Virus

SymbOS/Skulls.A!tr

Analysis

This Symbian trojan destroys a large list of S60 applications and replaces their menu icons with skulls.

During installation it poses as an anti-virus product; Symbian OS warns that we are about to install a non-secured application, and if we choose to continue, the trojan infects the system.

This version poses as an anti-virus product for SymbianOS devices

The infection scheme is basic but effective: the package overwrites the original .app files with its own dropped files. This means the .sis file itself is the malicious component, not the individual dropped files.

The destroyed applications range from SMS tools to MP3 playback to calendars:

- C:\System\Apps\WALLETAVOTA\WALLETAVOTA.app
- C:\System\Apps\WALLETAVOTA\WALLETAVOTA.aif
- C:\System\Apps\WALLETAVMGMT\WALLETAVMGMT.app
- C:\System\Apps\WALLETAVMGMT\WALLETAVMGMT.aif
- C:\System\Apps\Voicerecorder\Voicerecorder.app
- C:\System\Apps\Voicerecorder\Voicerecorder.aif
- C:\System\Apps\Vm\Vm.app
- C:\System\Apps\Vm\Vm.aif
- C:\System\Apps\VCommand\VCommand.app
- C:\System\Apps\VCommand\VCommand.aif
- C:\System\Apps\Ussd\Ussd.app
- C:\System\Apps\Ussd\Ussd.aif
- C:\System\Apps\ToDo\ToDo.app
- C:\System\Apps\ToDo\ToDo.aif
- C:\System\Apps\Tee222\Tee222_CAPTION.rsC
- C:\System\Apps\Tee222\Tee222.rsc
- C:\System\Apps\Tee222\Tee222.app
- C:\System\Apps\Tee222\Tee222.aif
- C:\System\Apps\Tee222\222.mdl
- C:\System\Apps\SystemExplorer\SystemExplorer.app
- C:\System\Apps\SystemExplorer\SystemExplorer.aif
- C:\System\Apps\SysAp\SysAp.app
- C:\System\Apps\SysAp\SysAp.aif
- C:\System\Apps\Startup\Startup.app
- C:\System\Apps\Startup\Startup.aif
- C:\System\Apps\Speeddial\Speeddial.app
- C:\System\Apps\Speeddial\Speeddial.aif
- C:\System\Apps\SmsViewer\SmsViewer.app
- C:\System\Apps\SmsViewer\SmsViewer.aif
- C:\System\Apps\SmsEditor\SmsEditor.app
- C:\System\Apps\SmsEditor\SmsEditor.aif
- C:\System\Apps\SmartFileMan\SmartFileMan.app
- C:\System\Apps\SmartFileMan\SmartFileMan.aif
- C:\System\Apps\SimDirectory\SimDirectory.app
- C:\System\Apps\SimDirectory\SimDirectory.aif
- C:\System\Apps\Sdn\Sdn.app
- C:\System\Apps\Sdn\Sdn.aif
- C:\System\Apps\ScreenSaver\ScreenSaver.app
- C:\System\Apps\ScreenSaver\ScreenSaver.aif
- C:\System\Apps\SchemeApp\SchemeApp.app
- C:\System\Apps\SchemeApp\SchemeApp.aif
- C:\System\Apps\Satui\Satui.app
- C:\System\Apps\Satui\Satui.aif
- C:\System\Apps\PushViewer\PushViewer.app
- C:\System\Apps\PushViewer\PushViewer.aif
- C:\System\Apps\PSLN\PSLN.app
- C:\System\Apps\PSLN\PSLN.aif
- C:\System\Apps\ProvisioningCx\ProvisioningCx.app
- C:\System\Apps\ProvisioningCx\ProvisioningCx.aif
- C:\System\Apps\ProfileApp\profileapp.app
- C:\System\Apps\ProfileApp\ProfileApp.aif
- C:\System\Apps\ProfiExplorer\ProfiExplorer.app
- C:\System\Apps\ProfiExplorer\ProfiExplorer.aif
- C:\System\Apps\PRESENCE\PRESENCE.app
