y-Tasks
    • ActiveFile
    • TaskMan
    ]]>     http://www.fortiguardcenter.com/ve?vn=SymbOS/Yxes.A!worm http://www.fortiguardcenter.com/ve?vn=SymbOS/Yxes.A!worm Tue, 09 Jun 2009 17:57:03 -0800     09-Jun SymbOS/Yxes.C!worm (Level 1) Visible Symptoms

    • The repeated attempts by the worm to send SMS messages may yield:

      • Rapid battery power loss
      • Abnormally high phone bills

    • Presence of the following file:

      • C:\sys\bin\Transmitter.exe
    ]]>     http://www.fortiguardcenter.com/ve?vn=SymbOS/Yxes.C!worm http://www.fortiguardcenter.com/ve?vn=SymbOS/Yxes.C!worm Tue, 09 Jun 2009 17:56:30 -0800     09-Jun SymbOS/Yxes.D!worm (Level 1) Visible Symptoms

    • The repeated attempts by the worm to send SMS messages may yield:

      • Rapid battery power loss
      • Abnormally high phone bills

    • Presence of the following files:

      • c:\sys\bin\BootHelper.exe
      • c:\private\101f875a\import\[20017741].rsc
    ]]>     http://www.fortiguardcenter.com/ve?vn=SymbOS/Yxes.D!worm http://www.fortiguardcenter.com/ve?vn=SymbOS/Yxes.D!worm Tue, 09 Jun 2009 16:37:19 -0800     09-Jun W32/Conficker.B!worm (Level 1) Visible Symptoms

  • The following files exist:
    • %System%\{random lower case characters}.dll
    • %Program Files%\Internet Explorer\{random lower case characters}.dll
    • %Program Files%\Movie Maker\{random lower case characters}.dll
    • %Documents and Settings%\All Users\Application Data\{random lower case characters}.dll
    • %Temp%\{random lower case characters}.dll
    • %Temp%\{random}.tmp
  • Access to security-related websites is hindered
    • ]]>     http://www.fortiguardcenter.com/ve?vn=W32/Conficker.B!worm http://www.fortiguardcenter.com/ve?vn=W32/Conficker.B!worm Tue, 09 Jun 2009 16:37:10 -0800     09-Jun W32/Agent.KTBW!tr.dldr (Level 1) Visible Symptoms

  • The following file exists:
    • %Temp%/install-1557.exe
    ]]>     http://www.fortiguardcenter.com/ve?vn=W32/Agent.KTBW!tr.dldr http://www.fortiguardcenter.com/ve?vn=W32/Agent.KTBW!tr.dldr Tue, 09 Jun 2009 11:54:00 -0800