[S60 1st, 2nd Edition] Series 60 just got a virus

ΕΜενα ενας μου το εστελνε συνεχεια και το απερριπτα συνεχεια..Καταλαβα μετα απο ψαξιμο ποιος ηταν...

Με το που βρισκω ευκαιρια λοιπον του στελνω σημειωση..

 

"Αλλου αυτα φιλε μου..Εκει που περνανε,στους ασχετους...

Κοψε τις ανοησιες μην ερθω εκει...."

 

Ενα σας λεω,επρεπε να δειτε τα μουτρα του...

 

:p :p :p

Παντως οι περισσοτεροι που το στελνουν δεν το κανουν επιτηδες... οι περισσοτεροι ειναι infected και ετσι ο ιος πολλαπλασιαζεται και αποσταλεται αυτοματα.

Αρχικό Μήνυμα από το μέλος nervous ( 3 Ιαν. 2005 , 14:59)

 

Αφου δεν εκανες εγκατασταση, τοτε δεν εχεις προβλημα . ;)

 

παιδια να ρωτησω κατι?...εγω ποθ απο λαθος το αποδεχτηκα και εκανα εγκατασταση....στην συνεχειa το εσβησα με το f-cabir....θα εχω προβλημα??

χρειαζεται να κανω format??..... η κατι αλλο?

georgekap1 οχι δεν χρειαζεται να κανεις format αφου ετρεξες το removal tool της F-Secure. :)

ευχαριστω asymvivastε! παντως το 6600 μου δειχνει να ειναι καλα και να μην εχει παθει κατι....το ελπιζω!!.....

Προς ενημερωση ο ιος εχει την μορφη CARIBE.SIS.

Αρχικό Μήνυμα από το μέλος O Tifosi ( 3 Ιαν. 2005 , 15:06)

 

ΕΜενα ενας μου το εστελνε συνεχεια και το απερριπτα συνεχεια..Καταλαβα μετα απο ψαξιμο ποιος ηταν...

Με το που βρισκω ευκαιρια λοιπον του στελνω σημειωση..

 

"Αλλου αυτα φιλε μου..Εκει που περνανε,στους ασχετους...

Κοψε τις ανοησιες μην ερθω εκει...."

 

Ενα σας λεω,επρεπε να δειτε τα μουτρα του...

 

:p :p :p

 

 

Ωραιος ο Tifosi :o :p

Φοβερα θελουν ;)

Αρχικό Μήνυμα από το μέλος O Tifosi ( 3 Ιαν. 2005 , 15:06)

 

ΕΜενα ενας μου το εστελνε συνεχεια και το απερριπτα συνεχεια..Καταλαβα μετα απο ψαξιμο ποιος ηταν...

Με το που βρισκω ευκαιρια λοιπον του στελνω σημειωση..

 

"Αλλου αυτα φιλε μου..Εκει που περνανε,στους ασχετους...

Κοψε τις ανοησιες μην ερθω εκει...."

 

Ενα σας λεω,επρεπε να δειτε τα μουτρα του...

 

:p :p :p

 

 

Με αφορμή το παραπάνω post να σας πω οτι ο χρήστης που σας το στέλνει δεν προσπαθεί να σας κάνει πλάκα! :!:

Aπλά ο ιός κάνει την "δουλειά" του, δηλαδή σε όποια συσκευή με ανοιχτό bt βρίσκει, στέλνει το cabir.

Δεν το κάνει ο χρήστης, αλλά το κινητό αυτόματα, χωρίς να το γνωρίζει ο ίδιος!

Κάτι αντίστοιχο με τον matrix στο IRC, το οποίο δεν μας το στέλνει κάποιος χρήστης αλλά στέλνεται αυτόματα από αυτούς που είναι infected.

Συνεπώς, αντί να βρίζουμε τον άλλον, μπορούμε να έχουμε ένα note έτοιμο που να του λέμε ότι το κινητό του έχει prob ή κάτι ανάλογο.

Όπως κάνουμε και εμείς στο IRC όταν βρίσκουμε άτομα με Matrix.

 

P.S. O Tifosi, προφανώς ο χρήστης που του έστειλες το Note δεν έιχε ιδέα για τι του μιλάς και θα μπορούσε να είναι οποιοσδήποτε ανυποψίαστος κάτοχος series 60, που δεν έχει ακουστά για τον συγκεκριμένο "ιο".

asymvivaste, αυτό είναι το άρθρο...είναι στο site της symbian..