- C:\System\Apps\PRESENCE\PRESENCE.aif
- C:\System\Apps\Pinboard\Pinboard.app
- C:\System\Apps\Pinboard\Pinboard.aif
- C:\System\Apps\Phonebook\Phonebook.app
- C:\System\Apps\Phonebook\Phonebook.aif
- C:\System\Apps\Phone\Phone.app
- C:\System\Apps\Phone\Phone.aif
- C:\System\Apps\NSmlDSSync\NSmlDSSync.app
- C:\System\Apps\NSmlDSSync\NSmlDSSync.aif
- C:\System\Apps\NSmlDMSync\NSmlDMSync.app
- C:\System\Apps\NSmlDMSync\NSmlDMSync.aif
- C:\System\Apps\NpdViewer\NpdViewer.app
- C:\System\Apps\NpdViewer\NpdViewer.aif
- C:\System\Apps\Notepad\Notepad.app
- C:\System\Apps\Notepad\Notepad.aif
- C:\System\Apps\MusicPlayer\MusicPlayer.app
- C:\System\Apps\MusicPlayer\MusicPlayer.aif
- C:\System\Apps\MsgMailViewer\MsgMailViewer.app
- C:\System\Apps\MsgMailViewer\MsgMailViewer.aif
- C:\System\Apps\MsgMailEditor\MsgMailEditor.app
- C:\System\Apps\MsgMailEditor\MsgMailEditor.aif
- C:\System\Apps\MmsViewer\MmsViewer.app
- C:\System\Apps\MmsViewer\MmsViewer.aif
- C:\System\Apps\MmsEditor\MmsEditor.app
- C:\System\Apps\MmsEditor\MmsEditor.aif
- C:\System\Apps\MMM\MMM.app
- C:\System\Apps\MMM\MMM.aif
- C:\System\Apps\mmcapp\mmcapp.app
- C:\System\Apps\mmcapp\mmcapp.aif
- C:\System\Apps\Menu\Menu.app
- C:\System\Apps\Menu\Menu.aif
- C:\System\Apps\MediaSettings\MediaSettings.app
- C:\System\Apps\MediaSettings\MediaSettings.aif
- C:\System\Apps\MediaPlayer\MediaPlayer.app
- C:\System\Apps\MediaPlayer\MediaPlayer.aif
- C:\System\Apps\MediaGallery\MediaGallery.app
- C:\System\Apps\MediaGallery\MediaGallery.aif
- C:\System\Apps\mce\mce.app
- C:\System\Apps\mce\mce.aif
- C:\System\Apps\Logs\Logs.app
- C:\System\Apps\Logs\Logs.aif
- C:\System\Apps\location\location.app
- C:\System\Apps\location\location.aif
- C:\System\Apps\ImageViewer\ImageViewer.app
- C:\System\Apps\ImageViewer\ImageViewer.aif
- C:\System\Apps\GS\gs.app
- C:\System\Apps\GS\GS.aif
- C:\System\Apps\FileView\FileView.app
- C:\System\Apps\FileView\FileView.aif
- C:\System\Apps\FileManager\FileManager.app
- C:\System\Apps\FileManager\FileManager.aif
- C:\System\Apps\FExplorer\FExplorer.app
- C:\System\Apps\FExplorer\FExplorer.aif
- C:\System\Apps\F-secureAnti-Virus\Hydra1.DLL
- C:\System\Apps\F-secureAnti-Virus\FSUpdateManager.dll
- C:\System\Apps\F-secureAnti-Virus\FSSMSManager.dll
- C:\System\Apps\F-secureAnti-Virus\FSSched.rsc
- C:\System\Apps\F-secureAnti-Virus\FSSched.app
- C:\System\Apps\F-secureAnti-Virus\FsAVUpdater.rsc
- C:\System\Apps\F-secureAnti-Virus\FsAVUpdater.app
- C:\System\Apps\F-secureAnti-Virus\FsAVUpdater.aif
- C:\System\Apps\F-secureAnti-Virus\FSAVEPOC.DAT
- C:\System\Apps\F-secureAnti-Virus\FSAV.dll
- C:\System\Apps\F-secureAnti-Virus\backup\FSBioMessageParser.dll
- C:\System\Apps\F-secureAnti-Virus\backup\FSBioMessage.bif
- C:\System\Apps\F-secureAnti-Virus\backup\AVBioIcons.mbm
- C:\System\Apps\F-secureAnti-Virus\Anti-Virus.rsc
