Virus

SymbOS/Skulls.C!tr

Analysis

SymbOS/Skulls.C!tr - 06-08-06


Installation to System:

  • Drops the following files:
    C:\System\RECOGS\YYSBootRec.mdl
    C:\System\RECOGS\$$$.MDL
    C:\System\MALAYSIAJOHOR--jb\yuanV3-diy-by-7022207\free$8.APP
    C:\System\MALAYSIAJOHOR--jb\yuanV3-diy-by-7022207\free$8.SIS

More Info:

1. It is a Symbian virus, packed in .sis format.

2. Poses as a SIS package of FSCaller to trick the user into installing it.

3. Drops the following files to disable the relevant applications on the phone:

     !:\System\Apps\anti-virus\anti-virus.app
     !:\System\Apps\bootdata\bootdata.app
     !:\System\Apps\bootdata\bootdata_caption.rsc
     !:\System\Apps\data\data.app
     !:\System\Apps\data\data_caption.rsc
     !:\System\Apps\efileman\efileman.app
     !:\System\Apps\fexplorer\fexplorer.app
     !:\System\Apps\file\file.app
     !:\System\Apps\freakappctrl\freakappctrl.app
     !:\System\Apps\freakbtui\freakbtui.app
     !:\System\Apps\fscaller\camera0.dll
     !:\System\Apps\fscaller\camera1.dll
     !:\System\Apps\fscaller\cameraserver.dll
     !:\System\Apps\fscaller\fscaller.aif
     !:\System\Apps\fscaller\fscaller.app
     !:\System\Apps\fscaller\fscaller.mbm
     !:\System\Apps\fscaller\fscaller.rsc
     !:\System\Apps\fscaller\fscaller_caption.rsc
     !:\System\Apps\fscaller\pixel.mbm
     !:\System\Apps\nokiaApps\nokiaApps.app
     !:\System\Apps\nokiaApps\nokiaApps_caption.rsc
     !:\System\Apps\nokiafile\data.cfg
     !:\System\Apps\nokiafile\img.mbm
     !:\System\Apps\nokiafile\nokiafile.aif
     !:\System\Apps\nokiafile\nokiafile.app
     !:\System\Apps\nokiafile\nokiafile.rsc
     !:\System\Apps\nokiafile\nokiafile_caption.rsc
     !:\System\Apps\pjblue\pjblue.aif
     !:\System\Apps\pjblue\pjblue.app
     !:\System\Apps\pjblue\pjblue_caption.rsc
     !:\System\Apps\smartfileman\smartfileman.app
     !:\System\Apps\smartmovie\smartmovie.app
     !:\System\Apps\Systemexplorer\Systemexplorer.app

4. Attempts to send the virus file free$8.SIS to other mobile phones via Bluetooth.

5. Drops an animated GIF of a skull that is displayed once the device is rebooted. The image flashes and contains the text "WARNING!!! Device Have Been Attact By Virus A,Tee ,yuan ,Blue".