 

November 19th 2004, Symbian press release

 

Information about suspected “Extended Theme” malware

 

 

Symbian takes security issues very seriously and works closely with the security community to develop and integrate the most advanced security features for Symbian OS. Through its co-operation with the security community, Symbian has been made aware of a malware that has been distributed through one or more shareware sites. It is Symbian’s understanding that the malware is no longer being distributed.

 

The malware is targeted at the Nokia 7610 but may affect some other phones using the Series 60 User Interface. Symbian OS phones using the UIQ user interface platform (Sony Ericsson, Motorola, BenQ, Arima) or the NTT DoCoMo FOMA platform (Fujitsu) are believed to be unaffected by this malware.

 

The malware was distributed in an application installation file, (Extended Theme.sis or similarly named), that purports to create new themes (background picture, icons etc) for the Nokia 7610. The trojan has been reported as being distributed as a zipped file called 7610.extended.theme.manager.zip.

 

To be affected by the malware requires a phone user to deliberately install it as an application onto their phone. The malware cannot be installed without repeated user intervention, including ignoring a security warning. The malware does not appear to have the ability to distribute itself to other phones. The malware, once installed, replaces the standard application icons with icons that look like skulls and locks the phone's menu so as to restrict the phone to receiving and making calls.

 

Symbian and Nokia are investigating this matter further and Symbian will update the information below as soon as possible.

 

click here for more information

 

 

 

Extended Theme”malware

 

The malware, a trojan, is hidden in an application installation file, Extended Theme.sis, that purports to create new themes for the Nokia 7610. The trojan has been recorded as being distributed as a zipped file called 7610.extended.theme.manager.zip.

The malware requires a phone user to install it as an application onto their phone. The malware cannot be installed without repeated user intervention and does not appear to be able to distribute itself.

 

Summary information and advice

 

The malware is believed to target the Nokia 7610 and only affect phones using the Series 60 User Interface platform.

 

Phones that use the UIQ user interface platform (Sony Ericsson, Motorola, BenQ, Arima) or the NTT DoCoMo FOMA platform (Fujitsu) are believed to be unaffected by this malware.

 

The only way a phone can be affected by this malware is by the user downloading the malware file, believed to called “extended theme.sis” or “extended theme manager.sis” and installing it on their phone.

 

To install the file the user has to ignore two security warnings.

 

If the user successfully installs the malware, the phone’s functionality may be restricted to the phone receiving and making calls with other.

Symbian's view on malware

 

Symbian takes security issues extremely seriously and works constantly to develop and integrate the most advanced security features for Symbian OS. Symbian believes that mobile security is the responsibility of the entire industry. It requires co-operation and trust – values the Symbian OS open approach encourages.

 

 

Symbian is working closely with handset manufacturers and network operators to educate users on how to avoid installing malware and guide them towards downloading applications from trusted sources only.

 

 

Symbian also provides the required infrastructure for security and works with partners, licensees, network operators and standards bodies to further ensure security needs of the market are met. No system for security can be guaranteed 100%. However, Symbian has measures in place to minimise the potential for a widespread attack focused on Symbian OS phones.

 

 

Symbian has led an industry-wide initiative to develop the Symbian Signed program under which software applications designed for Symbian OS are signed with a tamper-proof digital certificate that validates the identity of the application's developer, thus discouraging the installation of unsigned applications. Symbian anticipates that adoption of Symbian Signed will be widespread and will represent a significant barrier to the distribution of malware.

 

 

Questions and Answers about the extended theme manager trojan and Symbian OS security

 

Q – What is a trojan?

A – A trojan is malware hidden inside other – apparently innocent – software.

 

 

Q – How do I know if my phone is affected by this trojan?

A – If you have downloaded the Extended Theme sis file and have installed it on your Series 60 phone, your phone is at risk.

 

 

Q – How can I avoid my phone being affected by this trojan?

A – Your phone can only be affected if you have downloaded and installed the .sis file onto your Series 60 phone.

 

 

Q – How can I protect my phone from other types of malware?

A – Mobile phone users can protect their phone from harmful applications by following the simple measures:

 

 

Only download applications and content – preferably Symbian Signed – from trusted sources such as network operator or handset manufacturer web portals

 

If your device gives a security warning during installation it means that the content is not Symbian Signed. If this is the case you should consider carefully whether the application or content has been created by a trustworthy source, particularly if you have received the application or content from another phone via infra-red or Bluetooth® wireless technology.

 

 

Q – How is Symbian OS protected from malware?

A – Symbian OS provides a number of elements that make it secure. This includes protection from malware through signature checks and features that enable virus scanners from leading anti-virus vendors.