- C:\System\Apps\F-secureAnti-Virus\Anti-Virus.app
- C:\System\Apps\F-secureAnti-Virus\Anti-Virus.aif
- C:\System\Apps\efileman\efileman.app
- C:\System\Apps\efileman\efileman.aif
- C:\System\Apps\Dictionary\dictionary.app
- C:\System\Apps\Dictionary\Dictionary.aif
- C:\System\Apps\DdViewer\DdViewer.app
- C:\System\Apps\DdViewer\DdViewer.aif
- C:\System\Apps\cshelp\cshelp.app
- C:\System\Apps\cshelp\cshelp.aif
- C:\System\Apps\Converter\converter.app
- C:\System\Apps\Converter\Converter.aif
- C:\System\Apps\ConnectionMonitorUi\ConnectionMonitorUi.app
- C:\System\Apps\ConnectionMonitorUi\ConnectionMonitorUi.aif
- C:\System\Apps\CodViewer\CodViewer.app
- C:\System\Apps\CodViewer\CodViewer.aif
- C:\System\Apps\ClockApp\ClockApp.app
- C:\System\Apps\ClockApp\ClockApp.aif
- C:\System\Apps\Chat\Chat.app
- C:\System\Apps\Chat\Chat.aif
- C:\System\Apps\CERTSAVER\CERTSAVER.app
- C:\System\Apps\CERTSAVER\CERTSAVER.aif
- C:\System\Apps\CbsUiApp\CbsUiApp.app
- C:\System\Apps\CbsUiApp\CbsUiApp.aif
- C:\System\Apps\Camcorder\Camcorder.app
- C:\System\Apps\Camcorder\Camcorder.aif
- C:\System\Apps\Calendar\Calendar.app
- C:\System\Apps\Calendar\Calendar.aif
- C:\System\Apps\Calcsoft\Calcsoft.app
- C:\System\Apps\Calcsoft\Calcsoft.aif
- C:\System\Apps\bva\bva.app
- C:\System\Apps\bva\bva.aif
- C:\System\Apps\BtUi\BtUi.app
- C:\System\Apps\BtUi\BtUi.aif
- C:\System\Apps\Browser\Browser.app
- C:\System\Apps\Browser\Browser.aif
- C:\System\Apps\bif\FSBioMessage.bif
- C:\System\Apps\bif\AVBioIcons.mbm
- C:\System\Apps\Autolock\Autolock.app
- C:\System\Apps\Autolock\Autolock.aif
- C:\System\Apps\AppMngr\Appmngr.app
- C:\System\Apps\AppMngr\AppMngr.aif
- C:\System\Apps\AppInst\Appinst.app
- C:\System\Apps\AppInst\AppInst.aif
- C:\System\Apps\Anti-Virus\Hydra1.DLL
- C:\System\Apps\Anti-Virus\FSUpdateManager.dll
- C:\System\Apps\Anti-Virus\FSSMSManager.dll
- C:\System\Apps\Anti-Virus\FSSched.rsc
- C:\System\Apps\Anti-Virus\FSSched.app
- C:\System\Apps\Anti-Virus\FSSched.aif
- C:\System\Apps\Anti-Virus\FsMonitorPluginAV.dll
- C:\System\Apps\Anti-Virus\FSHttpManager.dll
- C:\System\Apps\Anti-Virus\FsAVUpdater.rsc
- C:\System\Apps\Anti-Virus\FsAVUpdater.app
- C:\System\Apps\Anti-Virus\FsAVUpdater.aif
- C:\System\Apps\Anti-Virus\FsAVKey00000000.bin
- C:\System\Apps\Anti-Virus\FSAVEPOC.DAT
- C:\System\Apps\Anti-Virus\FSAVDT.exe
- C:\System\Apps\Anti-Virus\FSAV.dll
- C:\System\Apps\Anti-Virus\backup\FSBioMessageParser.dll
- C:\System\Apps\Anti-Virus\backup\FSBioMessage.bif
- C:\System\Apps\Anti-Virus\backup\AVBioIcons.mbm
- C:\System\Apps\Anti-Virus\AntiVirusIcons.mbm
- C:\System\Apps\Anti-Virus\Anti-Virus.rsc
- C:\System\Apps\Anti-Virus\Anti-Virus.app
- C:\System\Apps\Anti-Virus\Anti-Virus.aif
- C:\System\Apps\Anti-Virus\admin.pub
- C:\System\Apps\About\About.app
- C:\System\Apps\About\About.aif

