
List of application names the viruses disguise themselves as:

VIRUS - FILENAME:

Cabir.A - caribe.sis
Cabir.B - caribe.sis/Norton Antivirus 2004 Professional.sis
Cabir.C - ni&ai-.sis/mytiti.sis/Norton Antivirus 2004 Professional.sis
Cabir.D - mytiti.sis/Norton Antivirus 2004 Professional.sis
Cabir.E - [YUAN].sis
Cabir.F - Skulls.sis
Cabir.G - Tee222.sis
Cabir.H - velasco.sis
Cabir.I -
Cabir.J -
Cabir.K -
Cabir.L - skulls.sis
Cabir.M - free$8.sis
Cabir.N - -SEXY-.sis
Cabir.O - mobile.sis
Cabir.P - 22207-.sis
Cabir.Q - Crazy!.sis
Cabir.S - guan4u.sis
Cabir.T - iLoveU.sis
Cabir.U - SEXXXY.sis
Cabir.V - GAVNOR.SIS
Cabir.Y - symTEE.SIS

CabirDropper.A -

Skulls.A - extended theme.sis/extended theme managre.sis
Skulls.B - camtimer.sis/icons.sis
Skulls.C - T2 RS3AS.sis/skull.sis
Skulls.D - Flash_1[1].1_Full_DotSiS.sis/Macromedia_Flash_1.1_Full_DotSiS.sis
Skulls.E - Mariya.sis/ThNdRbRd !.sis
Skulls.F - Impro.sis/Simworks.sis/WMAcodec.sis
Skulls.G - CALVIN SAMPLE VIRUS.SIS
Skulls.H - NokiaGuard.sis/ScreenSaver.sis
Skulls.I -
Skulls.J -
Skulls.K -
Skulls.L - F-secure_Antivirus_OS7.sis
Skulls.M - X-Ray Full byDotSis.SIS

MGDropper.A - SEXXXY.sis/metal_gear.sis
MGDropper.B - MetalGear_by_scar69.sis
MetalGear.A -

Lasco.A - velasco.sis/EGBoy a925.sis

Locknut.A - patch.sis
Locknut.B - MMFpatch.sis
Locknut.C -
Locknut.D -
Locknut.E -
Locknut.F -

Mosquit.A/QDail26.A - Mosquitos Cracked by Soddom.sis/Mosquitos Cracked by Soddom V2.0.sis

Dampig.A - Fscaller3.2Crack7610.sis/vir.sis

Commwarrior.A - 9i1sv8ek.sis/pm85q_bx.sis/pm85q_bx.sis/22qrly9gl.sis/t5or921.sis or com.sis
Commwarrior.B - COMMWARRIOR.ZIP

Drever.A - Antivirus.sis
Drever.B - Simworks_update.zip
Drever.C - New_bases_and_crack_for_antiviruses.sis
Drever.D -

Hobbes.A - Symantec.SIS

Mabir.A - info.sis/cabir.sis

Fontal.A - Kill Saddam By OID500.sis


Fontal.B - Nokia Anti-Virus.sis

Appdisabler.A -
Appdisabler.B -

Filenames used by the 52 new trojans:


PHONE BOOK STEALER

Description:

This mobile virus is interesting: it steals the user's phonebook data, compiles it into a
text file and sends it over Bluetooth without user confirmation.

So far, this is the first Symbian virus I've seen that steals user data without user
confirmation and sends it to other Bluetooth-enabled devices.

Affected Platforms:

Tested on:

· Nokia 6680
· Nokia 3660

Affected:

· Nokia 6680

Analysis/Observation:

This trojan is distributed as an application file and spreads as pbexplorer.SIS.

Symptoms:

When the user tries to install this suspicious *.SIS file, the image shown below is a
screenshot taken during the installation process:

After installation completes, the application is set to run automatically and displays
the following text:
 ________________
| Phone Book     |
| Compacting     |
| by: lajel 202u |
|                |
| please wait... |
|________________|

 ________________________
| Compacting             |
| your contact(s),step 2 |
|                        |
| Please wait again      |
| until done...          |
|________________________|

After the malicious process finishes, it pops up a message:

"Done!!!"

If the user presses [OK], the malicious program ends itself; after some time, it starts
searching for Bluetooth devices and sends all phonebook information as a text file via
Bluetooth.

Prevention:

This malware requires that the user intentionally install it on the device. As always,
users should never install third-party applications from unknown sites.

How to uninstall:

Use the latest version of the CalvinStinger© Symbian Viruses Disinfection Tool.


SYMBIAN TROJAN--Mabtal.A

Profimail v2.75_FULL.SIS / SymbOS Mabtal.A is a SIS file malware that pretends to be a
cracked version of Profimail, a very popular third-party e-mail application on the
Symbian platform. In fact it is malware that drops Mabir.A, Caribe and Fontal variants
into the phone system; it also drops some corrupted binary files, which cause the phone
to auto-restart and show a fatal error message. After that the phone permanently fails
to boot up.

The suspicious file was tested on the following handsets:

NOKIA 3660 (Symbian OS 6.1)
NOKIA 6680 (Symbian OS 8.0)

Positive analysis results:

When tested on the above handsets, both platforms were affected. When the user tries to
install the suspicious file on the phone, it looks like the image below:

While installing the suspicious file, it shows the message below:

This suspicious file automatically installs all its files into phone memory. The Cabir
virus starts spreading via Bluetooth and keeps listening for incoming messages; when any
SMS/MMS message arrives on the phone, the Mabir.A virus immediately sends itself out via
MMS in order to spread.

When the user tries to access the Profimail and ProfiExplorer third-party applications,
an error message like the one below may be displayed:

After the phone restarts, the corrupted fonts leave the device permanently unable to
boot up.

By using the hash-matching method, the following files were proven to be malware
while analysis was in progress:

11x12 euro_fonts.gdr detected as SymbOS.Fontal.A
CARIBE0.APP detected as SymbOS.Mabir.A
CARIBE0.RSC detected as SymbOS.Cabir
flo0.mdl detected as SymbOS.Mabir.A
flo.mdl detected as SymbOS.Mabir.A
caribe.app detected as SymbOS.Mabir.A
caribe.rsc detected as SymbOS.Cabir
Appinst.app detected as SymbOS.Cabir.U2
Appinst.aif detected as SymbOS.Cabir.U2

This malware does not come with any valid digital certificate, but it can replicate itself
via Bluetooth or MMS (Mabir.A), and it causes severe damage to Symbian OS 6.1 handsets!

SplinterCell-ChaosTheory_S60_cracked-XiMPDA.SIS OR SymbOS/Skudoo.A

This is a Series 60 trojan that installs the Skulls trojan, MGDropper, Commwarrior,
Doomboot.A and Cabir into the targeted device. When this trojan executes, most of the
applications on the phone are replaced with non-functional or corrupted files, so the
applications can no longer run as usual. It fails to attack the NOKIA 6680 once the phone
has been restarted. However, McAfee AVERT mentioned that this trojan causes the phone to
fail to reboot on the next restart by the user.

It is also the first mobile trojan in the world capable of propagating both the MGDropper
virus and the Commwarrior virus.

It also contains the image shown below, which I found when I extracted the *.SIS file:

Some of the blank icons that the trojan drops are actually coded to auto-restart the phone;
once the phone has been restarted, the phone's menu no longer functions, which totally
locks the whole phone.

When the user tries to install the trojan on the phone, the symptoms are as shown below:

While installing the suspicious file on the phone, it pops up a message as shown below:

Skulls.CB [McAfee]

This virus claims to be a third-party application, but in fact it is a trojan that drops
several non-functional system files and corrupted fonts into the phone system, causing
puzzle-like and blank icons to appear on the phone.

Users should be alert to this suspicious file when the following symptoms, shown in the
images below, appear:

When the user tries to install it on the phone:

This message pops up during the installation process:

The phone will look like this:

Never click on the blank icon, as it automatically restarts the phone, and the phone then
fails to reboot because of the malware.

This malware spreads as Fontal.C.sis


Blankfont.A

Blankfont.A is a SIS file trojan that installs a corrupted font file onto the infected
device. The corrupted font does not cause the device to crash, but if the device is
rebooted it loses the system font and is unable to display user-interface text.

If a phone is infected with Blankfont.A, it must not be rebooted, as the trojan will then
corrupt the system font and make disinfection quite difficult. If the phone is rebooted it
can still be disinfected, but doing so is rather difficult as there is no text on the
screen.

Spreads as Rally_2.sis

Symbian – Skudoo.C/Skudoo.D

Description:

Symbian/Skudoo.C-D are Skulls variants with parts of Doomboot. Variant C also drops
Commwarrior.B. Variant D drops MGDropper. They appear to be repackaged collections
of recent malware.

Affected Platforms:

Tested on:

· Nokia 6600

Affected:

· Nokia 6600

Payload

The Skulls and MGDropper files disable native system applications and some third-party
applications. The dropping of Doomboot makes the device unable to reboot; therefore,
once the device has been restarted, the impact of the Skulls and MGDropper files is no
longer an issue. The CommWarrior dropped by Skudoo.C will spread.

Figure 1 Desktop screen of Skudoo.C


Analysis/Observation

Both variants have filenames implying that they are pirated versions of video games.
Variant C claims to be a cracked version of Need for Speed. Variant D claims to be
“Carmageddon_3D_s60_BETA.sis”.

Prevention

Both variants require that the user intentionally install them on the device. As always,
users should never install unknown or untrusted software. This is especially true for
illegal software, such as cracked applications; they are a favorite vector for malware
infection.

How to uninstall

If the device has been rebooted, a hard reset must be performed for recovery.

For Skudoo.D, as all malicious files are installed on the external memory card, removing
the card will restore full use of the phone.

Symbian – Skudoo.E-F

Description:

Symbian/Skudoo.E-F are Skulls variants with parts of Doomboot and BlankFont. Variant E
also drops Commwarrior.B. They appear to be repackaged collections of recent malware.

Affected Platforms:

Tested on:

· Nokia 6600
· Nokia 7610

Affected:

· Nokia 6600
· Nokia 7610

Payload:

The Skulls files disable native system applications and some third-party applications.
The dropping of Doomboot and BlankFont makes the device unable to reboot; therefore,
once the device has been restarted, the impact of the Skulls files is no longer an issue.
The CommWarrior dropped by Symbian/Skudoo.E will spread.

Figure 1 Virus.jpg dropped by Skudoo.F

Analysis/Observation:

Symbian/Skudoo.E is distributed in a SIS file named “pop corn.sis”. Variant F is
distributed in a SIS file named “Rally 3.sis”.

Prevention:

Symbian/Skudoo.E requires that the user intentionally install it on the device. As
always, users should never install unknown or untrusted software. This is especially true
for illegal software, such as cracked applications; they are a favorite vector for malware
infection.

How to uninstall:

If the device has been rebooted, a hard reset must be performed for recovery.

SymbOS\Commwarrior.C

Description:

SymbOS\Commwarrior.C contains the Commwarrior.B worm and appears to be packed together
with a cracked application, naming itself Speed Overclock v3-1.41.SIS. It also contains
the Fontal.A trojan.

Affected Platforms:

Tested on:

· Nokia 6680

Affected:

· Nokia 6680

Payload:

Theoretically, the dropping of the Fontal.A trojan would make the device unable to reboot;
however, a 'technical error' in this file lets the phone reboot successfully even after it
has been restarted. The Commwarrior also failed to execute during analysis. No harm was
observed in the analysis process.

This trojan drops the following files:

C:\CommWarrior.A.sis
C:\Speed Overclock v3.41.sis
C:\Your Welcome.gif
C:\Fonts\Yeah Im in da house!!.gdr

Analysis/Observation:

This trojan is distributed as a Series 60 third-party application file and spreads as
Speed Overclock v3-1.41.SIS.

Image dropped by this trojan after installation:


Symptoms:

When the user tries to install this suspicious file, the images below are screenshots
taken during the installation process:

Prevention:

Commwarrior.C requires that the user intentionally install it on the device. As always,
users should never install third-party applications from unknown sites. Note that this
trojan is spreading on some of the sites that host Series 60 THEME files.

How to uninstall:

Go to the application manager and uninstall Speed Overclock v3-1.41.SIS

SymbOS/CardBlock.A (F-SECURE)

Description:

SymbOS/CardBlock.A contains none of the previously found trojans, but it is capable of
deleting the phone's system data files and it blocks the memory card from being
accessed.

Affected Platforms:

Tested on:

· Nokia 6680
· Nokia 3660

Affected:

Nokia 6680 ONLY

Analysis/Observation:

This trojan is distributed as an application file and spreads as
instantsis.v2.1.cracked.by.binzpda.SIS.

Symptoms:

When the user tries to install this suspicious file, the image shown below is a screenshot
taken during the installation process:

SymbOS/CardBlock.A claims to be a Series 60 third-party application. Upon installation
an agreement is shown, asking the user whether he or she agrees with the listed terms and
wants to proceed to the next step to finalize the installation.

After installation completes, the application icon is shown on the phone as below:

Method of Infection

This trojan executes itself only when the user tries to access it.

When the user tries to access the suspicious application, it looks like the image below:

When the user opens the options panel and proceeds to "Send>Via Bluetooth", the trojan
starts to execute: the phone starts to hang and lag, and the memory card is locked with a
random password code.

It generates a different password each time it locks the media card. Further information
will be confirmed by an anti-virus firm. I personally sacrificed my 64MB DV-RS-MMC to
test this trojan, and it proved to me that it is capable of locking the memory card. Luckily
mine is a ZITRON set, so no worries for me.

When one of the component files was disassembled, the following strings were observed;
they are the phone system data locations that the trojan deletes:

C:\system\install
C:\system\data
C:\system\libs
C:\system\mail
C:\system\bootdata

After those files are damaged, the phone is prevented from starting up once it is rebooted,
and it shows the following error message:

'Phone startup failed, contact the retailer. '

Prevention:

SymbOS/CardBlock.A requires that the user intentionally install it on the device. As
always, users should never install third-party applications from unknown sites. According
to a security expert I met, this trojan is really spreading widely on WAREZ sites, so
please be alert about it!

How to uninstall:

If the phone has been rebooted, a hard reset must be applied to the phone. A
password-protected memory card can be formatted on the NOKIA 9210 only; otherwise the
user may be advised to take it back to the retailer to be sent back to the factory.

SymbOS DoomBoot.D

Description:

SymbOS DoomBoot.D contains a corrupted font file extracted from Fontal.A and appears to be
packed together with a theme file, naming itself Angelina Joulie Theme(Universal
Theme).SIS

Affected Platforms:

Tested on:

· Nokia 6680
· Nokia 3660

Affected:

· Nokia 6680
· Nokia 3660

Payload:

Theoretically, the dropping of the Fontal.A trojan would make the device unable to reboot;
however, the creator installed it into the wrong directory, so the phone reboots
successfully even after it has been restarted. No harm was observed during my testing
process.

This trojan drops the following files:

!:\ETel.dll
!:\Your Welcome.gif
!:\Fonts\Yeah Im in da house!!.gdr
!:\system\skins\616E676C\ThemesE.mbm
!:\system\skins\616E676C\ThemesE.skn

Analysis/Observation:

This trojan is distributed as a theme file and spreads as Angelina Joulie Theme(Universal
Theme).SIS. The theme looks like the image below:

Image dropped by this trojan after installation:

Symptoms:

When the user tries to install this suspicious theme file, the images above are
screenshots taken during the installation process.

Prevention:

DoomBoot.D requires that the user intentionally install it on the device. As always,
users should never install third-party applications from unknown sites. Note that this
trojan is spreading on some of the sites that host Series 60 THEME files.

How to uninstall:

Go to the application manager and uninstall Angelina Joulie Theme(Universal Theme).SIS

F-SECURE's information about this malware is wrong. There was no harm to the phone in
my analysis process; anyway, I will report it to them.

SymbOS DoomBoot.E

Description:

SymbOS DoomBoot.E contains a corrupted font file extracted from Fontal.A and appears to be
packed together with a theme file, naming itself Jennifer Lopez Theme++ by Dj
Hardcore.SIS. It also contains the Doomboot trojan.

Affected Platforms:

Tested on:

· Nokia 6680

Affected:

· Nokia 6680

Payload:

Theoretically, the dropping of the Fontal.A and DoomBoot trojans would make the device
unable to reboot; however, a 'technical error' in this file lets the phone reboot
successfully even after it has been restarted. No harm was observed during my testing
process.

This trojan drops the following files:

C:\ETel.dll
C:\Your Welcome.gif
C:\Fonts\Yeah Im in da house!!.gdr
C:\system\ETel.dll
C:\system\RECOGS\$$$.MDL
C:\system\RECOGS\YYSBootRec.mdl
C:\system\skins\f4f427bd1d9487c1\JenniferLopez.mbm
C:\system\skins\f4f427bd1d9487c1\JenniferLopez.skn
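As an added example (not code from the original write-ups), the following Python triages the destinations a SIS package drops, covering both the dropped-file lists of DoomBoot.D/E and the deleted system directories recovered from the CardBlock.A strings: `extract_paths` pulls Symbian drive paths out of a raw component, `classify_path` maps each destination to the damage the write-ups describe (boot-time recognizer modules in \system\recogs, replaced .gdr fonts, boot-critical system data, system DLL names, nested SIS files), and `recovery_hint` applies the Skudoo.D observation that files confined to the memory card go away with the card. The function names, the `\system\apps` rule and the sample binary are my assumptions; `!:` is the installer's "ask the user which drive" placeholder.

```python
"""Triage of the file paths a Symbian SIS package drops (added example)."""
import re
from typing import Dict, List, Tuple

# Symbian paths look like C:\system\data; '!' is the installer's
# "ask the user which drive" placeholder seen in the DoomBoot.D list.
_PATH_RE = re.compile(rb"[A-Za-z!]:\\[\x20-\x7e]+")

# (regex on the lower-cased path, category, reason). First match wins.
# Categories follow the behaviours described in the write-ups.
_RULES: List[Tuple[str, str, str]] = [
    (r"\\system\\recogs\\[^\\]+\.mdl$", "autostart",
     "recognizer module in \\system\\recogs is loaded at boot (Doomboot/Cabir style)"),
    (r"(\\fonts\\|\.gdr$)", "font",
     "replaces a system font; UI text or boot can fail (Fontal/Blankfont)"),
    (r"\\system\\(install|data|libs|mail|bootdata)(\\|$)", "boot-critical",
     "system data the phone needs to start (CardBlock.A deletion targets)"),
    (r"\\system\\apps\\", "app-overwrite",          # assumed rule, Skulls-style
     "overwrites an installed application (Skulls style)"),
    (r"^.:\\(system\\)?[^\\]+\.dll$", "system-dll",
     "drops a DLL under a system-server name (ETel.dll in DoomBoot.D/E)"),
    (r"\.sis$", "nested-installer",
     "carries another SIS package (CommWarrior.A.sis in Commwarrior.C)"),
    (r"\\system\\skins\\", "theme", "theme data; the benign cover"),
]
_COMPILED = [(re.compile(rx), cat, why) for rx, cat, why in _RULES]
BOOT_AFFECTING = {"autostart", "font", "boot-critical", "app-overwrite", "system-dll"}


def extract_paths(blob: bytes) -> List[str]:
    """Pull drive paths out of a binary component, as was done for CardBlock.A."""
    return [m.group(0).decode("ascii") for m in _PATH_RE.finditer(blob)]


def classify_path(path: str) -> Tuple[str, str]:
    """Return (category, reason) for one install destination."""
    low = path.lower()
    for rx, cat, why in _COMPILED:
        if rx.search(low):
            return cat, why
    return "other", "no known damage pattern"


def triage(paths: List[str]) -> Dict[str, List[str]]:
    """Group dropped paths by category."""
    out: Dict[str, List[str]] = {}
    for p in paths:
        out.setdefault(classify_path(p)[0], []).append(p)
    return out


def recovery_hint(paths: List[str]) -> str:
    """Where do the boot-affecting files land, and what does that mean for cleanup?"""
    drives = {p[0].upper() for p in paths if classify_path(p)[0] in BOOT_AFFECTING}
    if not drives:
        return "no boot-affecting files; uninstall through the application manager"
    if drives <= {"E"}:
        return "all boot-affecting files are on the memory card; removing the card restores the phone"
    if "!" in drives:
        return "installer lets the user pick the drive; if phone memory was chosen, a hard reset is needed once rebooted"
    return "boot-affecting files in phone memory; a hard reset is needed once the phone is rebooted"


# Constructed sample data: the DoomBoot.E drop list and a fake binary carrying
# the CardBlock.A directory strings, NUL-separated as they would be in a component.
DOOMBOOT_E_DROPS = [
    r"C:\ETel.dll", r"C:\Your Welcome.gif", r"C:\Fonts\Yeah Im in da house!!.gdr",
    r"C:\system\ETel.dll", r"C:\system\RECOGS\$$$.MDL", r"C:\system\RECOGS\YYSBootRec.mdl",
    r"C:\system\skins\f4f427bd1d9487c1\JenniferLopez.mbm",
]
CARDBLOCK_BLOB = (b"\x00\x7fELF-ish junk\x00C:\\system\\install\x00C:\\system\\data\x00"
                  b"C:\\system\\libs\x00C:\\system\\mail\x00C:\\system\\bootdata\x00")

if __name__ == "__main__":
    for cat, items in triage(DOOMBOOT_E_DROPS).items():
        print(cat, items)
    print(recovery_hint(DOOMBOOT_E_DROPS))
    print(triage(extract_paths(CARDBLOCK_BLOB)))
```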

Analysis/Observation:

This trojan is distributed as a theme file and spreads as Jennifer Lopez Theme++ by Dj
Hardcore.SIS. The theme looks like the image below:

Image dropped by this trojan after installation:

Symptoms:

When the user tries to install this suspicious theme file, the images below are
screenshots taken during the installation process:

Prevention:

DoomBoot.E requires that the user intentionally install it on the device. As always,
users should never install third-party applications from unknown sites. Note that this
trojan is spreading on some of the sites that host Series 60 THEME files.

How to uninstall:

Go to the application manager and uninstall Jennifer Lopez Theme++ by Dj Hardcore.SIS


The Fake Calvin Stinger

Recently a fellow from Indonesia has created a large number of mobile malware samples,
and their malicious behaviour is just the same as the Cardtrap family, that is, malware
spreading from phone to PC.

It is noticeable that Steven's (the malware creator's) work has not changed much; most of
it is just repackaged material that uses the "Skulls" technique of replacing functional
files with non-functional ones. The main difference that has caught the anti-virus firms'
attention is that most of his new samples contain a new batch file assigned to carry out
the malicious act.

Steven is trying to fool innocent users by using the name "CALVIN STINGER Anti Virus 2.0"
in his batch file, which tries to delete important system files on the C drive so that the
computer fails to reboot next time.

Well, Steven's work is very lame and old-fashioned: the "grandpa hackers" used those DOS
commands to attack computer systems a very long time ago. Shame on him, because he doesn't
realize that his batch file is a kiddie script that brings "jokes and humour" to the
anti-virus firms.

Affected Platforms:

Tested on:

· Nokia 6680
· Nokia 3660

Affected:

· Nokia 6680
· Nokia 3660

Analysis/Observation:

This trojan is distributed as an application file and spreads as BattleField 2 -
GAMELOFT.SIS.

Symptoms:

When the user tries to install this suspicious *.SIS file, the image shown below is a
screenshot taken during the installation process:

Payload

The payload disables a large number of third-party applications and also some ROM
applications: the malware tries to overwrite the ROM files and replaces functional files
with non-functional ones.

Method of Infection in PC

Tested Platform: Windows XP SP2

Users should be aware of the *.exe files that this malware drops onto the media card. The
author is trying to get those *.exe files installed; they contain a malicious batch file
that tries to delete important system files on the C drive.

When the user executes the *.exe file, it triggers the batch file, and a command window
pops up claiming to be "CALVIN STINGER AntiVirus2.0".

If the user presses any key to continue, it deletes the important data files on the C drive,
causing the computer to fail to reboot next time.

After deleting those important data files, it shows a message

Prevention:

This malware requires that the user intentionally install it on the device. As always,
users should never install third-party applications from unknown sites.

Well, CalvinStinger has only been released once and does not have any updated version
yet. Users should be wary of downloading CalvinStinger from an unknown site, because it
might be a FAKE one or contain malicious code.

Users should be reminded that the ORIGINAL CalvinStinger for Symbian OS phones can ONLY
be safely downloaded at SF and SX.

McAfee anti-virus has added detection for this "kiddie stuff"; it is detected as
Bat/Kads.dr. The same goes for other anti-virus vendors too; please update your anti-virus
definitions to ensure you're protected from this malware, even though it is a grandpa-era
piece of malware.

How to uninstall:

McAfee VirusScan, TrendMicro Anti-Virus, Symantec Mobile Security and F-Secure
Anti-Virus should be able to detect it, provided your anti-virus software has the latest
definitions for this malware, which will be available in the next few days.

Commwarrior.D

Basically, this malware's malicious behaviour is just the same as the previous variant,
Commwarrior.B, except that it has been edited by someone; the main difference is that
when it spreads itself via MMS, the text messages are all in Spanish, such as:

/abcdefghijklmnopqrstuvwxyz01234567890_
A mi novia Less
AMD!!!Universidad de Madrid y Valencia.
Antena 3 y Telecinco...
application/vnd.symbian.install
application/vnd.symbian.install
Ayudanos contra la drogadiccion, colabora ACDV 1 Euro.
Cari!!
Carod eres un cabron, Capullo!. Politonos de Neng !!. Follatela!Mis Albumes
Carod Rovira HPuta!
Coleccion de mis fotoalbum fallas 2006!!!
Comela!
Conseguir eso.. Maldito Sea!
Descarga nuevos sonitonos aqui!
Diapositiva PowerPoint ensymbian.com
Dluxe!!
Felicidades!!!! Tienes una postal aki!
Feliz Cumple!!!
Fernando Alonso te envia una invitacion!Sr Arganda
Hay que pagar para respirar y mear
Llamame cuando veas
Manda tu curriculum a esta direcciony llamaran!
Mario y yo nos casamos en 2 meses!!.
Me he cambiado la direccion de email, esta
Me he cambiado..
Mi e-mail es este
Mi Exnovia!
Mi foto erotic@
Mierda Estatut!!
Morena
Movistar!
Mp3 Player para Nokia series 60. Instalalo yaa!
Nuevas Tiendas!
Nuevo Virus THX para los Nokia s60s. Instala
Orgullo Gay
Politono Popcorn anuncio renault clio
PoltiTonos paramoviles,descarga ya!
Problema de bateria en Nokia!
Quedamos a tomar algo?
Quieres Reirte
Se busca gente
Solo trabajemos 6 horas diarias .....!
Sonitonos Nokia
Todos vendemos. Gracias Carod!
Valencia,ciudad de Campeones. Viva el VCF!Solo Nokia.
Viva las fallas de Valencia, mascletas online
Vodafone y Amenase fusionan. Compra un Nokia.com
Vodafone, Informacion gratuita en MMS..... Informa

Should you have any problem regarding this malware, the current CalvinStinger should be
able to fix it.

SymbOS\Commwarrior.E

Description:

Commwarrior.E is a variant of the "Commwarrior" family. It claims to be a GPRS settings
utility, but in fact it is a malicious application that tries to fool the user into
proceeding with the installation, causing a malicious infection of the phone or the media
card.

This malicious application tries to replicate itself over the Bluetooth network and also
the MMS network. I spent one hour observing its replication method: in the first hour, it
replicated itself via Bluetooth at a rate of one malicious file per 5 minutes, causing the
phone battery to drain abnormally fast. Around midnight (12 a.m.), this malicious
application stops replicating via Bluetooth and replicates itself via MMS instead.

This spreading technique is quite effective, as it works in the "invisible background",
so normal users are not aware of it until they notice a high bill for MMS charges.

The main difference between this variant and the previous one is that it generates
different codes and replicates itself via another Bluetooth device. The image below is a
screenshot taken during installation on another phone whose user has authorised the
infected device to send the suspicious file.

Affected Platforms:

Tested on:

· Nokia 6680
· Nokia 3660

Affected:

· Nokia 6680
· Nokia 3660

Analysis/Observation:

This trojan is distributed as an application file and spreads as Commwarrior.E.SIS or
GprsSettings.SIS.

Symptoms:

When the user tries to install this suspicious *.SIS file, the image shown below is a
screenshot taken during the installation process:

Method of Infection

It replicates itself via the Bluetooth network and also the MMS network: it randomly picks
contact details from the user's phonebook and sends itself to the selected victim.

It has a unique feature, similar to Commwarrior.C: it protects itself even after the user
has deleted the malicious directory.

The text below shows the messages used by this malicious application to spread itself
via the MMS network:

Subject: Llamame cuando veas
Message: Problema de bateria en Nokia!

Subject: Mira!!
Message: Ole!!!Universidad de Madrid y Valencia.

Subject: Nuevas Tiendas!
Message: Hay que pagar para respirar y mear

Subject: Movistar!
Message: Fernando Alonso te envia una invitacion! Sr Gonzalo

Subject: Norton AntiVirus
Message: Instalacion paramoviles,instalar ya!

Subject: Paulina
Message: Nuevo Antivirus para los Nokia s60s. Instala

Subject: Quieres Reirte
Message: Todos vendemos.Gracias Maria!

Subject: Deejay
Message: Conseguir eso..Maldito Sea!

Subject: Amor Libre!
Message: Descarga nuevos sonitonos aqui!

Subject: AmorVirtual
Message: Mp3 Player paraNokia series 60. Instalalo yaa!

Subject: Mi tema erotico
Message: Coleccion de mis fotoalbum fallas 2006!!!

Subject: Quedamos a tomar algo?
Message: Viva las fallas de Valencia, mascletas online

Subject: Ayudanos mo
Message: vilforum,todo sobre movilesy demas......com

Subject: Me he cambiado..
Message: Me he cambiado la direccionde email, esta

Subject: HP-CITY
Message: Veroo eres un zorron, guarrita. Instalalo si eres tu. Instala!

Subject: Mis Albumes
Message: Maria! Traeme las bragas de tu madre!!!!! Solo Nokia.

Subject: Sonitonos Nokia
Message: Politono Popcorn anuncio renault clio

Subject: Telefonica Anuncia.
Message: Vodafone y Amenase fusionan. Compra un PpPpc.com

Subject: A mi novia XXXX
Message: Solo trabajemos 6 horas diarias .....!

Subject: Se busca gente
Message: Antena 3 y Telecincoven

Subject: Antena 3 y Telecinco...
Message: Diapositiva PowerPoint ensymbian.com

Subject: Mi e-mail es este
Message: Jorge y yo nos casamos en 2 meses!!.

Subject: Feliz Cumple!!!
Message: Felicidades!!!! Tienes una postal aki!

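As an added example (not part of the write-up), the following Python runs the kind of detection an operator or messaging gateway could apply to the MMS spreading described for Commwarrior.D/E: it flags messages that carry a Symbian installer attachment (the application/vnd.symbian.install MIME type found among the Commwarrior.D strings, or a *.sis file name), scores them higher when the subject is one of the Commwarrior.E lures listed here, and reports senders that push several such messages within a short window, which is how an infected handset behaves and a person does not. The log format, phone numbers, timings and the `parse_line`, `score` and `burst_senders` names are constructed for this example.

```python
"""MMS-gateway detection for Commwarrior-style SIS spreading (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

SIS_MIME = "application/vnd.symbian.install"   # seen in the Commwarrior.D strings

# Subjects quoted in the Commwarrior.E write-up, lower-cased for matching.
KNOWN_LURE_SUBJECTS = {s.lower() for s in [
    "Llamame cuando veas", "Mira!!", "Nuevas Tiendas!", "Movistar!", "Norton AntiVirus",
    "Paulina", "Quieres Reirte", "Deejay", "Amor Libre!", "AmorVirtual", "Mi tema erotico",
    "Quedamos a tomar algo?", "Me he cambiado..", "HP-CITY", "Mis Albumes",
    "Sonitonos Nokia", "Telefonica Anuncia.", "Se busca gente", "Mi e-mail es este",
    "Feliz Cumple!!!",
]}


@dataclass
class MmsRecord:
    ts: datetime
    sender: str
    subject: str
    attachment: str   # attachment file name, "" if none
    mime: str         # attachment MIME type, "" if none


def parse_line(line: str) -> MmsRecord:
    """Parse one constructed gateway line: 'ISO-time|sender|subject|attachment|mime'."""
    ts, sender, subject, attachment, mime = line.rstrip("\n").split("|", 4)
    return MmsRecord(datetime.fromisoformat(ts), sender, subject, attachment, mime)


def is_sis_attachment(rec: MmsRecord) -> bool:
    """Symbian installer by MIME type or by file extension (case-insensitive)."""
    return rec.mime.lower() == SIS_MIME or rec.attachment.lower().endswith((".sis", ".sisx"))


def score(rec: MmsRecord) -> int:
    """0 = no installer, 1 = installer attached, 2 = installer plus a known lure subject."""
    if not is_sis_attachment(rec):
        return 0
    return 2 if rec.subject.strip().lower() in KNOWN_LURE_SUBJECTS else 1


def burst_senders(records: List[MmsRecord], threshold: int = 3,
                  window: timedelta = timedelta(minutes=30)) -> Dict[str, int]:
    """Senders with at least `threshold` installer-carrying MMS inside any sliding
    `window`; the write-up reports one malicious file every few minutes."""
    times_by_sender: Dict[str, List[datetime]] = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.ts):
        if score(rec):
            times_by_sender[rec.sender].append(rec.ts)
    bursts: Dict[str, int] = {}
    for sender, times in times_by_sender.items():
        lo, best = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[sender] = best
    return bursts


# Constructed sample log: one handset spreading after midnight, two ordinary senders.
SAMPLE_LOG = """\
2006-05-10T00:02:10|+34600000001|Movistar!|GprsSettings.SIS|application/vnd.symbian.install
2006-05-10T00:07:41|+34600000001|Feliz Cumple!!!|Commwarrior.E.SIS|application/vnd.symbian.install
2006-05-10T00:12:05|+34600000001|Mi e-mail es este|GprsSettings.SIS|application/vnd.symbian.install
2006-05-10T00:15:30|+34600000002|Fotos de la fiesta|IMG_0012.jpg|image/jpeg
2006-05-10T00:20:00|+34600000003|Patch|update.sis|application/octet-stream
"""


def analyse(log: str) -> Dict[str, object]:
    """Return flagged messages (sender, subject, score) and bursting senders."""
    records = [parse_line(l) for l in log.splitlines() if l.strip()]
    flagged = [(r.sender, r.subject, score(r)) for r in records if score(r)]
    return {"flagged": flagged, "bursts": burst_senders(records)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```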

Prevention:

This malware requires that the user intentionally install it on the device. As always,
users should never install third-party applications from unknown sites.

How to uninstall:

CalvinStinger v1.2 will be able to remove this malware; it will be available soon at
SymbianX.

SymbOS\Multidropper.AS[McAfee]

Other aliases: SymbOS\CardTrap.AB[F-SECURE]

Description:

A new Multidropper variant has been found again today! It claims to be a Symantec
Anti-Virus product, but in fact it is a malicious application that tries to fool the user
into proceeding with the installation, causing a malicious infection on both the phone and
the computer.

This malicious application contains the Skulls trojan and a new W32 malware that, when
the user launches it, performs a malicious act and harms the computer. Also, McAfee
generic detection has shown that a suspicious ZIP file, which might be a W32/Mytob@MM
variant, is bundled with this malicious application.

However, the W32 malware can only activate if the user launches it. This happens when
the user reads the media card or synchronizes with the computer and accidentally
launches the malicious file.

The author has designed various "colourful" icons, using the Symantec Anti-Virus logo and
the Google icon, to fool users into launching them.

Affected Platforms:

Tested on:

· Nokia 6680
· Nokia 3660

Affected:

· Nokia 6680
· Nokia 3660

Analysis/Observation:

This trojan is distributed as an application file and spreads as Symantec Response
Team.SIS.

Symptoms:

When the user tries to install this suspicious *.SIS file, the image shown below is a
screenshot taken during the installation process:

This malware shows a fake message containing the Symantec official website address and
tries to fool the user into restarting the phone, which then activates the Skulls trojan
attack!

This malware also contains the image shown below:

Prevention:

This malware requires that the user intentionally install it on the device. As always,
users should never install third-party applications from unknown sites.

How to uninstall:

McAfee VirusScan, TrendMicro Anti-Virus, Symantec Mobile Security and F-Secure
Anti-Virus should be able to detect it, provided your anti-virus software has the latest
definitions (both computer and phone) for this malware, which will be available in the
next few days.

Da Vinci virus hits mobile phones!


It’s been confirmed — The Da Vinci Code is bad for you. The virus, that is. A computer
bug bearing the controversial film’s name has affected dozens of mobile phones and
laptops in the city.

The virus, which spreads via wireless Bluetooth technology, causes a message to pop up
on Bluetooth devices: ‘Receive message via Bluetooth from Da Vinci Code?’ Once a
curious mobile phone user accepts the message, the virus enters the system and destroys
the phone’s data.

A picture depicting an eye and a cross appears on the desktop and phone’s gallery.

System crash

Mridul Sharma (32), an operations manager at an event management firm, received the
virus during a corporate presentation a few days ago. “The Da Vinci Code name actually
excited me. I assumed the file was either an MMS clipping or a still and accepted it.

My entire system collapsed and data was deleted. I had just bought my Nokia N91
handset worth Rs 31,000 and had to pay Rs 1,500 to format my mobile hard disk and
reload the software,” said Sharma.

Common virus

“I received the virus on my laptop and phone. Apparently my Bluetooth device was
active. The technician who repaired my phone told me this was a common virus, which
had simply been renamed The Da Vinci Code to attract the users,” said 35-year-old
Sanjay Menon.

Abhishek Datta, a software expert, said, “Once a phone is affected, formatting is the only
option. You cannot retrieve your data.”

Conclusion

In conclusion, it might be a modified Caribe or Commwarrior repackaged with corrupted
binaries to prevent the phone from starting up.

It seems that "Da Vinci Code" really is a good name for mobile viruses right now, as this
movie is quite prestigious in "Cinema Heat"!

Will we have "Mutant-X", "Mission Impossible 3" etc. as mobile phone viruses in the
future? Let's see how creative those nasty creators are then!

Recommendations

1. An anti-virus with REAL TIME PROTECTION will provide you with tight security.

2. Set your Bluetooth visibility to "Hidden" or "Invisible" mode, or just switch Bluetooth
off if it is not needed.

3. Never install an unknown file or proceed through its installation steps.

4. Back up your data from time to time, just in case...

5. Beware of any MMS that comes with a *.SIS file attachment. Delete it if it looks
suspicious.

SymbOS\Splashstall

Description:

SymbOS\Splashstall is the latest mobile trojan; it prevents S60 devices from booting up.
For an innocent user who proceeds through the installation steps by agreeing to and passing
the security check, the phone is infected straight away: it starts to reboot itself and is
then permanently unable to boot to the startup menu.

The most interesting part, which caught my attention, is that while the phone reboots
after being infected by this malware, a scary and funny "hahaha" sound is played. One
might get a shock installing this application at night!

Affected Platforms:

Tested on:

- Nokia 6680
- Nokia 3660

Affected:

- Nokia 6680
- Nokia 3660

Analysis/Observation:

This trojan was distributed in an application file and it is spreading as Nokia Theme.SIS.

Symptoms:

When the user tries to install this suspicious *.SIS file, the image shown below is a
screenshot taken during the installation process:

Method of Infection

This malware replaces the startup system binaries with corrupted ones. As a result, the
phone is permanently unable to boot up and displays the message "Phone Startup-failed,
Contact your retailer!".

This malware also drops a sound file into the phone system; when the trojan executes, the
sound file is played. I assume that this sound file is meant to mock those innocent users
who get tricked by this trojan and whose phones can no longer boot to normal startup
mode.

Prevention:

This suspicious Symbian application needs user intervention to be installed on target
devices. Upon execution, it prompts the user to install the application on the phone. It
also prompts the user to select where the application is to be installed. As always, users
should never install third-party applications from unknown sites.

How to uninstall:

There is no known method to fix this trojan except hard-formatting the infected device.
All data will be lost upon formatting.
For Symbian OS v6.1 devices such as the Nokia 3650/3660/N-Gage/QD and Siemens SX-1,
there is no known method to fix it except flashing the firmware.

Commwarrior.Q a.k.a "Matrix Commwarrior"

When the Commwarrior.Q SIS file is installed, it drops its executable with a random
name, for example 5k8jb1fo.exe, either into C:\ or into a directory that has a random
name such as C:\uqxo5dh7xtyc5.

Installation
When the Commwarrior.Q executable is executed it will copy itself to
C:\System\Libs\cw.exe and will create a bootstrap file to C:\system\Recogs\cw3rec.mdl.
If a memory card is present then the same files are created also to the memory card.

Replacing operator logo

Commwarrior.Q creates a bitmap file with the name used by the current operator in
C:\system\Apps\Phone\oplogo\
This bitmap file is then shown instead of the operator logo when the phone is on the
network.

Generating SIS installation packages to send to other devices

Commwarrior.Q replicates in SIS installation packages over Bluetooth and MMS in the same
manner as previous variants.
SIS files created by Commwarrior.Q have a random name, for example anyrah5y.sis or
xyr88b0muh7.sis.
A Commwarrior.Q SIS file contains the worm's main executable, which has a random name and
is located either in C:\ or in a randomly named directory.
SIS files created by Commwarrior.Q have a random size between 32100 and 32200 bytes.

Unlike previous variants of Commwarrior, Commwarrior.Q does not use a static product
name shown during installation. Previous variants always showed the same name, which
made them easy to identify. Commwarrior.Q instead contains an internal list of strings
that is used to generate random but plausible-looking filenames.

The filenames are composed of three component string arrays that are stored in the main
binary in obfuscated form.
The string arrays are:

smart,nokia,symbian,nice,fatal,cool,c00l,virtual,final,safe,
abstract,static,zend,jedi,trend,micro,mega,hard,nice,good,lost

www,web,wap,e-mail,mail,game,graphics,java,hood,sex,max,
audio,memory,RAM,ROM,HDD,WinAmp,jedi,hardware,display,keyboard,key

antivirus,anti-virus,guard,fucker,hacker,cracker,checker,driver,manager,uninstaller,
remover,engine,tool,machine,box,stuff,videoplayer,player,trust,ringtone,
explorer,timer,game,AppMan,recorder,dictaphone,team,images,calculator,objects,
documents,clips,docs
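The three word lists and the 32100-32200 byte size range are the two static indicators the description gives for Commwarrior.Q packages. The following Python snippet, added here as an example and not code from the original write-up or from any anti-virus vendor, turns them into a simple triage check for a SIS file's displayed product name and size. The page does not say how the three components are joined, so the matcher assumes one word from each list in list order, concatenated directly or separated by a single space, underscore or hyphen; that assumption and the thresholds are the example's own.

```python
import re

# Component word lists as given in the Commwarrior.Q description above
# (spaces that extraction inserted inside words such as "f inal" are removed).
COMPONENTS = (
    ("smart", "nokia", "symbian", "nice", "fatal", "cool", "c00l", "virtual", "final",
     "safe", "abstract", "static", "zend", "jedi", "trend", "micro", "mega", "hard",
     "good", "lost"),
    ("www", "web", "wap", "e-mail", "mail", "game", "graphics", "java", "hood", "sex",
     "max", "audio", "memory", "RAM", "ROM", "HDD", "WinAmp", "jedi", "hardware",
     "display", "keyboard", "key"),
    ("antivirus", "anti-virus", "guard", "fucker", "hacker", "cracker", "checker",
     "driver", "manager", "uninstaller", "remover", "engine", "tool", "machine", "box",
     "stuff", "videoplayer", "player", "trust", "ringtone", "explorer", "timer", "game",
     "AppMan", "recorder", "dictaphone", "team", "images", "calculator", "objects",
     "documents", "clips", "docs"),
)

# Size range of the generated SIS files, as stated in the description (inclusive).
SIS_SIZE_RANGE = (32100, 32200)


def _alternation(words):
    # Longest words first so that e.g. "anti-virus" is tried before "antivirus".
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))


# Assumption (not stated on the page): one word from each list, in list order,
# joined directly or by a single space, underscore or hyphen.
_NAME_RE = re.compile(
    r"^(?P<a>%s)[ _-]?(?P<b>%s)[ _-]?(?P<c>%s)$"
    % tuple(_alternation(ws) for ws in COMPONENTS),
    re.IGNORECASE,
)


def split_product_name(name):
    """Return the (a, b, c) word triple if `name` is built from the three lists, else None."""
    m = _NAME_RE.match(name.strip())
    return (m.group("a"), m.group("b"), m.group("c")) if m else None


def suspicious_sis_reasons(product_name, size_bytes):
    """Collect the indicators from the description that a SIS package matches."""
    reasons = []
    if split_product_name(product_name) is not None:
        reasons.append("product name assembled from Commwarrior.Q word lists")
    if SIS_SIZE_RANGE[0] <= size_bytes <= SIS_SIZE_RANGE[1]:
        reasons.append("file size within %d-%d bytes" % SIS_SIZE_RANGE)
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: one plausible worm package, one legitimate-looking name.
    for name, size in (("Nokia Web Guard", 32150), ("Norton Antivirus 2004", 48000)):
        print(name, size, suspicious_sis_reasons(name, size))
```

Both indicators are weak on their own (a genuine "Nokia Web Guard" could exist, and many small packages fall in that size band), so the function returns the list of matching reasons rather than a verdict; a scanner would combine it with the random-name and autostart properties described in the following sections.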

Replication over Bluetooth

Commwarrior.Q replicates over Bluetooth in SIS files that have a random name, for
example anyrah5y.sis or xyr88b0muh7.sis.
The SIS file contains the worm's main executable, which has a random name and is located
either in C:\ or in a randomly named directory.

The SIS file contains autostart settings that automatically execute Commwarrior.Q after
the SIS file is installed.

When the Commwarrior worm is activated it starts looking for other Bluetooth devices and
sends a copy of itself to each of these phones, targeting several phones in one attempt.

If a target phone goes out of range or rejects the file transfer, Commwarrior searches for
another phone.

The replication mechanism of Commwarrior differs from Cabir's. The Cabir worm locks
onto one phone for as long as it is in range and, depending on the variant, either looks
for another target after losing contact or stays locked.

The Commwarrior worm constantly looks for new targets, so it is able to contact all
phones in range.

Replication over MMS

Commwarrior.Q uses three strategies for spreading over MMS messages.

First, when Commwarrior.Q starts, it goes through the phone's address book and sends
MMS messages to phone numbers that are marked as mobile phones.

Second, Commwarrior.Q listens for any arriving MMS or SMS messages and replies to those
messages with an MMS message containing the Commwarrior.Q SIS file.

Third, the worm also listens for any SMS messages being sent by the user and sends an MMS
message to the same number right after the SMS message.

The texts in MMS messages sent by Commwarrior.Q contain texts that are stored in the
phone Messaging Inbox, thus the messages that Commwarrior.Q sends are texts that the
receiving user might expect from the sender.
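Each of the three strategies leaves a distinctive trace in a phone's (or an operator's) messaging log: a burst of SIS-bearing MMS to many distinct numbers, an outbound MMS shortly after every inbound message, and an outbound MMS trailing the user's own SMS. The following Python snippet, an added example rather than anything from the original description or an anti-virus product, runs those three behavioural checks over a constructed log. The log format, the 60-second window and the five-recipient burst threshold are the example's own assumptions.

```python
from collections import namedtuple

# One entry of a (constructed) phone messaging log: seconds since start, "in"/"out",
# "sms"/"mms", the peer number, and whether a .sis attachment was present.
Msg = namedtuple("Msg", "ts direction kind number sis")

# Constructed sample log exercising the three strategies in the description.
SAMPLE_LOG = [
    Msg(0,   "in",  "sms", "+40700000001", False),  # incoming SMS
    Msg(12,  "out", "mms", "+40700000001", True),   # worm answers with SIS-bearing MMS
    Msg(100, "out", "sms", "+40700000002", False),  # user sends an SMS
    Msg(103, "out", "mms", "+40700000002", True),   # worm sends an MMS right behind it
    Msg(200, "out", "mms", "+40700000003", True),   # address-book sweep starts...
    Msg(205, "out", "mms", "+40700000004", True),
    Msg(210, "out", "mms", "+40700000005", True),
    Msg(215, "out", "mms", "+40700000006", True),
    Msg(220, "out", "mms", "+40700000007", True),
    Msg(900, "out", "mms", "+40700000001", False),  # ordinary MMS, no attachment
]


def _last_contact_before(log, msg, window):
    """Most recent other message exchanged with msg.number within `window` seconds before msg."""
    earlier = [p for p in log
               if p is not msg and p.number == msg.number and 0 <= msg.ts - p.ts <= window]
    return max(earlier, key=lambda p: p.ts) if earlier else None


def detect_commwarrior_mms(log, window=60, burst_threshold=5):
    """Return (rule, timestamp, detail) tuples for outbound SIS-bearing MMS traffic that
    matches one of the three spreading strategies. Window and threshold are assumptions."""
    log = sorted(log, key=lambda m: m.ts)
    carriers = [m for m in log if m.direction == "out" and m.kind == "mms" and m.sis]
    findings = []

    # Strategy 1: sweeping the address book shows up as a burst to many distinct numbers.
    for m in carriers:
        recipients = {x.number for x in carriers if m.ts <= x.ts <= m.ts + window}
        if len(recipients) >= burst_threshold:
            findings.append(("address-book sweep", m.ts, len(recipients)))
            break

    # Strategies 2 and 3: the carrier MMS closely follows a message with the same peer.
    for m in carriers:
        prev = _last_contact_before(log, m, window)
        if prev is None:
            continue
        if prev.direction == "in":
            findings.append(("auto-reply to incoming message", m.ts, m.number))
        elif prev.kind == "sms":
            findings.append(("mms tailing outbound sms", m.ts, m.number))
    return findings


if __name__ == "__main__":
    for finding in detect_commwarrior_mms(SAMPLE_LOG):
        print(finding)
```

Because the worm reuses texts from the Inbox, message content is useless as a discriminator; timing and the presence of a SIS attachment are what these rules key on, which is also why the ordinary attachment-free MMS at the end of the sample produces no finding.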

Displaying HTML Page

After Commwarrior.Q has infected the phone it will, after a random delay, create an
HTML page that it displays to the user using the phone's default browser. The HTML page
is created at C:\system\Libs\cwinfo.html

Replication to MMC Card

Commwarrior.Q "listens" for any MMC cards to be inserted into the infected phone, and
copies itself to the inserted card. The infected card contains both the Commwarrior
executable and the bootstrap component, so that if the infected card is inserted into
another phone it will also be infected.

Replication by infecting other SIS files

Commwarrior.Q searches the device's C: drive and memory cards for SIS installation files
and infects all SIS files that it finds. The infected SIS files are wrapped by
Commwarrior.Q so that if the user installs the infected SIS file, Commwarrior.Q is
installed first, followed by the original application.

An infected SIS file retains the original product name, so the user will not notice that
the SIS package is infected with Commwarrior.Q when installing it.

Removal Steps:

Kill Commwarrior Process

1. Install a third-party file manager, for example FExplorer
2. Start FExplorer
3. Select and copy any file to the clipboard
* Navigate the file system with the navigation button. Press right to enter a directory,
left to leave a directory.
* Select C: and press right, select system and press right
* Select any file from c:\system such as backup.xml
* Select Edit/Copy from the menu
4. Copy the file to E:\system\temp
* Press left until you are at the filesystem selection screen
* Select E: and press right
* Select System and press right, and then temp and press right
* Select Edit/Paste from the menu
5. Rename the file to noboot
* Select File/Rename from the menu
* Rename the copied file to noboot
6. Reboot the phone

Install F-Secure Mobile Anti-Virus to finish cleaning up your phone

Download the file and select open after download
Install F-Secure Mobile Anti-Virus
Go to the Applications menu and start Anti-Virus
Activate Anti-Virus and scan all files
