Analysis by: Karl Dominguez

THREAT SUBTYPE: Information Stealer

PLATFORM: Symbian OS


  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This backdoor application monitors the Short Message Service (SMS) messages of an affected Symbian phone and forwards a message to a remote phone number if its sender is on the malware's monitored list. It interprets a specific set of incoming messages as its backdoor commands.

It sends information to, and receives commands from, a specific phone number. It also sends a set of status messages to that number to notify the remote malicious user of the malware's current state.

This spyware may be dropped by other malware.

  TECHNICAL DETAILS

File Size: 74,632 bytes
File Type: PE
Memory Resident: Yes
Initial Samples Received Date: 27 Sep 2010
Payload: Steals information, Compromises system security

Arrival Details

This spyware may be dropped by the following malware:

  • SYMBOS_ZEUSMIT.A

Installation

This spyware creates the following folders:

  • C:\private\20022B8Ea

Dropping Routine

This spyware drops the following files wherein it saves the information it gathers:

  • C:\private\20022B8E\NumbersDB.db
  • C:\private\20022B8E\settings2.dat
  • C:\private\20022B8E\firststart.dat

Other Details

Based on analysis of the code, it has the following capabilities:

  • It monitors the Short Message Service (SMS) messages of an affected Symbian phone and forwards a message to a remote phone number if its sender is on the malware's monitored list.
  • It interprets the following messages as its backdoor commands:
    • Server ON
    • Server OFF
    • BLOCK ON
    • BLOCK OFF
    • SET ADMIN
    • ADD SENDER
    • ADD SENDER ALL
    • REM SENDER
    • REM SENDER ALL
    • SET SENDER
  • It sends and receives information from the following phone number:
    • +{BLOCKED}1481725
  • It sends any of the following messages to the said number to notify the remote malicious user of the malware's current status:
    • state is On
    • state is Off
    • monitoring all
    • blocking is on
    • blocking is off
    • App installed ok
  • The file C:\private\20022B8E\NumberDB.dat contains the following information:
    • tbl_contact
    • index
    • name
    • descr
    • pb_cont
    • act_id
    • tbl_phone_number
    • contact_id
    • phone_number
    • tbl_history
    • event_id
    • pn_id
    • date
    • description
    • contact_info
    • contact_id
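As an added example (not Trend Micro's code or the original analysis), the following Python triage helper matches SMS bodies and file paths against the indicators listed above, so an investigator can flag operator commands, malware status replies and dropped-file artifacts in a message log or file listing. Case-insensitive matching and the treatment of trailing text after a command as its argument are assumptions; the page does not state either.

```python
"""Triage helpers built from the SYMBOS_ZBOT.A indicators listed on the page.
Added example, not Trend Micro's code. Assumptions: command matching is
case-insensitive and text following a command is its argument."""
from typing import List, Optional, Tuple

# Operator -> infected phone: backdoor commands from the page, longest first so
# "ADD SENDER ALL" is not misreported as "ADD SENDER" with argument "ALL".
COMMANDS = sorted(["Server ON", "Server OFF", "BLOCK ON", "BLOCK OFF", "SET ADMIN",
                   "ADD SENDER", "ADD SENDER ALL", "REM SENDER", "REM SENDER ALL",
                   "SET SENDER"], key=len, reverse=True)
# Infected phone -> operator: status notifications from the page.
STATUS = {"state is On", "state is Off", "monitoring all",
          "blocking is on", "blocking is off", "App installed ok"}
# Dropped-file artifacts from the page (Symbian paths, compared case-insensitively).
ARTIFACTS = {r"C:\private\20022B8E\NumbersDB.db",
             r"C:\private\20022B8E\settings2.dat",
             r"C:\private\20022B8E\firststart.dat"}

def classify_sms(text: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (kind, matched_indicator, argument) for one SMS body."""
    body = " ".join(text.split())            # normalise whitespace
    upper = body.upper()
    for cmd in COMMANDS:
        if upper == cmd.upper():
            return ("command", cmd, None)
        if upper.startswith(cmd.upper() + " "):
            return ("command", cmd, body[len(cmd) + 1:])   # assumed argument
    if body in STATUS:
        return ("status", body, None)
    return ("benign", None, None)

def triage_sms_log(log: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Entries are (peer_number, body); returns only the suspicious ones."""
    hits = []
    for peer, body in log:
        kind, match, arg = classify_sms(body)
        if kind != "benign":
            hits.append((peer, kind, match if arg is None else f"{match} {arg}"))
    return hits

def find_artifacts(paths: List[str]) -> List[str]:
    """Return the paths from a file listing that match the dropped-file set."""
    wanted = {p.lower() for p in ARTIFACTS}
    return sorted(p for p in paths if p.lower() in wanted)

if __name__ == "__main__":
    # Constructed sample log; the numbers are placeholders, not real indicators.
    SAMPLE_LOG = [("+000000000000", "Server ON"),
                  ("+000000000000", "add sender +111111111111"),
                  ("+000000000000", "ADD SENDER ALL"),
                  ("+222222222222", "see you at 7"),
                  ("+000000000000", "App installed ok")]
    for hit in triage_sms_log(SAMPLE_LOG):
        print(hit)
```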

  SOLUTION

Minimum Scan Engine: 8.900

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by SYMBOS_ZBOT.A

    • SYMBOS_ZEUSMIT.A

Step 3

Scan your computer with your Trend Micro product to delete files detected as SYMBOS_ZBOT.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 4

Search and delete this folder

Please make sure you check the Search Hidden Files and Folders checkbox under More advanced options so that hidden folders are included in the search results.
  • C:\private\20022B8Ea

Step 5

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.
