Updated Symbian OS Mobile Phone Virus Info

[tang kiat chung]

Nokia Anti-Virus.sis is a very destructive malwares which act like Fontal.A virus. It pretend to like an Anti-virus third party application, that is Kaspersky Anti-Virus, in fact, it doesn't, it automatically installed a corrupted fonts into the phone memory, causing the phone fail to boot itself.

This virus has been tested using the following phones:

-NOKIA 3660(SYmbian OS 6.1)
-NOKIA 7610(Symbian OS 7.0)
-NOKIA 6680(Symbian OS 8.0)

Positive analysis results:

NOKIA 3660(SYmbian OS 6.1), NOKIA 7610(Symbian OS 7.0) and NOKIA 6680(Symbian OS 8.0) Series 60 devices are confirmed that this virus can executes itself on those devices. When this virus executes on older Series 60 version, that is (Nokia 3650/3660/7650/N-GAGE), the phone may fail to boot permanently, no any other solution may fix it, unless the phone has been flashed. While this virus executes on NOKIA 7610, the phone keep showing NOKIA logo several times and shut down itself after that. For NOKIA 6680, it keep showing NOKIA logo only.





For Series 60 device which run on Symbian OS 7.0 or higher, this virus can be fixed by format the phone using 'secret' code



This Virus installed the following files which disable the phone system to boot:

c:/system/fonts.Kaspersky.gdr


This virus doesn't contains any valid digital certificate but it show the following text while installing the symbian installation file:


The infected phone will keep showing 'NOKIA' logo and fail to boot. The main target of this virus created by virus writters is to attacks and delete user data in the phone system causing all important contacts, messages, settings and data loss unworthy.


This virus has been pass to Anti-virus company to update their virus definition to ensure user protected from such destructive malwares. Updated virus definition will be availabel soon, no worries. For Series60 symantec anti-virus products and Series60 Simworks Anti-virus, user can get protected from this malwares via wireless update. To ensure that your phone always free from malware, please don't installed any other unknown source third party application.


Virus detected on 13th June 2005 and virus analyzed by Mobile World Virus Researchers on 13th June 2005. Copyright © 2005 by Mobile World Online Community.

[tang kiat chung]

X-Ray Full byDotSis is a new version of skulls virus. This virus is spreading in X-Ray Full byDotSis.zip which is a very famous application that I heard before. By the way, the virus had been edited by hackers, the icons is change into red color box with a skulls image and showing 'Danger Keep out" word in the phone.


This virus will disabled most of the application in symbian handsets. When this virus has been activated and after the phone has restart itself, it will disable most of the phone functionality by replacing a corrupted file into the phone system. It will change the normal icon into a red icon with the name of 'Khalid'. This virus seems to disable a huge number of well known application, that is almost 62 application has been disable by it.

Virus tested using the following handsets:

NOKIA 6680 (Symbian OS 8.0)
NOKIA 3660 (Symbian OS 6.1)

This virus is the first virus that disabled the InfraRed functionality of the phone.. Therefore, this implies that hackers are much more advance to creates a malware. So far, if this virus executes, no any other deletion method found to be useful, only hard reset it will fix it.


Positive Analysis Reports:
This virus is tested using these two handsets, NOKIA 6680 and NOKIA 3660 and positively, it shows that it can successfully executes on Symbian OS 6.1 and Symbian OS 8.0.



This Virus doesn't contain any signed digital certificate that user may take warning at the first time before this virus installed into targeted directory. This virus has disable most application by installing the following files:

-Type: Simple File

-!:\System\Apps\ScreenSaver\ScreenSaver.app
-!:\System\Apps\ScreenSaver\ScreenSaver.aif
-!:\System\Apps\SchemeApp\SchemeApp.app
-!:\System\Apps\SchemeApp\SchemeApp.aif
-!:\System\Apps\Satui\Satui.app
-!:\System\Apps\Satui\Satui.aif
-!:\System\Apps\PushViewer\PushViewer.app
-!:\System\Apps\PushViewer\PushViewer.aif
-!:\System\Apps\PSLN\PSLN.app
-!:\System\Apps\PSLN\PSLN.aif
-!:\System\Apps\ProfileApp\profileapp.app
-!:\System\Apps\ProfileApp\ProfileApp.aif
-!:\System\Apps\Pinboard\Pinboard.app
-!:\System\Apps\Pinboard\Pinboard.aif
-!:\System\Apps\Phonebook\Phonebook.app
-!:\System\Apps\Phonebook\Phonebook.aif
-!:\System\Apps\Phone\Phone.app
-!:\System\Apps\Phone\Phone.aif
-!:\System\Apps\NSmlDSSync\NSmlDSSync.app
-!:\System\Apps\NSmlDSSync\NSmlDSSync.aif
-!:\System\Apps\NpdViewer\NpdViewer.app
-!:\System\Apps\NpdViewer\NpdViewer.aif
-!:\System\Apps\Notepad\Notepad.app
-!:\System\Apps\Notepad\Notepad.aif
-!:\System\Apps\MsgMailViewer\MsgMailViewer.app
-!:\System\Apps\MsgMailViewer\MsgMailViewer.aif
-!:\System\Apps\MsgMailEditor\MsgMailEditor.app
-!:\System\Apps\MsgMailEditor\MsgMailEditor.aif
-!:\System\Apps\MmsViewer\MmsViewer.app
-!:\System\Apps\MmsViewer\MmsViewer.aif
-!:\System\Apps\MmsEditor\MmsEditor.app
-!:\System\Apps\MmsEditor\MmsEditor.aif
-!:\System\Apps\mmcapp\mmcapp.app
-!:\System\Apps\mmcapp\mmcapp.aif
-!:\System\Apps\MediaSettings\MediaSettings.app
-!:\System\Apps\MediaSettings\MediaSettings.aif
-!:\System\Apps\MediaPlayer\MediaPlayer.app
-!:\System\Apps\MediaPlayer\MediaPlayer.aif
-!:\System\Apps\MediaGallery\MediaGallery.app
-!:\System\Apps\MediaGallery\MediaGallery.aif
-!:\System\Apps\mce\mce.app
-!:\System\Apps\mce\mce.aif
-!:\System\Apps\Logs\Logs.app
-!:\System\Apps\Logs\Logs.aif
-!:\System\Apps\ImageViewer\ImageViewer.app
-!:\System\Apps\ImageViewer\ImageViewer.aif
-!:\System\Apps\GS\gs.app
-!:\System\Apps\GS\GS.aif
-!:\System\Apps\FileManager\FileManager.app
-!:\System\Apps\FileManager\FileManager.aif
-!:\System\Apps\FExplorer\FExplorer.app
-!:\System\Apps\FExplorer\FExplorer.aif
-!:\System\Apps\DdViewer\DdViewer.app
-!:\System\Apps\DdViewer\DdViewer.aif
-!:\System\Apps\cshelp\cshelp.app
-!:\System\Apps\cshelp\cshelp.aif
-!:\System\Apps\Converter\converter.app
-!:\System\Apps\Converter\Converter.aif
-!:\System\Apps\ConnectionMonitorUi\ConnectionMonit orUi.app
-!:\System\Apps\ConnectionMonitorUi\ConnectionMonit orUi.aif
-!:\System\Apps\CodViewer\CodViewer.app
-!:\System\Apps\CodViewer\CodViewer.aif
-!:\System\Apps\ClockApp\ClockApp.app
-!:\System\Apps\ClockApp\ClockApp.aif
-!:\System\Apps\CERTSAVER\CERTSAVER.APP
-!:\System\Apps\CERTSAVER\CERTSAVER.aif
-!:\System\Apps\CbsUiApp\CbsUiApp.app
-!:\System\Apps\CbsUiApp\CbsUiApp.aif
-!:\System\Apps\Calendar\Calendar.app
-!:\System\Apps\Calendar\Calendar.aif
-!:\System\Apps\Calcsoft\Calcsoft.app
-!:\System\Apps\Calcsoft\Calcsoft.aif
-!:\System\Apps\bva\bva.app
-!:\System\Apps\bva\bva.aif
-!:\System\Apps\BtUi\BtUi.app
-!:\System\Apps\BtUi\BtUi.aif
-!:\System\Apps\Browser\Browser.app
-!:\System\Apps\Browser\Browser.aif
-!:\System\Apps\Autolock\Autolock.app
-!:\System\Apps\Autolock\Autolock.aif
-!:\System\Apps\AppInst\Appinst.app
-!:\System\Apps\AppInst\AppInst.aif
-!:\System\Apps\About\About.app
-!:\System\Apps\About\About.aif
-!:\System\Apps\FaxModemUi\FaxModemUi.app
-!:\System\Apps\FaxModemUi\FaxModemUi.aif
-!:\System\Apps\IrApp\IrApp.app
-!:\System\Apps\IrApp\IrApp.aif
-!:\System\Apps\Camera\Camera.app
-!:\System\Apps\Camera\Camera.aif
-!:\System\Apps\VideoRecorder\VideoRecorder.app
-!:\System\Apps\VideoRecorder\VideoRecorder.aif
-!:\System\Apps\AppMngr\Appmngr.app
-!:\System\Apps\AppMngr\AppMngr.aif
-!:\System\Apps\Tee222\Tee222_CAPTION.rsC
-!:\System\Apps\Tee222\Tee222.rsc
-!:\System\Apps\Tee222\Tee222.aif
-!:\System\Data\welcomeimage.mbm
-!:\System\Data\backgroundimage.mbm




It will not replicates itself or drop any cabir variants via bluetooth.

