Virus

SymbOS/Skulls.E

Analysis

  • It is a Symbian virus, packed in .sis format.
  • Displays the following message prompting the user to install:
    • Install Mariya?
  • Drops the following non-functioning files, which disable the corresponding applications on the phone:
    • C:\System\Apps\Appctrl\Appctrl.aif
    • C:\System\Apps\Appctrl\Appctrl.app
    • C:\System\Apps\BtUi\BtUi.aif
    • C:\System\Apps\BtUi\BtUi.app
    • C:\System\Apps\efileman\efileman.aif
    • C:\System\Apps\efileman\efileman.app
    • C:\System\Apps\FExplorer\FExplorer.aif
    • C:\System\Apps\FExplorer\FExplorer.app
    • C:\System\Apps\File\File.aif
    • C:\System\Apps\File\File.app
    • C:\System\Apps\FileManager\FileManager.aif
    • C:\System\Apps\FileManager\FileManager.app
    • C:\System\Apps\FileView\FileView.aif
    • C:\System\Apps\FileView\FileView.app
    • C:\System\Apps\MediaGallery\MediaGallery.aif
    • C:\System\Apps\MediaGallery\MediaGallery.app
    • C:\System\Apps\mmcapp\mmcapp.aif
    • C:\System\Apps\mmcapp\mmcapp.app
    • C:\System\Apps\Phone\Phone.aif
    • C:\System\Apps\Phone\Phone.app
    • C:\System\Apps\Phonebook\Phonebook.aif
    • C:\System\Apps\Phonebook\Phonebook.app
    • C:\System\Apps\ProfileApp\ProfileApp.aif
    • C:\System\Apps\ProfileApp\profileapp.app
    • C:\System\Apps\SmartFileMan\SmartFileMan.aif
    • C:\System\Apps\SmartFileMan\SmartFileMan.app
    • C:\System\Apps\Startup\Startup.aif
    • C:\System\Apps\Startup\Startup.app
    • C:\System\Apps\SystemExplorer\SystemExplorer.aif
    • C:\System\Apps\SystemExplorer\SystemExplorer.app
    • C:\System\Apps\ThNdRbRd\ThNdRbRd.aif
    • C:\System\Apps\ThNdRbRd\ThNdRbRd.app
    • C:\System\Apps\Voicerecorder\Voicerecorder.aif
    • C:\System\Apps\Voicerecorder\Voicerecorder.app
  • Drops the following files:
    • C:\System\Apps\Mariya\Mariya.APP (Fortinet detects it as SymbOS/Cabir.A!worm)
    • C:\System\Apps\Mariya\Mariya.RSC
    • C:\System\Apps\Mariya\Naw.MDL (Fortinet detects it as SymbOS/Cabir_ezboot.V)
    • C:\System\data\Backgroundimage.mbm
    • C:\System\Nawrasxsecuredata\NawraSSECURITYMANAGER\Mariya.SIS (Fortinet detects it as SymbOS/Cabir.D!worm)
    • C:\System\Nawrasxsecuredata\NawraSSECURITYMANAGER\Mariya.APP (Fortinet detects it as SymbOS/Cabir.A!worm)
    • C:\System\Nawrasxsecuredata\NawraSSECURITYMANAGER\Mariya.RSC
    • C:\System\Recogs\Naw.MDL
  • Attempts to send the virus file Mariya.SIS to other mobile phones via Bluetooth.

Recommended Action

  • Delete all modules and binary files associated with this threat. Replace affected applications with backup copies.