 

 

Q – Open phones means open to viruses, aren't Symbian OS phones susceptible to viruses?

A – An open programming environment can attract both benevolent and (the very small minority of) malicious developers. Symbian OS minimizes the risk of attack by advanced security within the OS itself and the use of application signing schemes (Symbian’s or those of network operators and licensees) and through the use of virus scanners (produced by partners).

 

 

Q – What is Symbian doing to prevent viruses or trojans in the future?

A – Symbian takes security issues very seriously and works constantly to develop and integrate the most advanced security features for Symbian OS. Symbian believes that mobile security is the responsibility of the entire industry. It requires co-operation and trust – values the Symbian OS open approach encourages. Symbian provides the required infrastructure for security and works with partners, licensees, network operators and standards bodies to further ensure security needs of the market are met. No system for security can be guaranteed 100%. However, Symbian has measures in place to minimize the chance of a widespread attack focused on Symbian OS devices.

 

Symbian OS provides the following elements in security for protection from malware (viruses, trojans, worms, etc):

 

Symbian provides an infrastructure which allows network operators and manufacturers to use application signing (and revocation) for applications which are used on their Symbian devices. This allows the creation of application signing programs which can be used to verify the integrity of applications before allowing their use on the handsets

Symbian has led an industry-wide initiative to develop the Symbian Signed program under which software applications designed for Symbian OS are signed with a tamper-proof digital certificate that validates the identity of the application's developer, thus discouraging the installation of unsigned applications. Symbian anticipates that adoption of Symbian Signed will be widespread and will represent a significant barrier to the distribution of malware

Virus scanners through enabling partners – Symantec, F-Secure, McAfee and other major anti-virus technology vendors.

 

sorry για το μέγεθος του post...

Ε, μπορουσες να δωσεις και link... :o

UPDATED VIRUS WARNING - Διαφορες εκδοσεις του SymbOS.Cabir

 

 

-SymbOS.Cabir.B

 

SymbOS.Cabir.B is a proof-of-concept worm that replicates on Series 60 phones. The worm is a minor variant of SymbOS.Cabir.

 

The only difference is SymbOS.Cabir.B displays the following message after infection:

 

Caribe

 

-SymbOS.Cabir.C

The only differences are:

 

* The worm spreads as ni&ai-.SIS.

* The worm displays the following message after infection:

 

ni&ai-

 

-SymbOS.Cabir.D

 

The only differences are:

 

* The worm spreads as MYTITI.SIS.

* The worm displays the following message after infection:

 

MYTITI

 

-SymbOS.Cabir.E[/b]

SymbOS.Cabir.E is a proof-of-concept worm that replicates on Series 60 phones. The worm is a minor variant of SymbOS.Cabir.

 

The only differences are:

 

* The worm spreads as [YUAN].SIS.

* The worm displays the following message after infection:

 

[YUAN]

 

-SymbOS.Cabir.F

The only differences are:

 

* The worm spreads as skulls.SIS.

* The worm creates MOD.MDL instead of FLO.MDL.

* The worm displays the following message after infection:

 

skulls

 

-SymbOS.Cabir.G

The only differences are:

 

* The worm spreads as Tee222.SIS.

* The worm creates the file 222.MDL instead of FLO.MDL.

* The worm displays the following message after infection:

 

Tee222.SIS

Παιδιά μια ερώτηση.

 

Χθες είμουνα στο rex και συνέχεια 2 κινητά προσπαθούσαν να μου στείλουν ένα αρχείο (όνομα δεν υπήρχε...).

 

Φυσικά επιδή φαντάστηκα ότι μπορεί να είναι ο cabir έλεγα όχι και έκλεινα το κινητό (για αρχή το άφηνα ανοιχτό αλλά στο μη ανακαλύψιμο αλλά αυτό συνέχιζε να στέλνετε!)

 

Αρκετή ώρα αργότερα άνοιξα το bt και θέλησα να δω το όνομα του αρχείου όταν μου ερχόταν ως μήνυμα.

 

Πάτησα yes αλλά δεν έλαβα ποτέ το μήνυμα! :confused:

 

Το θέμα είναι ο ιος άμα πατήσεις yes τρέχει κατευθείαν ή πρέπει να πας απο τα μηνύματα και να τον εγκαταστήσεις?

Παει στα μηνυματα και το εγκαθιστας εσυ Δημητρη... ;)

geia sas paidia

 

exw to F-secure kai eida mesa oti exei epilogi gia live update. prepei na kanw tis ru8miseis kai na mpw mesw tou kinitou mou sto net, i mporw kai na ta katevasw apo to pc kai na ta valw mesa ston fakelo tou antivirus??