* Note that it only infects the C: drive, destroying programs installed in C:\System\Apps; any application installed on D: or E: remains unmodified.

The trojan overwrites applications installed on the C: drive only; in this case, FExplorer was installed on E: and was not destroyed

It also overwrites some system files with dummy files:

- C:\System\Recogs\mod.MDL
- C:\System\Recogs\FSRec.mdl
- C:\System\Parsers\FSBioMessageParser.dll
- C:\System\Libs\ZLIB.DLL
- C:\System\Libs\softwarecopier200.dll
- C:\System\Libs\notification.cmd
- C:\System\Libs\lmpro.r02
- C:\System\Libs\lmpro.r01
- C:\System\Libs\licencemanager20s.dll
- C:\System\Libs\FSBioMessageViewer.dll
- C:\System\Libs\FS\FSServerLauncher.exe
- C:\System\Libs\FS\FSMonitor.dll
- C:\System\help\AntiVirus.hlp
- C:\System\help\AntiVirus-2.hlp
- C:\System\data\0010155.cfg
- C:\System\bif\FSBioMessage.bif
- C:\System\bif\AVBioIcons.mbm

For example, 'notification.cmd' contains:

Virus for 7610..I hope you like it :)

Finally, it drops the Skulls application files. Once the device has been rebooted, access to most of Symbian's functions (menu, shortcuts, etc.) is blocked; only the phone and the messaging system remain available.

- C:\System\SKULLSXSECUREDATA\SKULLSXSECUREDATA\SKULLSSECURITYMANAGER\system\apps\skulls\skulls.rsc
- C:\System\SKULLSXSECUREDATA\SKULLSXSECUREDATA\SKULLSSECURITYMANAGER\system\apps\skulls\skulls.app
- C:\System\SKULLSXSECUREDATA\SKULLSXSECUREDATA\SKULLSSECURITYMANAGER\system\apps\skulls\mod.mdl
- C:\System\SKULLSXSECUREDATA\SKULLSXSECUREDATA\SKULLSSECURITYMANAGER\skulls.SIS
- C:\System\SKULLSXSECUREDATA\SKULLSXSECUREDATA\SKULLSSECURITYMANAGER\skulls.RSC
- C:\System\SKULLSXSECUREDATA\SKULLSXSECUREDATA\SKULLSSECURITYMANAGER\skulls.APP

Recommended Action

FortiGate systems:
  • Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.
FortiClient systems:
  • Quarantine/delete infected files detected.
Mobile device:
  • Perform a "hard reset" to restore the phone to its manufacturer default state.
  • If files still remain, delete the trojan executable manually:
    C:\System\SKULLSXSECUREDATA\SKULLSXSECUREDATA\SKULLSSECURITYMANAGER\system\apps\skulls\
      skulls.rsc
      skulls.app
      mod.mdl
    C:\System\SKULLSXSECUREDATA\SKULLSXSECUREDATA\SKULLSSECURITYMANAGER\
      skulls.SIS
      skulls.RSC
      skulls.APP
  • Replace corrupted files from backup.