Threat Encyclopedia

SYMBOS_SKULLS.A

Malware type: Symbian

Aliases: SymbOS/Skulls!aif (McAfee), SymbOS.Skulls (Symantec), SYMBOS/Sku.A-aif (Avira)

In the wild: No

Destructive: Yes

Language: English

Platform: Symbian

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Low

Description: 

This Trojan may affect mobile devices running the Symbian operating system with the Series 60 Platform user interface. It particularly targets the Nokia 7610, because it is disguised as a theme manager for that model.

(Note: The Series 60 Platform is licensed by various mobile phone manufacturers including LG Electronics, Lenovo, Nokia, Panasonic, Samsung, Sendo, and Siemens.)

Here are some of the affected mobile phones:

  • Nokia 7650
  • Nokia 7610
  • Nokia 6620
  • Nokia 6600
  • Nokia 3650, 3600
  • Nokia 3660, 3620
  • Nokia N-Gage
  • Panasonic X700
  • Siemens SX1
  • Sendo X

It disables the applications on infected phones and changes each application's icon to a skull image. It usually arrives as an installation package with the file name EXTENDED THEME.SIS.

Once EXTENDED THEME.SIS is installed, it extracts several .APP and .AIF files to drive C: of the phone, which causes most of the phone's applications and features to malfunction. These .APP files are application files that carry the file names of legitimate phone applications normally located on the ROM drive. The .AIF files contain icons with the familiar skull and crossbones image.

(Figure: Skulls and crossbones icon on Phone Menu)

Description created: Nov. 21, 2004 3:38:13 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 1,192,117 Bytes

Initial samples received on: Nov 21, 2004

Details:

The following are the files installed by the Trojan:

  • C:\System\Apps\About\About.aif
  • C:\System\Apps\About\About.app
  • C:\System\Apps\AppInst\AppInst.aif
  • C:\System\Apps\AppInst\Appinst.app
  • C:\System\Apps\AppMngr\AppMngr.aif
  • C:\System\Apps\AppMngr\Appmngr.app
  • C:\System\Apps\Autolock\Autolock.aif
  • C:\System\Apps\Autolock\Autolock.app
  • C:\System\Apps\Browser\Browser.aif
  • C:\System\Apps\Browser\Browser.app
  • C:\System\Apps\BtUi\BtUi.aif
  • C:\System\Apps\BtUi\BtUi.app
  • C:\System\Apps\bva\bva.aif
  • C:\System\Apps\bva\bva.app
  • C:\System\Apps\Calcsoft\Calcsoft.aif
  • C:\System\Apps\Calcsoft\Calcsoft.app
  • C:\System\Apps\Calendar\Calendar.aif
  • C:\System\Apps\Calendar\Calendar.app
  • C:\System\Apps\Camcorder\Camcorder.aif
  • C:\System\Apps\Camcorder\Camcorder.app
  • C:\System\Apps\CbsUiApp\CbsUiApp.aif
  • C:\System\Apps\CbsUiApp\CbsUiApp.app
  • C:\System\Apps\CERTSAVER\CERTSAVER.aif
  • C:\System\Apps\CERTSAVER\CERTSAVER.APP
  • C:\System\Apps\Chat\Chat.aif
  • C:\System\Apps\Chat\Chat.app
  • C:\System\Apps\ClockApp\ClockApp.aif
  • C:\System\Apps\ClockApp\ClockApp.app
  • C:\System\Apps\CodViewer\CodViewer.aif
  • C:\System\Apps\CodViewer\CodViewer.app
  • C:\System\Apps\ConnectionMonitorUi\ConnectionMonitorUi.aif
  • C:\System\Apps\ConnectionMonitorUi\ConnectionMonitorUi.app
  • C:\System\Apps\Converter\Converter.aif
  • C:\System\Apps\Converter\converter.app
  • C:\System\Apps\cshelp\cshelp.aif
  • C:\System\Apps\cshelp\cshelp.app
  • C:\System\Apps\DdViewer\DdViewer.aif
  • C:\System\Apps\DdViewer\DdViewer.app
  • C:\System\Apps\Dictionary\Dictionary.aif
  • C:\System\Apps\Dictionary\dictionary.app
  • C:\System\Apps\FileManager\FileManager.aif
  • C:\System\Apps\FileManager\FileManager.app
  • C:\System\Apps\GS\GS.aif
  • C:\System\Apps\GS\gs.app
  • C:\System\Apps\ImageViewer\ImageViewer.aif
  • C:\System\Apps\ImageViewer\ImageViewer.app
  • C:\System\Apps\location\location.aif
  • C:\System\Apps\location\location.app
  • C:\System\Apps\Logs\Logs.aif
  • C:\System\Apps\Logs\Logs.app
  • C:\System\Apps\mce\mce.aif
  • C:\System\Apps\mce\mce.app
  • C:\System\Apps\MediaGallery\MediaGallery.aif
  • C:\System\Apps\MediaGallery\MediaGallery.app
  • C:\System\Apps\MediaPlayer\MediaPlayer.aif
  • C:\System\Apps\MediaPlayer\MediaPlayer.app
  • C:\System\Apps\MediaSettings\MediaSettings.aif
  • C:\System\Apps\MediaSettings\MediaSettings.app
  • C:\System\Apps\Menu\Menu.aif
  • C:\System\Apps\Menu\Menu.app
  • C:\System\Apps\mmcapp\mmcapp.aif
  • C:\System\Apps\mmcapp\mmcapp.app
  • C:\System\Apps\MMM\MMM.app
  • C:\System\Apps\MmsEditor\MmsEditor.aif
  • C:\System\Apps\MmsEditor\MmsEditor.app
  • C:\System\Apps\MmsViewer\MmsViewer.aif
  • C:\System\Apps\MmsViewer\MmsViewer.app
  • C:\System\Apps\MsgMailEditor\MsgMailEditor.aif
  • C:\System\Apps\MsgMailEditor\MsgMailEditor.app
  • C:\System\Apps\MsgMailViewer\MsgMailViewer.aif
  • C:\System\Apps\MsgMailViewer\MsgMailViewer.app
  • C:\System\Apps\MusicPlayer\MusicPlayer.aif
  • C:\System\Apps\MusicPlayer\MusicPlayer.app
  • C:\System\Apps\Notepad\Notepad.aif
  • C:\System\Apps\Notepad\Notepad.app
  • C:\System\Apps\NpdViewer\NpdViewer.aif
  • C:\System\Apps\NpdViewer\NpdViewer.app
  • C:\System\Apps\NSmlDMSync\NSmlDMSync.aif
  • C:\System\Apps\NSmlDMSync\NSmlDMSync.app
  • C:\System\Apps\NSmlDSSync\NSmlDSSync.aif
  • C:\System\Apps\NSmlDSSync\NSmlDSSync.app
  • C:\System\Apps\Phone\Phone.aif
  • C:\System\Apps\Phone\Phone.app
  • C:\System\Apps\Phonebook\Phonebook.aif
  • C:\System\Apps\Phonebook\Phonebook.app
  • C:\System\Apps\Pinboard\Pinboard.aif
  • C:\System\Apps\Pinboard\Pinboard.app
  • C:\System\Apps\PRESENCE\PRESENCE.aif
  • C:\System\Apps\PRESENCE\PRESENCE.APP
  • C:\System\Apps\ProfileApp\ProfileApp.aif
  • C:\System\Apps\ProfileApp\profileapp.app
  • C:\System\Apps\ProvisioningCx\ProvisioningCx.aif
  • C:\System\Apps\ProvisioningCx\ProvisioningCx.app
  • C:\System\Apps\PSLN\PSLN.aif
  • C:\System\Apps\PSLN\PSLN.app
  • C:\System\Apps\PushViewer\PushViewer.aif
  • C:\System\Apps\PushViewer\PushViewer.app
  • C:\System\Apps\Satui\Satui.aif
  • C:\System\Apps\Satui\Satui.app
  • C:\System\Apps\SchemeApp\SchemeApp.aif
  • C:\System\Apps\SchemeApp\SchemeApp.app
  • C:\System\Apps\ScreenSaver\ScreenSaver.aif
  • C:\System\Apps\ScreenSaver\ScreenSaver.app
  • C:\System\Apps\Sdn\Sdn.aif
  • C:\System\Apps\Sdn\Sdn.app
  • C:\System\Apps\SimDirectory\SimDirectory.aif
  • C:\System\Apps\SimDirectory\SimDirectory.app
  • C:\System\Apps\SmsEditor\SmsEditor.aif
  • C:\System\Apps\SmsEditor\SmsEditor.app
  • C:\System\Apps\SmsViewer\SmsViewer.aif
  • C:\System\Apps\SmsViewer\SmsViewer.app
  • C:\System\Apps\Speeddial\Speeddial.aif
  • C:\System\Apps\Speeddial\Speeddial.app
  • C:\System\Apps\Startup\Startup.aif
  • C:\System\Apps\Startup\Startup.app
  • C:\System\Apps\SysAp\SysAp.aif
  • C:\System\Apps\SysAp\SysAp.app
  • C:\System\Apps\ToDo\ToDo.aif
  • C:\System\Apps\ToDo\ToDo.app
  • C:\System\Apps\Ussd\Ussd.aif
  • C:\System\Apps\Ussd\Ussd.app
  • C:\System\Apps\VCommand\VCommand.aif
  • C:\System\Apps\VCommand\VCommand.app
  • C:\System\Apps\Vm\Vm.aif
  • C:\System\Apps\Vm\Vm.app
  • C:\System\Apps\Voicerecorder\Voicerecorder.aif
  • C:\System\Apps\Voicerecorder\Voicerecorder.app
  • C:\System\Apps\WALLETAVMGMT\WALLETAVMGMT.aif
  • C:\System\Apps\WALLETAVMGMT\WALLETAVMGMT.APP
  • C:\System\Apps\WALLETAVOTA\WALLETAVOTA.aif
  • C:\System\Apps\WALLETAVOTA\WALLETAVOTA.APP
  • C:\System\Libs\licencemanager20s.dll
  • C:\System\Libs\lmpro.r01
  • C:\System\Libs\lmpro.r02
  • C:\System\Libs\notification.cmd
  • C:\System\Libs\softwarecopier200.dll
  • C:\System\Libs\ZLIB.DLL
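
The pattern in this list (a C:\System\Apps entry named after an application that normally lives in ROM) can be checked against a file listing exported from a handset or memory image. The following is an added example, not Trend Micro's code; it assumes the ROM drive is Z: and that paths compare case-insensitively, and the sample listing is constructed (MyGame is a hypothetical third-party application).

```python
import ntpath
from collections import defaultdict

LIB_MARKERS = {"lmpro.r01", "lmpro.r02"}  # split RAR parts named on the page

def _norm(path):
    # Assumption: paths compare case-insensitively, so fold case before matching.
    return path.strip().lower()

def find_shadowed_apps(listing, rom_drive="z:", user_drive="c:"):
    """Map app name -> sorted extensions found on the user drive for every
    \\System\\Apps\\<name>\\<name>.app|.aif whose <name> is also a ROM app."""
    rom_apps, user_files = set(), defaultdict(set)
    for path in listing:
        drive, rest = ntpath.splitdrive(_norm(path))
        parts = rest.strip("\\").split("\\")
        if len(parts) != 4 or parts[:2] != ["system", "apps"]:
            continue  # not \System\Apps\<name>\<file>
        stem, ext = ntpath.splitext(parts[3])
        if stem != parts[2] or ext not in (".app", ".aif"):
            continue  # file name must match its folder name
        if drive == rom_drive and ext == ".app":
            rom_apps.add(stem)
        elif drive == user_drive:
            user_files[stem].add(ext)
    return {n: sorted(e) for n, e in user_files.items() if n in rom_apps}

def lib_markers_present(listing, user_drive="c:"):
    """Return the marker files found under <user_drive>\\System\\Libs."""
    prefix = user_drive + "\\system\\libs\\"
    names = {ntpath.basename(_norm(p)) for p in listing if _norm(p).startswith(prefix)}
    return sorted(names & LIB_MARKERS)

# Constructed listing: ROM (Z:, assumed) entries plus C: paths taken from the
# page's file list; MyGame is a hypothetical, legitimate third-party app.
SAMPLE = [
    r"Z:\System\Apps\Menu\Menu.app", r"Z:\System\Apps\Phone\Phone.app",
    r"Z:\System\Apps\AppInst\AppInst.app", r"Z:\System\Apps\MMM\MMM.app",
    r"C:\System\Apps\Menu\Menu.aif", r"C:\System\Apps\Menu\Menu.app",
    r"C:\System\Apps\AppInst\AppInst.aif", r"C:\System\Apps\AppInst\Appinst.app",
    r"C:\System\Apps\MMM\MMM.app", r"C:\System\Apps\MyGame\MyGame.app",
    r"C:\System\Libs\lmpro.r01", r"C:\System\Libs\lmpro.r02",
]

if __name__ == "__main__":
    for name, exts in sorted(find_shadowed_apps(SAMPLE).items()):
        print(f"shadowed ROM app: {name} {exts}")
    print("lib markers:", lib_markers_present(SAMPLE))
```

The mixed-case pair AppInst.aif / Appinst.app from the list is matched as one application, and the third-party entry with no ROM counterpart is not flagged.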

The files LMPRO.R01 and LMPRO.R02, located in the folder C:\System\Libs, are the two parts of a split RAR archive. When extracted, the archive produces the file T-VIRUS.EXE, which is actually a text file containing the following message:

What is T-VIRUS?
T-VIRUS is not a type of virus, instead it is a system file, specially designed & created for you.
T-VIRUS crashes the main system of your phone, i guess it is the right time for you to go to your service center, or buy a new phone.
Newer & higher version of T-VIRUS, coming soon.
If you have Cabir, feel free to send it to me, i'll appriciate it very much.

 
 
 

Analysis by: Ronald Bautista

Analysis by: Ace Portuguez


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 2.342.06

Pattern release date: Nov 21, 2004


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

Trend Micro Mobile Security Solution

Trend Micro has released an integrated solution for mobile devices, which provides automatic, real-time scanning to protect wireless devices against malicious code and viruses on the Web or hidden inside files.

Download the latest Trend Micro Security Solution from this site.

MANUAL REMOVAL INSTRUCTIONS

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as SYMBOS_SKULLS.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.

