SYMBOS_PBSTEAL.A

Malware type: Symbian

Aliases: Trojan-Spy.SymbOS.Pbstealer.a (Kaspersky), SymbOS/PBsender.a!sis (McAfee), SymbOS.Pbstealer.A (Symantec), SYMBOS/PBStealer.A (Avira), Troj/PBSteal-A (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Symbian OS Series 60

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Low

Description: 

This Symbian malware affects mobile devices running the Symbian operating system with the Series 60 Platform user interface. Among the phone models that use this operating system are the following:

  • Nokia 3600
  • Nokia 3620
  • Nokia 3650
  • Nokia 3660
  • Nokia 6600
  • Nokia 6620
  • Nokia 7610
  • Nokia 7650
  • Nokia N-Gage
  • Panasonic X700
  • Sendo X
  • Siemens SX1

This Symbian malware steals critical user information, a routine commonly utilized by spyware applications and some Trojans. It gathers data from the affected phone's phonebook entries, which may contain account numbers, passwords, and the like. It then searches for online Bluetooth devices and, for several seconds, repeatedly attempts to send the data it gathers to the first online device it finds.

Users are therefore advised to protect their devices by installing security software such as Trend Micro Mobile Security, encrypting sensitive information, not storing unnecessary information on their mobile phones, and being wary of installing questionable applications of uncertain origin.


Description created: Nov. 23, 2005 1:41:17 AM GMT -0800


TECHNICAL DETAILS


File type: EPOC

Memory resident: Yes

Size of malware: 10,752 Bytes

Initial samples received on: Nov 23, 2005

Payload 1: Steals information

Details:

Once installed on an affected mobile device, this malware attempts to steal contact information from the user's phonebook entries. It saves the data it gathers into the following file:

    C:\SYSTEM\MAIL\PHONEBOOK.TXT

The details of the gathered phonebook entries are organized in that file as follows:

    Phone Book Stolen
    by: lajel 202u
    --
    Fname: {first name}
    Lname: {last name}
    Com: {company}
    JobT: {job title}
    Tlp: {phone number}
    Other:
    BirthD: {birth date}
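
For triage of files copied off a handset or found in a backup, the layout above can be recognized mechanically. The following Python code is an added example, not part of the original Trend Micro description; it assumes the file content has already been decoded to text, with one field per line and each contact starting at an `Fname:` line, and its function names and sample contacts are constructed for illustration.

```python
import re

# Header lines and field labels exactly as listed in the description above.
HEADER_MARKERS = ("Phone Book Stolen", "by: lajel 202u")
FIELD_LABELS = ("Fname", "Lname", "Com", "JobT", "Tlp", "Other", "BirthD")
FIELD_RE = re.compile(r"^(%s):\s*(.*)$" % "|".join(FIELD_LABELS))


def parse_dump(text):
    """Return (header markers found, list of contact dicts)."""
    # Assumption (not stated on the page): one field per line, and each
    # contact record begins at an 'Fname:' line.
    lines = [ln.strip() for ln in text.splitlines()]
    hits = [m for m in HEADER_MARKERS if m in lines]
    records, current = [], None
    for ln in lines:
        m = FIELD_RE.match(ln)
        if not m:
            continue  # header, '--' separator, or unrelated text
        label, value = m.groups()
        if label == "Fname" or current is None:
            current = {}
            records.append(current)
        current[label] = value
    return hits, records


def assess(text):
    """Classify content as 'match', 'partial' or 'clean', with complete-record count."""
    hits, records = parse_dump(text)
    complete = [r for r in records if set(FIELD_LABELS) <= set(r)]
    if len(hits) == len(HEADER_MARKERS) and complete:
        return "match", len(complete)
    if hits or complete:
        return "partial", len(complete)
    return "clean", 0


# Constructed sample with fictional contacts; the second record is truncated.
SAMPLE = "\n".join([
    "Phone Book Stolen", "by: lajel 202u", "--",
    "Fname: Alice", "Lname: Example", "Com: Example Corp", "JobT: Engineer",
    "Tlp: +10000000000", "Other:", "BirthD: 1980/01/01",
    "Fname: Bob", "Lname: Sample", "Tlp: +10000000001",
])

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A "match" result means both header lines and at least one complete record were found; "partial" flags content worth a manual look, such as a truncated file.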

While performing its routine, this malware displays the following message:

    Compacting your contact(s),step 2

    Please wait again
    until done...

It may also display the following message:

    Phone Book
    Compacting
    by: lajel 202u

This malware then searches for online Bluetooth devices and, for several seconds, repeatedly attempts to send the file C:\SYSTEM\MAIL\PHONEBOOK.TXT to the first online device it finds. If it successfully sends the file, it displays the following message:

    Compacting your contact(s),step 2

    Done!!!

The following text strings can be found in this malware's code:

    .:: Good artist copy, great artist steal ::.

Analysis By: Jonathan N. San Jose

Updated By: Michael de Leon Lactaotao

Revision History:

First pattern file version: 2.968.01
First pattern file release date: Nov 24, 2005
 
Nov 24, 2005 - Updated Pattern
Nov 28, 2005 - Modified Virus Report

SOLUTION


Minimum scan engine version needed: 7.000

Pattern file needed: 2.969.00

Pattern release date: Nov 24, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

TREND MICRO MOBILE SECURITY SOLUTION

Trend Micro has released an integrated solution for mobile devices, which provides automatic, real-time scanning to protect wireless devices against malicious code and viruses on the Web or hidden inside files.

Download the latest Trend Micro Security Solution from this site.

Running Trend Micro Antivirus

Perform the following procedure if you have recently transferred files from your Series 60 phone to your computer. If your system is currently running in safe mode, restart it normally before proceeding.

Scan your system with Trend Micro antivirus and delete files detected as SYMBOS_PBSTEAL.A. To do this, Trend Micro customers must download the latest virus pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.



