Again I would like to acknowledge Sir Calvin Tang, the developer of CalvinStinger, Rocky and Sir Eldogg for sharing this information.

PHONE BOOK STEALER

Description:
This mobile virus is interesting because it steals the user's phonebook data, compiles it into a text file and sends it through Bluetooth without user confirmation. So far, this is the first Symbian virus I've seen that steals user data without user confirmation and sends it to other Bluetooth-supported devices.

Affected Platforms:
Tested on:
· Nokia 6680
· Nokia 3660
Affected:
· Nokia 6680

Analysis/Observation:
This trojan is distributed as an application file and spreads as pbexplorer.SIS.

Symptoms:
When the user tries to install this suspicious *.SIS file, the installation process looks like the screenshot shown below:

After installation completes, the application is set to run automatically and displays the following text:
________________
Phone Book
Compacting
by: lajel 202u
please wait…
________________
________________________
Compacting
your contact(s),
step 2
Please wait again until done…
After the malicious process is done, it pops up a message: "Done!!!"
If the user presses [OK], the malicious program ends itself and, after some time, starts searching for Bluetooth devices and sends all the phonebook information in a text file via Bluetooth.

Prevention:
This malware requires that the user intentionally install it on the device. As always, users should never install third-party applications from unknown sites.

How to uninstall:
Use the latest version of CalvinStinger© Symbian Viruses Disinfection Tool.

Special Announcement:
Recently some fellows from Indonesia have been spreading Symbian malware widely in Yahoo Group, and it is recommended not to download any file from there.
SYMBIAN TROJAN
Mabtal.A

Profimail v2.75_FULL.SIS/SymbOS Mabtal.A is a SIS file malware that pretends to be a cracked version of Profimail, a very popular third-party e-mail application on the Symbian platform. In fact, it is malware that drops Mabir.A, Caribe and Fontal variants into the phone system. It also drops some corrupted binary files, which cause the phone to auto-restart and show a fatal error message. After that, the phone permanently fails to boot up.

Suspicious file tested using the following handsets:
NOKIA 3660 (Symbian OS 6.1)
NOKIA 6680 (Symbian OS 8.0)

Positive analysis results:
When tested using the above handsets, both platforms were affected. When the user tries to install the suspicious file on the phone, it looks like the image below:
While the suspicious file is installing, it shows a message as shown below:
This suspicious file automatically installs all of its files into the phone memory. The Cabir virus starts spreading via Bluetooth and keeps listening for incoming messages. When any SMS/MMS message arrives on the phone, the Mabir.A virus immediately sends itself out via MMS in order to spread.
When the user tries to open the Profimail and ProfiExplorer third-party applications, an error message may be displayed, as shown below:
After the device has restarted, the corrupted fonts permanently prevent it from booting up.
Using the hash-number-matching method, the following files were proved to be malware files while analysis work is in progress:
11×12 euro_fonts.gdr detected as SymbOS.Fontal.A
CARIBE0.APP detected as SymbOS.Mabir.A
CARIBE0.RSC detected as SymbOS.Cabir
flo0.mdl detected as SymbOS.Mabir.A
flo.mdl detected as SymbOS.Mabir.A
caribe.app detected as SymbOS.Mabir.A
caribe.rsc detected as SymbOS.Cabir
Appinst.app detected as SymbOS.Cabir.U2
Appinst.aif detected as SymbOS.Cabir.U2
This malware doesn't come with any valid digital certificate, but it can replicate itself via Bluetooth or MMS (Mabir.A), and it will cause severe damage to Symbian OS 6.1 handsets!



