+ Three new Symbian trojans in one day!!

[Apocalypso]

Today F-Secure found three new Symbian trojans.
Drever.B, Drever.C and Skulls.F

The Drever.B is a simplified version of Drever.A that attacks only Simworks Anti-Virus, it is likely that Drever.B is actually earlier case than Drever.A, but was found only later. The Skulls.F is still under analysis, it is detected with generic detection from December 15th 2004, so it's a minor case. The Drever.C is interesting case as in addition of attacking Kaspersky and Simworks Symbian Anti-Viruses, it also attacks F-Secure Mobile Anti-Virus.
Drever.C tries to damage the bootloader and application binaries of F-Secure Mobile Anti-Virus. However, the F-Secure Mobile Anti-Virus has protection against any attempts to modify it's files so the attack will not succeed. If Drever.C SIS file is installed into Symbian device with F-Secure Mobile Anti-Virus running in Real-Time scan mode, as it is by default. The installation will terminate when the system installer tries to replace Anti-Virus files.The hexedited files that Drever.C tries to use to damage F-Secure Mobile Anti-Virus, contain message intended to F-Secure.

FSECURE MUST DIE!!!!!!
Please, don't make new antiviruses for my viruses and I stop make
viruses for your antiviruses. My target is Simworks!

NAME: Skulls.F
ALIAS: SymbOS/Skulls.F

Summary
Skulls.F is an edited version of Skulls.D SIS file trojan, it contains several variants of Cabir worm, and several copies of Locknut.B trojan.
Skulls.F is still under analysis, detailed information will be provided in near future.
Spreading in Simworks.SIS
Payload Replaces built in and third party applications with non-functional ones, installs Cabir worm variants, Locknut.B trojan and starts animation that shows flashing skull picture.
Detection
Generic detection that detects Skulls.F was published for F-Secure Mobile Anti-Virus on December 13th, 2004 in database build number 15.

NAME: Drever.B
ALIAS: SymbOS/Drever.B

Summary
Drever.B is a malicious SIS file trojan that disables the automatic startup from Simworks Symbian Anti-Virus software.
Drever.B does not affect F-Secure Mobile Anti-Virus.

Disinfection
Drever.B can be disinfected easily by using F-Secure Mobile Anti-Virus available from

Code: Select all

http://www.f-secure.com/estore/avmobile.shtml

Or you can uninstall it by uninstalling the SIS file in which Drever.C was installed from using application manager
1. Open the application manager
2. Uninstall Simworks_update.sis
3. Re-install your Anti-Virus

Spreading in Simworks_update.sis
Payload Drever.B drops non-functional copy of the bootloader used by Simworks Symbian Anti-Virus. This non-functional copy overwrites the original file, causing target software not to load automatically when the phone boots.

NAME: Drever.C
ALIAS: SymbOS/Drever.C
Summary
Drever.C is a malicious SIS file trojan that attacks bootloader files of several mobile Anti-Virus programs, and tries to attack F-Secure Mobile Anti-Virus by overwriting its files.
The Drever.C attacks bootloader files of Kaspersky, Simworks and F-Secure Symbian Anti-Virus products.
In addition of trying to overwrite the bootloaders, the Drever.C will also try to cripple F-Secure Mobile Anti-Virus by replacing it's binaries with corrupted ones.
However as F-Secure Mobile Anti-Virus contains protection against any modification attempts of its own files, both attacks will fail when Anti-Virus is in realtime scan mode as it is by default.
If the F-Secure Mobile Anti-Virus is switched off, or in manual scan mode, which is basically same as switched off. The attack will damage Anti-Virus, but user can recover easily by re-installing Anti-Virus.

Disinfection
Drever.C can be disinfected easily by using F-Secure Mobile Anti-Virus available from

Code: Select all

http://www.f-secure.com/estore/avmobile.shtml

Or you can uninstall it by uninstalling the SIS file in which Drever.C was installed from using application manager
1. Open the application manager
2. Uninstall New_bases_and_crack_for_antiviruses.sis
3. Re-install your Anti-Virus

Detailed Description

Payload

When Drever SIS file is installed to the system it try to replace the bootloader files used by Kaspersky, Simworks and F-Secure Symbian Anti-Virus products with corrupted versions. In addition of bootloader files the Drever.C will also install corrupted binaries or F-Secure Mobile Anti-Virus and corrupted licence file of Simworks Anti-Virus.

If the device has F-Secure Mobile Anti-Virus with updated databases, the Drever.C will be detected before it can be installed. If the device does not have up to date databases, the install will still fail as attempt to overwrite F-Secure Anti-Virus files will crash the application installer, thus terminating the installation of Drever.C

The files are corrupted by manually editing them and writing text '123' into random locations in the files.

Some of the edited files contain strings intended as messages to AV vendors:

FSECURE MUST DIE!!!!!!
Please, don't make new antiviruses for my viruses and I stop make
viruses for your antiviruses. My target is Simworks!
=)

Spreading in New_bases_and_crack_for_antiviruses.sis

[mirkocrocop]

I must say i HATE viruses and antiviruses!

[X-7610-X]

Where Dawnlod

[divine]

is norton security beta able to detect them ?

[Alien™]

I never liked Norton antivirus software so it won't go in my N6600.
As the viruses starting to spread I could use good AV soft. It's a shame that mobile market isn't interesting for Eset cause my PC choice is NOD and probably would be on my N6600 if only it exists
Regards

[Cykke]

Viruses are not "in the wild", so don't bother trying to find them

Norton is crap. SimWorks has complete virus database, and F-Secure is right behind him (but it misses a few versions).
Kaspersky is also nice, but it doesn't have complete database

[divine]

thanks for the tip cykke.

[Cykke]

thanks for the tip cykke.

No problem

[Double-G]

Why you guys say norton is crap? It's a beta, your not supposed to use it unless you want to test it. A beta version is not ment to be perfect. Try it when it is out of beta, if it is still crap then you can post your comments. And, give a reason with your comments, if i read comments like "norton is crap" i supose it's just fanboy fanatism.

Cheers

[Cykke]

Norton is has very bad scanning engine and it wrongly recognizes malware.
If that is the case with most imortant PC version, than I can imagine what will be in S60 version