 

euxaristw prokatavolika !!! :)

Αρχικό Μήνυμα από το μέλος Woca ( 9 Ιαν. 2005 , 00:08)

 

Παει στα μηνυματα και το εγκαθιστας εσυ Δημητρη... ;)

 

 

Ok, thanks man :)

Αρχικό Μήνυμα από το μέλος panoramix ( 9 Ιαν. 2005 , 00:21)

 

geia sas paidia

 

exw to F-secure kai eida mesa oti exei epilogi gia live update. prepei na kanw tis ru8miseis kai na mpw mesw tou kinitou mou sto net, i mporw kai na ta katevasw apo to pc kai na ta valw mesa ston fakelo tou antivirus??

 

euxaristw prokatavolika !!! :)

 

 

Πρεπει να μπεις απο το κινητο σου και να κανεις update το antivirus οπως κανεις και στο pc σου.

exei kaneis to caribe diot thelw na ton steilw se ena "filo"

Αρχικό Μήνυμα από το μέλος chryant ( 9 Ιαν. 2005 , 17:11)

 

exei kaneis to caribe diot thelw na ton steilw se ena "filo"

 

 

Και αυτος ειναι ωραιος τροπος να τον "εκδικηθεις" ? :worry:

 

Αρχικό Μήνυμα από το μέλος petran (14 Νοέ. 2004 , 19:12)

 

Οι περισσότεροι εδώ μέσα αφιερώνουν πολύτιμο χρόνο συμβάλλοντας στην ενημέρωση του κόσμου σχετικά με τα κινητά τους και βοηθούν στην αντιμετώπιση προβλημάτων. Είμαστε εδώ για να βοηθάμε τους άλλους, όχι για να τους προκαλούμε ζημιές.

 

I couldn't have said this better myself! :)

Νομιζω τα παρακατω δεν εχουν αναφερθει :

 

Skulls.B

 

 

This virus infects symbian phones and does the same as "Skulls".

The only (And big!) difference is, that it spreads like the Cabir worm by bluetooth, making it able to spread by itself without the users permission to install it.

 

To avoid this virus but you bluetooth phone in "Hidden" mode so the Cabir virus cant find it. If you have been infected you will need to hard reset your phone to get rid of it, just like normal "Skulls".

 

================================================

 

 

MGDROPPER

 

 

This virus only infects Symbian devices.

It goes under the name of METAL Gear.sis (Like the famous game Metal Gear Solid) and includes two things.

 

First thing, a trojan called Metal Gear.a which has the job to disable specific installed anti-virus and file browsing applications. After that is done, it installs a version of the already known Cabir worm.

This Cabir worm now has the job to spread the second file included in the .sis file, called SEXXXY.a. If SEXXXY.a gets installed on a phone it will spread to other phones who are in discoverable mode and if installed it will disable the Symbian application button on the phone.

 

In this way it can prevent the user to install any application that can actually help removing the virus!

Αρχικό Μήνυμα από το μέλος asymvivastos (11 Ιαν. 2005 , 20:34)

 

Νομιζω τα παρακατω δεν εχουν αναφερθει :

 

Skulls.B

 

This virus only infects Symbian devices.

It goes under the name of METAL Gear.sis (Like the famous game Metal Gear Solid) and includes two things.

 

First thing, a trojan called Metal Gear.a which has the job to disable specific installed anti-virus and file browsing applications. After that is

 

Παιδιά, εγώ έχω Metal Gear στο τηλέφωνο μου, κανονικό game που το κατέβασα...κάνε γούστο... :blink: :worry:

Αρχικό Μήνυμα από το μέλος sv2evs (11 Ιαν. 2005 , 22:59)

 

Παιδιά, εγώ έχω Metal Gear στο τηλέφωνο μου, κανονικό game που το κατέβασα...κάνε γούστο... :blink: :worry:

 

 

Φιλε μου αν δεν συμβαινει κατι απο αυτα που εχω αναφερει τοτε δεν εχεις να φοβασαι τιποτα. :)

New Worm: Lasco.A

 

Lasco.A is a bluetooth using worm that runs in Symbian mobile phones that support Series 60 platform.

 

The Lasco.A is based on the same source as Cabir.H and is very similar to it. The main difference between Cabir.H and Lasco.A is that in addition of spreading with bluetooth, Lasco.A will insert itself to any SIS files it finds in the device.

