#1  nokia-6600, 05-24-2005, 02:57 PM

Virus info

--------------------------------------------------------------------------------

Mosquitos ******* By Soddom.sis
Mosquitos ******* By Soddom v2.0.sis
Camtimer.sis
Crazy!.sis
[YUAN).sis
22207-.sis
Guan4u.sis
Fuynuan.sis
ILoveU.sis
Mytti.sis
Ni&Ai.sis
-Sexy-.sis
Mobile.sis
Norton Antivirus 2004 Professional.sis
Extended Theme Manger.sis
Icons.sis
Caride2005.sis
F-cabir.sis (it's maybe a renamed virus)


And here are some Java viruses:
Java.BeanHive
Java.BackOrifice
Java.MinThread
Java.NoCheat
Java.StartPage
JavaApp.Strange Brew

DO NOT INSTALL ANY APP WITH THE NAMES LISTED BECAUSE ALL OF THESE ARE VIRUSES!!!
#2  nokia-6600, 05-24-2005, 02:57 PM

Symbian anti-virus specialist SimWorks announced today that it has identified 52 previously unknown trojans for the Symbian platform, more than all of the trojans and other malware for Symbian based devices identified to date combined. The trojans appear to be ******* versions of popular Symbian applications such as BitStorm, BugMe!, Cosmic Fighter, 3D Motoracer and SplashID. In addition to the installation files for the application itself, the files also include various versions of previously known malware such as Cabir and Locknut. SimWorks CEO Aaron Davidson says: “This is a significant development, as until now we've usually found mobile trojans two or three at a time at the most. It would be easy for a malware writer to create one trojan and give it 52 different names; however, this is not the case here, where we have 52 separately ******* and infected applications. Somebody has gone to an awful lot of time and effort to turn these out.”

“Previous mobile viruses have either been able to spread but cause no harm, or alternatively have been able to cause significant harm but not been able to spread.

It may be that producing large numbers of harmful trojans such as those we discovered today is a reaction by the writers to their inability to produce destructive viruses that can effectively spread. Obviously, by producing large numbers of these things you greatly improve the odds of someone actually downloading and installing them.” SimWorks has yet to receive any reports of the 52 trojans identified today in the wild. “Until reports are received of these trojans in the wild there is little risk to end users,” says Davidson. “From all appearances, however, these are ready to release now, and putting all 52 onto a single site would make downloading from it like playing Russian roulette with your phone. Every other file could contain something that could cause your phone to be corrupted, requiring a factory reset or worse, and the loss of all your contacts and other data.”

All of the trojans identified are targeted at Series 60 phones using Symbian OS v6.1 or newer, such as the Nokia 3650, 6600 and 6630. None of the trojans affect UIQ based Symbian phones such as the popular SonyEricsson P900/910 and Motorola A925/1000. SimWorks advises that mobile phone users take the usual precautions, including never accepting files from people they do not know and never downloading applications from unknown sources and ***** sites. [A complete list of the infected files identified is attached at the end of this press release.]

About SimWorks

SimWorks is a Symbian anti-virus specialist and a leading developer of innovative mobile applications for the Symbian platform. SimWorks' product portfolio presently comprises SimWorks Anti-Virus and its Subscriber Data Management System (a phone synchronisation and social networking application). SimWorks Anti-Virus is presently one of the best recognised anti-virus applications for Symbian UIQ and Series 60 based mobile phones. SimWorks was the first vendor to release an anti-virus product for UIQ phones and remains one of the few vendors to support both the UIQ and Series 60 platforms.


Uiq Simworks Anti-Virus
Series 60 Simworks Anti-Virus

Further information on SimWorks Anti-Virus, phone backup, social networking and directory service applications is available at [Only Registered and Activated Users Can See Links. Click Here To Register...].
For further information contact:
Aaron Davidson
Chief Executive Officer
SimWorks International
Tel: +649 296 6290 or +64 21 557 600


Details of infected files identified (archive listing: date, time, size, packed size, file name):
2005-04-18 22:51 92412 91040 3D_miniGolf[1].1.01*****.sis
2005-04-18 22:59 123211 120656 6630-SnapShot2[1].03.sis
2005-04-18 22:58 65020 63584 6630-VideoEditor210.sis
2005-04-18 22:44 82563 81040 Auto Pilot3[1].01full.sis
2005-04-18 22:56 92382 89392 Big-2 by__dotSiS.sis
2005-04-18 22:57 78955 77840 BitStorm_full1[1].0-XiMpda.sis
2005-04-18 22:57 82055 78784 Blocks_Full*****.sis
2005-04-18 22:46 211381 210592 bluster III Full.sis
2005-04-18 22:43 197290 193712 BounceMP3_[1]NEW.sis
2005-04-18 22:58 69904 68224 BugMe1[1].23_Full_Dotsis.sis
2005-04-18 22:57 92313 91280 callcheater3[1].01-XiMpda.sis
2005-04-18 22:56 79253 77616 Chinese Star1[1].01*****.sis
2005-04-18 22:45 192439 190256 ControlFreak2[1].0_Full.sis
2005-04-18 22:53 107010 106192 CosmicFighter3[1].0.sis
2005-04-18 22:56 92456 87328 CosmicFighter_*****.sis
2005-04-18 22:52 107524 106640 Digital Red Bowling.sis
2005-04-18 22:47 186005 179984 DVD-to-NOKIA-6670.sis
2005-04-18 22:50 80973 80032 DVDPlayer2[1].01_Full*****.sis
2005-04-18 22:56 90520 85872 FaceWave5[1].0_dotSiS.sis
2005-04-18 22:57 70084 69296 FlashLite[1].v1.1full*****.sis
2005-04-18 22:51 82469 80912 FreeCall_1[1].01-XiMpda.sis
2005-04-18 22:50 82352 80016 Fscaller5[1].01_Full_dotSiS.sis
2005-04-18 22:44 70868 69136 Funny Drawer2[1].00_Full.sis
2005-04-18 22:57 72303 70864 gina-v1[1].1full*****.sis
2005-04-18 22:55 82590 81488 HeliAttac101_Full_dotSiS.sis
2005-04-18 22:56 69410 68976 ImagePlus2[1].15_Full.sis
2005-04-18 22:55 253882 250960 Mahjong2[1].34.sis
2005-04-18 22:56 108969 105440 Mahjong301_Full_QmzXiz.sis
2005-04-18 22:49 77807 77088 matefinder_1[1].01-XiMpda.sis
2005-04-18 22:46 75691 74704 MessageStorer_*****.sis
2005-04-18 22:55 83206 79104 MotoRacer_Full.sis
2005-04-18 22:42 241210 240672 Mumsms4[1].01_XimPDA.sis
2005-04-18 22:46 75007 73552 pocketdictionary_V1.sis
2005-04-18 22:54 83551 80912 PowerGprs_3[1].01-dotSis.sis
2005-04-18 22:47 72056 68928 Quicksheet_*******_S60.sis
2005-04-18 22:53 253912 252160 RubiksCube1[1].19*****.sis
2005-04-18 22:42 185078 184608 Smart Movie263 S60[6630].sis
2005-04-18 22:47 69654 68832 SmartLauncher2[1].06s70.sis
2005-04-18 22:47 69654 68832 SmartLauncher2[2].06s70.sis
2005-04-18 22:54 89926 86976 Snowboard_Full*****.sis
2005-04-18 22:44 254405 253664 Sony_Camcoder Pro_S60.sis
2005-04-18 22:48 72010 71376 SplashID_4[1].13_S60.sis
2005-04-18 22:48 69406 68752 Super Anti Virus 1[1].0 .sis
2005-04-18 22:50 82176 80752 SuperMario3_Full*****.sis
2005-04-18 22:50 79329 78528 SuperMovie1[1].0_dotSiS.sis
2005-04-18 22:49 82795 81872 SuperMP31[1].0_dotSiS.sis
2005-04-18 22:49 86599 84912 supperNes_1[1].0_Beta_dotSiS.sis
2005-04-18 22:54 80253 79264 vBoy[1].v2.0.S60.oWnPDA.sis
2005-04-18 22:49 85969 84832 VNes[1].v2.0-XiMpda.sis
2005-04-18 22:49 97528 96960 XCaller_Full*****.sis
2005-04-18 22:44 76269 74128 Yellow_YFtpC_2[1].33_SymTEE.sis
2005-04-18 22:48 92329 89952 ZipMan_full2[1].0-XiMpda.sis
#
# Total Size Packed Files
# 5552413 5458512 52
#3  nokia-6600, 05-24-2005, 02:58 PM

NAME: Locknut.A
ALIAS: SymbOS/Locknut.A,Gavno.A, Gavno.B

Summary

Locknut.A is a malicious SIS file trojan that pretends to be a patch for Symbian Series 60 mobile phones.

When installed, Locknut.A drops binaries that crash a critical system component, which prevents any application from being launched on the phone, thus effectively locking the phone.

There are also claims that Locknut would disable calling functionality, so that the user couldn't make calls with an infected phone. But we could not reproduce this effect with any of the phones we have.

Also, Locknut.A will only work with devices that have Symbian OS 7.0S or newer; devices that use Symbian OS 6.0 or 6.1 are unaffected.

Some AV companies call this trojan Gavno, but since this word is a rather vulgar term in Russian, the AV community has decided to rename it Locknut.

There are also versions of Locknut that include Cabir.B in the same SIS file, which some companies call Gavno.B. But since the actual trojan functionality is totally identical to Locknut.A, we call both samples Locknut.A.

The Cabir.B included in the Locknut.A samples is harmless, as Locknut kills all applications on the infected phone, including the Cabir.B that is installed from the same SIS file.

Even if Locknut.B is disinfected, the Cabir.B still won't start, as it is installed into the wrong directory on the infected phone.

If the user starts Cabir.B manually after disinfecting Locknut, the Cabir.B will spread as pure Cabir.B and will not transfer Locknut.A to other devices.

Installation to system

Locknut.A is a SIS file that crashes a critical system ROM binary by replacing it with a non-functional stub file. When the Locknut.A SIS file is installed, the files are installed into the following locations:
c:\system\apps\gavno\gavno.app
c:\system\apps\gavno\gavno.rsc
c:\system\apps\gavno\gavno_caption.rsc

The Locknut SIS file will also contain a copy of itself, which is copied into the C:\ directory.

Spreading in: patch_v1.sis and patch_v2.sis

Payload: Both versions of Locknut.A replace a critical system binary, and patch_v2.sis also drops Cabir.B, which is not able to start on the phone.
#4  nokia-6600, 05-24-2005, 03:00 PM

NAME: Skulls.A
ALIAS: SymbOS/Skulls, Skulls trojan, extended theme trojan

Summary

Skulls is a malicious SIS file trojan that replaces the system applications with non-functional versions, so that all but the phone functionality will be disabled.

The Skulls SIS file is named "Extended theme.SIS"; it claims to be a theme manager for the Nokia 7610 smart phone, written by "Tee-222".

If Skulls is installed, it will cause all application icons to be replaced with a picture of a skull and crossbones, and the icons no longer refer to the actual applications, so none of the phone's system applications will be able to start.

This basically means that if Skulls is installed, only calling from the phone and answering calls works. All functions which need some system application, such as SMS and MMS messaging, web browsing and the camera, no longer function.

If you have installed Skulls, the most important thing is not to reboot the phone, and to follow the disinfection instructions in this description.

Installation to system

The Skulls SIS file does not contain any malicious code as such; it is just a Symbian installation file that installs critical system ROM binaries onto the C: drive with exactly the same names and locations as on the ROM drive.

The Symbian operating system has a feature which causes any file on the C: drive to replace the file on the ROM drive with the identical name and location.

The application files installed by Skulls are normal Symbian OS files extracted from the phone ROM. The malicious part is in the AIF (Application Info and icon) file which comes with the applications. Instead of the correct AIF file, the Skulls SIS installs an AIF file that has a skull and crossbones as its icon and, instead of the real application, points to nowhere.

Spreading in: Extended theme.sis

Payload: Replaces built-in applications with non-functional ones
#5  nokia-6600, 05-24-2005, 03:01 PM

NAME: Skulls.B
ALIAS: SymbOS/Skulls.B

Summary

Skulls.B is a variant of the SymbOS/Skulls.A trojan, which has similar functionality to Skulls.A but uses different files.

Skulls.B is a malicious SIS file trojan that replaces the system applications with non-functional versions and drops the SymbOS/Cabir.B worm into the phone.

The Cabir dropped by Skulls.B does not activate automatically, but if the user goes to the Cabir icon in the phone menu and runs Cabir from there, Cabir.B will activate and try to infect other phones.

The original Skulls.B SIS file is named "Icons.SIS". Unlike Skulls.A, the Skulls.B variant does not show any pop-up messages during install (except the "Installation security warning - unable to verify supplier" message shown by the operating system).

Skulls.B replaces the standard application icons with a generic application icon instead of the skull and crossbones that Skulls.A used.

If Skulls.B is installed, only calling from the phone and answering calls works. All functions which need some system application, such as SMS and MMS messaging, web browsing and the camera, no longer function. In addition to applications being disabled, the phone is also infected with Cabir.B, which, fortunately, is not able to activate automatically.

If you have installed Skulls.B, the most important thing is not to reboot the phone, and to follow the disinfection instructions in this description.

Installation to system

Like Skulls.A, Skulls.B is a SIS file that installs critical system ROM binaries and the Cabir.B worm onto the C: drive. The system ROM files are installed with exactly the same names and locations as on the ROM drive.

The Symbian operating system has a feature which causes any file on the C: drive to replace the file on the ROM drive with the identical name and location.

Unlike Skulls.A, Skulls.B also installs files other than just Symbian ROM files: in the list of installed files there is the Camtimer camera timer application from Nokia and the Cabir.B worm binaries.

Spreading in: Icons.sis

Payload: Replaces built-in applications with non-functional ones and installs the Cabir.B worm.
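Both the Skulls.A and Skulls.B descriptions above come down to one mechanism: a SIS file that writes into c:\system\apps\ with exactly the ROM's own file names, so the C: copy wins and a bogus AIF points the icon at nothing. The script below is an added example (not code from the thread, from F-Secure or from SimWorks) of the check a scanner can make on an install manifest before the files land: it compares the declared target paths with a list of ROM paths and reports the overlaid ones, singling out AIF files because, per the Skulls.A text, the binaries copied were genuine and only the AIFs were swapped. The ROM list and the manifest are constructed here, not taken from a real phone or from the real "Extended theme.sis".

```python
"""Flag SIS install targets that shadow Symbian ROM (Z:) files.

Added example for the Skulls.A / Skulls.B posts; not the thread's or any
vendor's code. Assumes the installer's target paths and the ROM file list
are available as plain path strings (both constructed below) and that a
path on C: takes precedence over the same path in ROM, which is the
Symbian behaviour the posts describe.
"""
import posixpath


def normalize(path: str) -> str:
    """Drop the drive letter, unify separators and case, so that
    C:\\System\\Apps\\Menu\\Menu.aif and z:/system/apps/menu/menu.aif compare equal."""
    p = path.replace("\\", "/").lower()
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return posixpath.normpath("/" + p.lstrip("/"))


# Constructed: a small slice of what a Series 60 ROM might hold (not a real dump).
ROM_FILES = [
    r"z:\system\apps\menu\menu.app",
    r"z:\system\apps\menu\menu.aif",
    r"z:\system\apps\messaging\messaging.app",
    r"z:\system\apps\messaging\messaging.aif",
    r"z:\system\apps\camcorder\camcorder.aif",
    r"z:\system\apps\appinst\appinst.app",
]

# Constructed: target paths a hypothetical Skulls-like theme package declares.
SKULLS_LIKE_MANIFEST = [
    r"c:\system\apps\menu\menu.app",
    r"c:\system\apps\menu\menu.aif",
    r"c:\system\apps\messaging\messaging.aif",
    r"c:\system\apps\extendedtheme\extendedtheme.app",
]

# Constructed: an ordinary third-party app that keeps to its own directory.
BENIGN_MANIFEST = [
    r"c:\system\apps\bugme\bugme.app",
    r"c:\system\apps\bugme\bugme.aif",
    r"c:\system\apps\bugme\bugme.rsc",
]


def rom_shadowing(manifest, rom_files=ROM_FILES):
    """Return (shadowed, shadowed_aif): manifest entries whose normalized path
    exists in ROM, and the subset of those that are AIF (icon/info) files."""
    rom = {normalize(p) for p in rom_files}
    shadowed = [p for p in manifest if normalize(p) in rom]
    aif = [p for p in shadowed if normalize(p).endswith(".aif")]
    return shadowed, aif


def verdict(manifest, rom_files=ROM_FILES) -> str:
    """One-line classification: any ROM overlay at all is treated as suspicious."""
    shadowed, aif = rom_shadowing(manifest, rom_files)
    if not shadowed:
        return "clean: no ROM file is overlaid"
    return f"suspicious: {len(shadowed)} ROM file(s) overlaid, {len(aif)} of them AIF"


if __name__ == "__main__":
    for label, manifest in (("theme", SKULLS_LIKE_MANIFEST), ("bugme", BENIGN_MANIFEST)):
        print(label, "->", verdict(manifest))
        for path in rom_shadowing(manifest)[0]:
            print("   overlays ROM:", path)
```

The verdict is deliberately blunt: a legitimate package has no business writing under a ROM application's own path, so one hit is enough, and the AIF count tells you whether you are looking at the Skulls pattern (real binaries, fake icons) or at something that replaces the binaries themselves.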
#6  nokia-6600, 05-24-2005, 03:02 PM

NAME: Skulls.D
ALIAS: SymbOS/Skulls.D

Summary

Skulls.D is a malicious SIS file trojan that pretends to be the Macromedia Flash player for Symbian Series 60 devices.

Skulls.D drops the SymbOS/Cabir.M worm into the phone, disables system applications and the third-party applications needed to disinfect it, and displays an animation that shows a flashing skull picture.

Unlike earlier Skulls versions, Skulls.D disables only a few phone system applications. The only system applications that are disabled are the ones that are needed in disinfecting it.

The third-party applications disabled by Skulls are ones that the user would need to disinfect his phone if it got infected by Skulls. However, for some reason Skulls.D copies the replacement files to the device memory card, thus disabling the tools only if the user has not installed them on the C: drive.

Skulls.D tries to disable F-Secure Mobile Anti-Virus by replacing its files with non-functional versions. However, as F-Secure Mobile Anti-Virus is capable of detecting the Cabir.M contained by Skulls using generic detection, the Anti-Virus will detect the infected SIS file and prevent it from being installed, provided that the Anti-Virus is in real-time scan mode, as it is by default.

The Cabir.M worm dropped by Skulls.D is already detected with generic detection as Cabir.Gen. So Skulls.D is already detected and stopped without the need for an updated Anti-Virus database.

The Cabir.M dropped by Skulls.C does not activate automatically, but will activate on reboot.

Skulls.D also drops another application that will activate on device reboot; this application displays an animation of a flashing skull picture in the background, no matter what application the user is trying to use.

If you have installed Skulls.D, the most important thing is not to reboot the phone.

Installation to system

Skulls.D is a SIS file that replaces system ROM binaries related to application uninstall and Bluetooth control, drops Cabir.M and other applications into the system, disables third-party file managers and tries to disable F-Secure Mobile Anti-Virus.

Spreading in: Flash_1[1].1_Full_DotSiS.sis

Payload: Replaces built-in and third-party applications with non-functional ones, installs the Cabir.M worm and starts an animation that shows a flashing skull picture.
#7  nokia-6600, 05-24-2005, 03:03 PM

NAME: Cabir.H
ALIAS: SymbOS/Cabir.H, EPOC/Cabir.H, Worm.Symbian.Cabir.H, Caribe virus

Summary

Cabir.H is a Bluetooth-using worm that runs on Symbian mobile phones that support the Series 60 platform.

The Cabir.H variant is a recompiled version of the original Cabir, the main difference being that Cabir.H has a fixed replication routine and is capable of spreading faster than earlier variants.

Cabir.H replicates over Bluetooth connections and arrives in the phone's messaging inbox as a velasco.sis file that contains the worm. When the user clicks velasco.sis and chooses to install the velasco.sis file, the worm activates and starts looking for new devices to infect over Bluetooth.

When the Cabir worm finds another Bluetooth device it will start sending infected SIS files to it, as long as the target phone is in range. Unlike earlier variants of Cabir, Cabir.H is capable of finding a new target after the first one has gone out of range. Thus Cabir.H will most likely spread faster than previous variants, if ever found in the wild.

Please note that the Cabir worm can reach only mobile phones that support Bluetooth and are in discoverable mode.

Setting your phone into non-discoverable (hidden) Bluetooth mode will protect your phone from the Cabir worm.

But once the phone is infected, it will try to infect other systems even as the user tries to disable Bluetooth from the system settings.

Replication

Cabir.H replicates over Bluetooth in a velasco.sis file that contains the worm's main executable velasco.app, the system recognizer marcos.mdl and the resource file velasco.rsc. The SIS file contains autostart settings that will automatically execute velasco.app after the SIS file is installed.

The velasco.sis file will not arrive automatically at the target device, so the user needs to answer yes to the transfer question while the infected device is still in range.

When the Cabir.H worm is activated it will start looking for other Bluetooth devices, and starts sending infected velasco.sis files to the first device it finds. After the first target phone is out of range, Cabir.H will continue searching for and infecting other phones.

This modification in the replication mechanism will make it more likely that Cabir.H will spread quickly once in the wild.

Infection

When the velasco.sis file is installed, the installer will copy the worm executables into the following locations:
c:\system\apps\velasco\velasco.rsc
c:\system\apps\velasco\velasco.app
c:\system\apps\velasco\flo.mdl

When velasco.app is executed it copies the following files:
flo.mdl to c:\system\recogs
velasco.app to c:\system\symbiansecuredata\velasco\
caribe.rsc to c:\system\symbiansecuredata\velasco\

This is most likely done in case the user installs the application to the memory card, or to avoid the user trying to disinfect the worm by uninstalling the original SIS file.

Then the worm will recreate the velasco.sis file from the worm component files and data blocks that are in velasco.app.

After recreating the velasco.sis file the worm starts to look for all visible Bluetooth devices and sends the SIS file to them.
#8  nokia-6600, 05-24-2005, 03:03 PM

NAME: Cabir.E
ALIAS: SymbOS/Cabir.E, EPOC/Cabir.E, Worm.Symbian.Cabir.E, [YUAN] virus

Summary

Cabir.E is a minor variant of Cabir.B; the only significant differences are that Cabir.E displays different text in the start dialog when the worm starts, and that Cabir.E spreads as [YUAN].SIS instead of Cabir.SIS.

Cabir.E displays the text "[YUAN]" while Cabir.B displays text that contains just "Caribe".

Cabir.E is a minor hex-edit variant of Cabir.B, with the exception of the new filename and the different text displayed at worm start. Cabir.E behaves identically to Cabir.B.
#9  nokia-6600, 05-24-2005, 03:04 PM

NAME: Cabir.D
ALIAS: SymbOS/Cabir.D, EPOC/Cabir.D, Worm.Symbian.Cabir.D, MYTITI virus

Summary

Cabir.D is a minor variant of Cabir.B; the only significant differences are that Cabir.D displays different text in the start dialog when the worm starts, and that Cabir.D spreads as MYTITI.SIS instead of Cabir.SIS.

Cabir.D displays the text "Mytiti" while Cabir.B displays text that contains just "Caribe".

Cabir.D is a minor hex-edit variant of Cabir.B, with the exception of the new filename and the different text displayed at worm start. Cabir.D behaves identically to Cabir.B.
#10  nokia-6600, 05-24-2005, 03:05 PM

NAME: Lasco.A
ALIAS: SymbOS/Lasco.A, EPOC/Lasco.A

Summary

Lasco.A is a Bluetooth-using worm and SIS file infecting virus that runs on Symbian mobile phones that support the Series 60 platform.

Lasco.A replicates over Bluetooth connections and arrives in the phone's messaging inbox as a velasco.sis file that contains the worm. When the user clicks velasco.sis and chooses to install the velasco.sis file, the worm activates and starts looking for new devices to infect over Bluetooth.

When the Lasco worm finds another Bluetooth device it will start sending copies of the velasco.sis file to it, as long as the target phone is in range. Like Cabir.H, Lasco.A is capable of finding a new target after the first one has gone out of range.

In addition to sending itself over Bluetooth, Lasco.A is also capable of replicating by inserting itself into other SIS files found on the device. Then, if such Lasco.A-infected SIS files are copied to another device, the Lasco.A install will start inside the first installation task, asking the user whether to install Velasco.

Please note that SIS files infected by Lasco.A will not be automatically sent to other devices. The only way to get infected by a Lasco.A-infected file other than the original Velasco.SIS is to manually copy and install it on another device.

Lasco.A is based on the same source as Cabir.H and is very similar to it. The main difference between Cabir.H and Lasco.A is the SIS file infection routine.

Please note that the Lasco worm can reach only mobile phones that support Bluetooth and are in discoverable mode.

Setting your phone into non-discoverable (hidden) Bluetooth mode will protect your phone from the Cabir worm.

But once the phone is infected, it will try to infect other systems even as the user tries to disable Bluetooth from the system settings.

F-Secure Mobile Anti-Virus will detect Lasco.A and delete the worm components. After deleting the worm files you can delete this directory: c:\system\symbiansecuredata\velasco\

Replication over Bluetooth

Lasco.A replicates over Bluetooth in a velasco.sis file that contains the worm's main executable velasco.app, the system recognizer marcos.mdl and the resource file velasco.rsc. The SIS file contains autostart settings that will automatically execute velasco.app after the SIS file is installed.

The velasco.sis file will not arrive automatically at the target device, so the user needs to answer yes to the transfer question while the infected device is still in range.

When the Lasco.A worm is activated it will start looking for other Bluetooth devices, and starts sending infected velasco.sis files to the first device it finds. After the first target phone is out of range, Lasco.A will continue searching for and infecting other phones.

This modification in the replication mechanism will make it more likely that Lasco.A will spread quickly once in the wild.

Replication by infecting SIS files

Lasco.A also replicates by searching the infected device for all SIS installation files and infecting them by adding the velasco.sis installation file as the last file in the SIS archive.

Lasco.A will also modify the infected SIS file header so that the embedded Velasco SIS installation will start automatically after the host SIS file is installed. But while the Lasco.A installation is started automatically, the installation sequence will still be normal: the user will be asked whether he wants to install Velasco, and the user will get a warning about the missing signature in the SIS file.

Infection

When the velasco.sis file is installed, the installer will copy the worm executables into the following locations:
c:\system\apps\velasco\velasco.rsc
c:\system\apps\velasco\velasco.app
c:\system\apps\velasco\flo.mdl

When velasco.app is executed it copies the following files:
flo.mdl to c:\system\recogs
velasco.app to c:\system\symbiansecuredata\velasco\
velasco.rsc to c:\system\symbiansecuredata\velasco\

This is most likely done in case the user installs the application to the memory card, or to avoid the user trying to disinfect the worm by uninstalling the original SIS file.

Then the worm will recreate the velasco.sis file from the worm component files and data blocks that are in velasco.app.

After recreating the SIS file, Lasco.A will search for all SIS files on the device, add itself to those files and modify the SIS file header so that the Lasco.A embedded in the target SIS files will activate automatically upon install of that SIS file on the device.
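The Lasco.A post above says the worm infects other SIS files by appending velasco.sis as the last file in the host archive, so the host ends up carrying a second, complete SIS file inside it. The script below is an added example (not code from the thread, from F-Secure or from any vendor) of the cheap triage check that follows from that: look for a second SIS header past offset 0. It relies on two pre-Symbian OS 9 SIS header constants that the author of this example takes as given and which are not stated in the thread: every SIS file starts with four little-endian 32-bit UIDs, of which UID2 is 0x1000006D and UID3 is 0x10000419 (UID1 is the package's own UID, UID4 a checksum). The sample files, including the 0x1000DEAD UID given to the stand-in worm package, are constructed here and are not real malware bytes; an embedded SIS stored compressed by the host would not be found by this check.

```python
"""Heuristic: does this SIS file carry another SIS file inside it?

Added example for the Lasco.A post; not the thread's or any vendor's code.
Assumed (not from the thread): the pre-Symbian 9 SIS header is
UID1 (package UID), UID2 = 0x1000006D, UID3 = 0x10000419, UID4 (checksum),
each a little-endian 32-bit word. A Lasco.A-style host appends velasco.sis
uncompressed, so the fixed UID2/UID3 pair shows up again past offset 0.
"""
import struct

SIS_UID2 = 0x1000006D
SIS_UID3 = 0x10000419
SIS_MAGIC = struct.pack("<II", SIS_UID2, SIS_UID3)  # bytes 4..11 of every SIS header


def sis_header_offsets(data: bytes):
    """Offsets at which a SIS header starts (UID1 sits 4 bytes before the magic)."""
    offsets = []
    pos = data.find(SIS_MAGIC)
    while pos != -1:
        if pos >= 4:
            offsets.append(pos - 4)
        pos = data.find(SIS_MAGIC, pos + 1)
    return offsets


def embedded_sis(data: bytes):
    """(uid1, offset) for every SIS header found anywhere except at offset 0."""
    found = []
    for off in sis_header_offsets(data):
        if off == 0:
            continue
        uid1 = struct.unpack_from("<I", data, off)[0]
        found.append((uid1, off))
    return found


def looks_infected(data: bytes) -> bool:
    """True when the blob is itself a SIS file and carries at least one embedded SIS."""
    return sis_header_offsets(data)[:1] == [0] and bool(embedded_sis(data))


def fake_sis(uid1: int, body: bytes) -> bytes:
    """Constructed stand-in for a SIS file: 16-byte UID header plus an opaque body.
    UID4 is left as zero because this scanner never verifies the checksum."""
    return struct.pack("<IIII", uid1, SIS_UID2, SIS_UID3, 0) + body


# Constructed samples (not real files). UIDs are hypothetical.
CLEAN_HOST = fake_sis(0x10001234, b"\x00" * 64 + b"BugMe.app" + b"\x00" * 32)
VELASCO = fake_sis(0x1000DEAD, b"velasco.app" + b"\x00" * 16)
INFECTED_HOST = CLEAN_HOST + VELASCO  # Lasco.A appends its SIS as the last entry

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        hits = [(hex(uid), off) for uid, off in embedded_sis(blob)]
        print(f"{name}: infected={looks_infected(blob)} embedded={hits}")
```

Treat a hit as a reason to look closer rather than as a verdict: legitimate packages can ship embedded SIS files too, so the next step is to check whether the embedded package's UID1 and file names match what the host's vendor would plausibly bundle.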