SYMBOS_EXY.A
Information Stealer, Malicious Downloader
Symbian OS
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This spyware may be unknowingly downloaded by a user while visiting malicious websites.
It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.
TECHNICAL DETAILS
Arrival Details
This spyware may be unknowingly downloaded by a user while visiting malicious websites.
Autostart Technique
This spyware drops the following files:
- C:\sys\bin\Installer_SV.exe
- C:\sys\bin\LanPackage.exe
- C:\private\101f875a\import\[20028B98].rsc
Download Routine
This spyware then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.
Other Details
Based on analysis of the codes, it has the following capabilities:
- Creates the semaphore,EConServerSemaphore_0x20028B98 to ensure that only one instance of itself is running in memory.
- Creates the temporary files: C:\system\data\Local_Para.txt,C:\system\data\Remote_Para.txt,C:\system\data\NotPure.txt,C:\system\data\SisInfo.cfg and C:\system\data\Source.ini
- Gathers information such as phone type, IMEI number, and IMSI number
- It has the following certificate: Issued by Symbian CA I. Subject: Beijing GuoShengMingDao Technology Co. Ltd Issued to LanPackage_5 2.0.0. Valid from 24/08/2009 to 25/08/2019. Issued by VeriSign Testing-Based ACS Root for Symbian OS. Issued to Symbian Limited. Valid from 14/03/2007 to 27/08/2023.
- Silently installs an updated variant by visiting the website, http://{BLOCKED}y.com/Kernel.jsp?Version=2.0&PhoneType={phone type}&PhoneImei={IMEI num}&PhomeImsi={IMSI num}&Source={other parameter}
- Saves and executes the downloaded file as C:\private\20028B98\kel.sisx, which is detected as SYMBOS_YXES.D
- Accesses the website, http://{BLOCKED}y.com/KernelPara.jsp?Version=2.0&PhoneType={phone type}&PhoneImei={IMEI num}&PhomeImsi={IMSI num}&Source={other parameter} to download an encrypted data which is saved as C:\system\data\Kernel_Para.txt.
- Propagates by sending SMS messages with a link to a copy of itself to the list of numbers collected from the phone's contact list.
- Sends the gathered information to the server, http://{BLOCKED}y.com/Jump.jsp?Version=2.0&PhoneType={phone type}&PhoneImei={IMEI num}&PhomeImsi={IMSI num}&Source={other parameter}. The server then replies with a redirection to the website, http://{BLOCKED}pie.com.
- Terminates the following processes if found running in the affected system's memory: AppMngr, TaskSpy, Y-Tasks, ActiveFile, and TaskMan.
SOLUTION
Step 1
Trend Micro Mobile Security Solution
Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.
Download and install the Trend Micro Mobile Security App via Google Play.
Step 2
Search and delete these files
- C:\sys\bin\Installer_SV.exe
- C:\sys\bin\LanPackage.exe
- C:\private\101f875a\import\[20028B98].rsc
Step 3
Scan your computer with your Trend Micro product to delete files detected as SYMBOS_EXY.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.