New variants of the SYMBOS_DOOMED family have been observed spreading. They arrive as SIS packages named exoVirusStop 1.69.90.sis and exoVirusStop v2.13.16.sis.
ExoVirusStop is a Mobile Anti-Virus.
Just like other SYMBOS_DOOMED variants, it overwrites critical system files by dropping corrupted copies of the following files:
- etelsat.dll
- etelpckt.dll
- etelmm.dll
- ETel.dll
This will leave the phone inoperable upon boot.
The bundled mobile AV is licensed (to someone, of course!) and is said to be working and even eligible for the latest updates!
This is new for Symbian malware that disguises itself as a mobile anti-virus, because previous cases were easy to spot: they were fake, cracked versions, or simply malicious.
Mobile AVs generally cost a few bucks (except for some trial copies), so don’t be tempted to accept when someone sends you a mobile AV for free! You may not know that what you have accepted and installed on your phone is not just a pirated AV! It might have some malicious apps in it. :=(
Update (Jessie, 10 November 2005 11:50:41)
Upon further analysis, the SIS package exoVirusStop 1.69.90.sis was verified to be bundled with a Win32 malware file (virusscan 001.exe), which we detect as WORM_CYDOG.B. It also includes an autorun.inf file that is set to execute the copy of WORM_CYDOG.B. The author probably wants to infect Windows users as well. This is the same behavior that SYMBOS_CARDTRP.A manifested.
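To check an unpacked SIS package or a memory card for the two traits described above, here is an added triage sketch (not Trend Micro code). It flags files carrying the four ETel DLL names and any autorun.inf whose launch command points at a Windows executable; the directory layout and stub files in `demo()` are constructed for illustration.

```python
import tempfile
from pathlib import Path

# File names the page lists as overwritten with corrupted copies.
ETEL_DLLS = {"etelsat.dll", "etelpckt.dll", "etelmm.dll", "etel.dll"}

def autorun_commands(text):
    """Commands that the [autorun] section would launch on Windows."""
    section, cmds = "", []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() in ("open", "shellexecute"):
                cmds.append(value.strip().strip('"'))
    return cmds

def triage(root):
    """Return sorted (finding, detail) pairs for an unpacked package or card."""
    root, findings = Path(root), []
    for p in (f for f in root.rglob("*") if f.is_file()):
        if p.name.lower() in ETEL_DLLS:
            findings.append(("etel-dll", p.relative_to(root).as_posix()))
        elif p.name.lower() == "autorun.inf":
            base = p.parent
            rel = {f.relative_to(base).as_posix().lower(): f
                   for f in base.rglob("*") if f.is_file()}
            for cmd in autorun_commands(p.read_text(errors="replace")):
                norm = cmd.replace("\\", "/").lower()
                # Names may contain spaces, so match the longest known file prefix.
                hit = max((n for n in rel if norm.startswith(n)), key=len, default=None)
                is_pe = bool(hit) and rel[hit].read_bytes()[:2] == b"MZ"  # DOS/PE magic
                findings.append(("autorun-pe" if is_pe else "autorun", cmd))
    return sorted(findings)

def demo():
    """Run triage over a constructed tree (stub files, no real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system" / "libs").mkdir(parents=True)  # constructed path
        (root / "system" / "libs" / "etelmm.dll").write_bytes(b"\x00" * 16)
        (root / "virusscan 001.exe").write_bytes(b"MZ" + b"\x00" * 62)
        (root / "autorun.inf").write_text("[AutoRun]\nopen=virusscan 001.exe\n")
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

A hit on either rule is only a reason to look closer: legitimate firmware files share the ETel names, so the finding matters when they appear inside a third-party package.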
Fortunately, if you have not rebooted your phone yet, you still have a good chance of bringing it back to its healthy status (before the infection).
Here are some things you can try:
- If you know which malicious files were added to your phone, you can use a file manager to delete those files. You can download a file manager application if you do not have one.
- You can download Trend Micro Mobile Security, install it, update it, and run it!
But if you have already rebooted your phone, your only choice is to reformat your phone. ;=)
Note: Formatting the phone means setting it back to its factory settings (some apps, contacts, and some other user data will be erased). But this is better than leaving your phone unusable.
Thanks to Loucif Kharouni (AV-EU) for sending this tip. This is based on his actual experience! :=)
How to format Nokia phones (6600, 7610, etc…):
- Turn your device off.
- Remove the SIM card and MMC card. (Actually, there is no need to remove them, but after formatting remember to format the memory card and reboot the phone.)
- Press “3 + * + CallButton” together.
- Turn your device on while you are pressing the three buttons.
- You should now see the word “Formatting ..” on the screen!
- Release the buttons now.