It will shows the following text while installation is in progress:





This virus has been sent out to Anti-Virus company to let them further analyze this virus. Updated virus definition will be published by them soon.

This virus samples is detected in warez site. I found this because they complained to me that this file seems to badly attack their phone. For those who love to install warez to their phone should know what is 'DotSIS', therefore, I hope this virus will warning you guys not to support warez anymore.

By the way, the virus researchers in an Anti-virus told me that they have found two new cabir/caribe variants that is an edited version of cabir.B. Mobile malwares proof to be exixts more in the future because they exists one by one in just a short time.

Virus detected on 17th June 2005 and virus analyzed by Mobile World Virus Researchers on 17th June 2005. Copyright 2005 by Mobile World Online Community.

[tang kiat chung]

Symantec anti-virus is one of the anti-virus application that built in with powerful firewall functionality. This AV product will automatically startup each time the phone switch on, besides, so far, no any other known mobile malwares which can disable and replace a corrupted file to disable this AV products, anyway, users are advice to keep updated their virus definition to ensure protected from latest mobie threats.

When tested using skull variants that I have installed into the NOKIA 6680, before any infected file that target to install certanin directory in the phone or memory card, it will pop a message stating that what virus is trying to gain access into the phone system and prompt user whether they allow to permit the action or not. Refer to the above image for more details:



If user accidentally installed the malwares into the phone and the malwares successsfully gain access to certain folder and cause phone system to crash, the phone will look like the above image:



By disinfecting the phone, I have run the Symantec AV products to scan virus, although the scan time take a bit long to perform the scan(Usually depends on user, if users phone memory or memory card ccupied a large amount of space, sure, it takes a long time to perform its action), but, I think is worth, because it scan one by one and sure its scanning engine is more accurate if compare with others AV product. When the scanning is in proccess, it will look like the above image, with stated how many virus has been found and what directory is currently scanning.



When scanning is complete, it will pops up a message stating that how many virus is detected and show what virus is infecting the phone, sadly, Symantec AV company didn't implement a command to delete all infected files one-time-go, but it prompt users to delete them one by one which is wasting of time. Besides, although it scanning engine is much more accurate if compare with other products, but it fail to perform its 'Anti-Virus' functionality, after I have deleted all the infected file and the phone has been restarted, the same thing happen, the malwares is still exists in targeted directory.



Generally, till date, non of the Anti-Virus products for Symbian Operating System that I found that can be effectively cure or fix mobile virus. After analyze those viruses, I prefer manual deletion method rather then using Ani-Virus scanning engine to delete it. All I can conclude is, Series 60v anti-virus products currently only can spot where the malwares has been installed only.

Anyway, Symantec anti-virus that built in with strong firewall functionality is the most powerful anti-virus application that I have tested, that is, it will prompt users whether they allow or deny the infected file to be installed in targeted directory. But sadly, ths products can fixed infected files effectively.


Virus and Anti-Virus product tested by Mobile World Virus Researchers on 13th June 2005.

[MihaiM]

Excelent topic

[jabxyz]

Beware! Guys, I guess that I will never figure some people out. Please read up on this and beware.
http://www.eweek.com/article2/0,1759,1827394,00.asp

[angel_wing0]

wow...worthy to be a sticky

[tang kiat chung]

Guys, I am here to inform you guys that SimWorks, McAfee, and F-secure have the latest virus definition of those malwares found recently. Kindly please update your virus definition.



Image by F-SECURE, Jarno Niemela.

[angel_wing0]

Guys, I am here to inform you guys that SimWorks, McAfee, and F-secure have the latest virus definition of those malwares found recently. Kindly please update your virus definition.



Image by F-SECURE, Jarno Niemela.

i wonder why they dont have it with n91 yet...

[mtc2300]

Exosyphen Current version : 1.01.016 (March 30, 2006)

http://www.exosyphen.com/page_exovirusstop.html