Thanks to F-Secure for alerting us to a new threat to Symbian OS-based cell phones and providing an image of an infected phone.
F-Secure has received isolated reports of this scary-looking virus named Skulls, a.k.a. SymbOS/Skulls. For more details see F-Secure’s analysis of it.
The Skulls file is named «Extended theme.SIS» and claims to be a theme manager for the Nokia 7610 smart phone, written by «Tee-222». Don’t download it and definitely don’t run it.
Once installed, the smartphone features of the phone will not work, although you will still be able to make simple calls. Your messages, web access, and applications won’t work. Recovery can be difficult. For removal instructions see F-Secure’s instructions.
F-Secure Virus Descriptions : Skulls
NAME: Skulls
ALIAS: SymbOS/Skulls, Skulls trojan, extended theme trojan
Summary
Skulls is a malicious SIS file trojan that will replace the system applications with non-functional versions, so that all but the phone functionality will be disabled.
The Skulls SIS file is named «Extended theme.SIS»; it claims to be a theme manager for the Nokia 7610 smart phone, written by «Tee-222».
If Skulls is installed, it causes all application icons to be replaced with a picture of a skull and crossbones. The icons no longer refer to the actual applications, so none of the phone's system applications will be able to start.
This basically means that if Skulls is installed, only making calls from the phone and answering calls work. All functions that need a system application, such as SMS and MMS messaging, web browsing and the camera, no longer function.
If you have installed Skulls, the most important thing is not to reboot the phone and to follow the disinfection instructions in this description.
Disinfection
If you have not rebooted the phone after installing «Extended theme.sis»
Currently the only known method of uninstalling works if you have a third-party file manager installed on your phone.
1. Go to c:\System\apps\appinst and delete
c:\System\apps\appinst
c:\System\apps\menu
c:\System\apps\mce
2. Open the applications menu
3. Look for the web browser; its icon should still be normal
4. Download F-Secure Mobile Anti-Virus for your device
https://www.europe.f-secure.com/estore/avmobile.shtml
or with the mobile itself
https://mobile.f-secure.com
5. Install F-Secure Mobile Anti-Virus
6. Start F-Secure Mobile Anti-Virus
7. Scan your device to remove malicious AIF files
8. Go to application manager
9. Uninstall «Extended theme.sis»
If you have rebooted the phone or don’t have a third-party file manager installed
1. Make sure you have Nokia PC-Sync installed and functional
2. Download PC file manager from https://www.epocware.com
3. Using PC file manager delete
c:\System\apps\appinst
c:\System\apps\menu
c:\System\apps\mce
4. Download and install F-Secure Mobile Anti-Virus for your device
https://www.europe.f-secure.com/estore/avmobile.shtml
5. Start F-Secure Mobile Anti-Virus
6. Scan your device to remove malicious AIF files
7. Go to application manager
8. Uninstall «Extended theme.sis»
Detailed Description
Installation to system
The Skulls SIS file does not contain any malicious code as such; it is just a Symbian installation file that installs critical system ROM binaries onto the C: drive with exactly the same names and locations as on the ROM drive.
The Symbian operating system has a feature whereby any file on the C: drive replaces the file on the ROM drive that has an identical name and location.
The application files installed by Skulls are normal Symbian OS files extracted from the phone ROM. The malicious part is the AIF (Application Info and icon) file that comes with each application. Instead of the correct AIF file, the Skulls SIS installs an AIF file that has a skull and crossbones as its icon and, instead of pointing to the real application, points to nowhere.
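The override behaviour described above can be checked from two file listings. This is an added example, not F-Secure's code: it compares a listing of C: with a listing of the ROM drive (Z: on Symbian OS) and reports files under \System\apps that share a name and location with a ROM file. The function names and sample file names are constructed for illustration.

```python
from collections import defaultdict
from ntpath import normpath, splitdrive, splitext

APPS_ROOT = "\\system\\apps\\"  # directory the page's removal steps operate on

def rel_key(path):
    """Drive-independent path; assumption: names are compared case-insensitively."""
    return splitdrive(normpath(path))[1].lower()

def find_rom_shadows(c_listing, rom_listing):
    """Map app directory -> C: files with the same name and location as a ROM file."""
    rom = {rel_key(p) for p in rom_listing}
    shadows = defaultdict(list)
    for path in c_listing:
        key = rel_key(path)
        if key.startswith(APPS_ROOT) and key in rom:
            shadows[key[len(APPS_ROOT):].split("\\", 1)[0]].append(path)
    return dict(shadows)

def aif_overrides(shadows):
    """Apps whose AIF (application info and icon) file is overridden from C:."""
    return sorted(app for app, paths in shadows.items()
                  if any(splitext(p)[1].lower() == ".aif" for p in paths))

# Constructed listings: directory names come from the page, file names are made up.
SAMPLE_ROM = [
    r"Z:\System\Apps\Menu\Menu.app",
    r"Z:\System\Apps\Menu\Menu.aif",
    r"Z:\System\Apps\Mce\Mce.app",
    r"Z:\System\Apps\Mce\Mce.aif",
    r"Z:\System\Apps\AppInst\AppInst.app",
    r"Z:\System\Apps\AppInst\AppInst.aif",
]
SAMPLE_C = [
    r"c:\System\apps\menu\menu.app",
    r"c:\System\apps\menu\menu.aif",
    r"c:\System\apps\mce\mce.aif",
    r"c:\System\apps\ThirdPartyFM\ThirdPartyFM.app",  # no ROM counterpart
    r"c:\Nokia\Images\photo.jpg",                     # outside \System\apps
]

if __name__ == "__main__":
    found = find_rom_shadows(SAMPLE_C, SAMPLE_ROM)
    for app in sorted(found):
        flag = "AIF overridden" if app in aif_overrides(found) else "no AIF override"
        print(app, flag, found[app])
```

A user-installed application with no ROM counterpart is not reported, so the result is limited to the same-name, same-location overrides the description covers.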
Spreading
In Extended theme.sis
Payload
Replaces built-in applications with non-functional ones.
Detection
Detection for this malware was published on November 19th, 2004 in the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-11-19_04
Detection for F-Secure Anti-Virus for Symbian series 60 has been published on November 19th, 2004 in database build number 11.
If you have not enabled automatic updates on your antivirus or used any data connections lately, you can make sure you have the latest updates by selecting «Update Anti-Virus» from the Options menu.
Write-up: Jarno Niemela, November 19th, 2004