 

Lasco.A replicates over bluetooth connections and arrives to phone messaging inbox as velasco.sis file that contains the worm. When user clicks the velasco.sis and chooses to install the velasco.sis file the worm activates and starts looking for new devices to infect over bluetooth.

 

When Lasco worm finds another bluetooth device it will start sending infected SIS files to it, as long as the target phone is in range. Like Cabir.H,Lasco.A is capable of finding a new target, after the first one has gone out of range.

 

Please note that Lasco worm can reach only mobile phones that support bluetooth, and are in discoverable mode.

 

http://www.f-secure.com/virus-info/v-pics/cabir_bt_hidden.jpg

 

Setting you phone into non-discoverable (hidden) Bluetooth mode will protect your phone from Cabir worm.

 

But once the phone is infected it will try to infect other systems even as user tries to disable bluetooth from system settings.

 

Disinfection

 

Disinfection

 

F-Secure Mobile Anti-Virus will detect the Lasco.A and delete the worm components. After deleting worm files you can delete this directory: c:\system\symbiansecuredata\velasco\

 

If your phone is infected with Lasco.A and you cannot install files over bluetooth, you can download F-Secure Mobile Anti-Virus directly to your phone

 

1. Open web browser on the phone

2. Go to http://mobile.f-secure.com

3. Select link "Download F-Secure Mobile Anti-Virus" and then select phone model

4. Download the file and select open after download

5. Install F-Secure Mobile Anti-Virus

6. Go to applications menu and start Anti-Virus

7. Activate Anti-Virus and scan all files

 

 

 

Detailed Description

 

Replication

 

Lasco.A replicates over bluetooth in velasco.sis file that contains the worm main executable velasco.app, system recognizer marcos.mdl and resource file velasco.rsc. The SIS file contains autostart settings that will automatically execute velasco.app after the SIS file is being installed.

 

The velasco.sis file will not arrive automatically to the target device, so user needs to answer yes to the transfer question while the infected device is still in range.

 

When the Lasco.A worm is activated it will start looking for other bluetooth devices, and starts sending infected velasco.sis files to the first device it finds. After the first target phone is out of range the Lasco.A will continue searching and infecting other phones.

 

This modification in the replication mechanism, will make it more likely that Lasco.A will spread quickly once in the wild.

 

Infection

 

When the velasco.sis file is installed the installer will copy the worm executables into following locations:

c:\system\apps\velasco\velasco.rsc

c:\system\apps\velasco\velasco.app

c:\system\apps\velasco\flo.mdl

 

When the velasco.app is executed it copies the following files:

flo.mdl to c:\system\recogs

velasco.app to c:\system\symbiansecuredata\velasco\

caribe.rsc to c:\system\symbiansecuredata\velasco\

 

This is most likely done in case user installs the application to memory card, or to avoid user trying to disinfect the worm by uninstalling the original SIS file.

 

Then the worm will recreate the velasco.sis file from worm component files and data blocks that are in velasco.app.

 

After recreating the SIS file the Lasco.A will search for all SIS files in the device, add itself into those files and modify the SIS file header so that the Lasco.A embedded into target SIS files will activate automatically upon install of that SIS file into the device.

Αρχικό Μήνυμα από το μέλος asymvivastos (11 Ιαν. 2005 , 23:19)

 

Φιλε μου αν δεν συμβαινει κατι απο αυτα που εχω αναφερει τοτε δεν εχεις να φοβασαι τιποτα. :)

 

 

Όχι...και έχω βρεθεί πολλές φορές με φίλους που έχουν ανοιχτό το bluetooth και δεν έχουν λάβει τίποτα "παράξενο" απο εμένα... :happy:

 

’ρα μάλλον τζάμπα τρομοκρατήθηκα. :worry:

pedia, exo synexia anikto to bluetooth kai afthn thn bdomada 2fores dektika to CARIBE.SYS den to ekana install , prolava ;) sto ntuku omos.. kiklofoun poloi epitidioi :down:

Αρχικό Μήνυμα από το μέλος JuNiOr (12 Ιαν. 2005 , 10:55)

 

pedia, exo synexia anikto to bluetooth kai afthn thn bdomada 2fores dektika to CARIBE.SYS den to ekana install , prolava ;) sto ntuku omos.. kiklofoun poloi epitidioi :down:

 

 

Φιλε μου οπως ανεφερε και ο johner παραπανω οταν καποιος σου στελνει το caribe δεν παει να πει οτι το κανει επιτηδες.

Αν καποιος το εχει κολλησει ο σκοπος του ιου μετα ειναι να μεταδοθει και σε αλλες bluetooth enabled συσκευες.