Description:

This type of mobile virus is very interesting that it'll steal user phonebook data and then it will compile it into a text file and sent it through
bluetooth without user confirmation.

So far, this is the first Symbian Virus that I've seen that it will steal user data without
user confirmation and sent thorogh other bluetooth supported devices.





Analysis/Observation:

This trojan was distributed in an application file and it is spreading in pbexplorer.SIS.

Symtomps:

When user try to install this suspicious *.SIS file, the image shown below is screenshoot taken during installation process:

http://img369.imageshack.us/img369/9507/8f209da05hb.jpg

After installation complete, the application has set to run automatically and will display the following text:

________________
| Phone Book |
| Compacting |
| by: lajel 202u |
| |
| please wait... |
|________________|

________________________
| Compacting |
| your contact(s),step 2 |
| |
| Please wait again |
| until done... |
|________________________|

After the malicious process done, it will pop out a message:

"Done!!!"

If user press [OK] the malicious program will ended itself and after some times,
it will start searching for bluetooth devices and sent all phonebook information in
text file via bluetooth.


Prevention:

This malware requires that the user intentionally install them upon the device. As always, users should never install third party application from unknown site.
SYMBIAN TROJAN--Mabtal.A....
Profimail v2.75_FULL.SIS/SymbOS Mabtal.A is a SIS file malware that pretends to be a cracked version of Profimail which is a very popular E-Mailing third party application in Symbian Platform, in fact, it is a malware which drops Mabir.A, Caribe and Fontal variants into the phone system, besides, it also drops some corrupted binaries file which causing the phone auto-restart and showing fatal error message. Next the phone will fail to boot-up permanently.


Positive analysis results:

While tested using the above handsets, both platform was affected. When user tries to install the suspicious file into his phone, it will look like the below image:

user posted image

While installing the suspicious file, it will show a message as shown below:
http://img268.imageshack.us/img268/2144/317e79031ih.th.jpg


This suspicious file automatically installed all files into the phone memory. Cabir virus will start spreading via bluetooth and keeps listening if any incoming message arrives in the phone, when any SMS/MMS message arrives in the phone, mabir.A virus will immediately sent itself out via MMS for spreading purpose.

When user tries to access the Profimail and ProfiExplorer third party application, it may display an error message as shown below:
http://img268.imageshack.us/img268/7508/76ff985d6zw.th.jpg

After it has successfully restart, due to the corrupted fonts, the device can't boot up permanently.

By using the hash-number-matching method, the following files was proved to be a malware files while analyzing work is in progress:

11x12 euro_fonts.gdr detected as SymbOS.Fontal.A
CARIBE0.APP detected as SymbOS.Mabir.A
CARIBE0.RSC detected as SymbOS.Cabir
flo0.mdl detected as SymbOS.Mabir.A
flo.mdl detected as SymbOS.Mabir.A
caribe.app detected as SymbOS.Mabir.A
caribe.rsc detected as SymbOS.Cabir
Appinst.app detected as SymbOS.Cabir.U2
Appinst.aif detected as SymbOS.Cabir.U2


This malware doesn't come with any valid digital certificate but it can replicate itself via bluetooth or MMS(Mabir.A) and it will cause severe damage to Symbian OS 6.1 handsets!


SplinterCell-ChaosTheory_S60_cracked-XiMPDA.SIS OR SymbOS/Skudoo.A..


This is a Series 60 trojan that installs skulls trojan, MGdropper, Commwarrior, Doomboot.A and cabir into the targeted device. When this trojan executed, most of application in the phone being replaced by a non-functional or corrupted files by the trojan into the phone, causing application can't run as usual. It fails to attack NOKIA 6680 while the phone has been restarted. Anyway, McAfee AVERT mentioned that this trojan will cause the phone fail to reboot on the next restart by the user.

It is also the first mobie trojan in the world which capable propagates MGDropper virus and Commwarrior virus vice-versa.

It contains also the image as shown below while I have extracted the *.SIS file:
http://i21.photobucket.com/albums/b261/McAfee88/aa.gif

Some of the blank icon that the trojan drops actually is coded to auto restart the phone, when the phone has been restarted, the menu function of the phone can't no longer be function and thus this totally lock the whole phone.

When user tries to installs the trojan into the phone, the symptoms are as shown below:
http://i21.photobucket.com/albums/b261/McAfee88/P1010045.jpg

While installing the suspicious file into the phone, it will pop up a message as shown below:
http://i21.photobucket.com/albums/b261/McAfee88/ccb3703e.jpg