SYMBOS_CARDTRP.A originates in Symbian Series 60 devices, but has the potential to spread to PCs running the Microsoft Windows Operating System. There are two methods by which the mobile device can be infected:
- Receiving the malware manually via Bluetooth or MMS
- Downloading and installing it from the Web
Here’s how it works:
Like many of its predecessors, SYMBOS_CARDTRP.A propagates via Bluetooth (within a 10 meter range). The infection then resides in the memory card of the mobile device.
This malware also overwrites normal applications installed on the affected mobile device with malformed copies, thus preventing those applications from working properly.
This malware has the additional capability to infect Windows-based PCs from the phone. If the user inserts the infected memory card into their PC's card slot, the malware has the potential to infect the PC and then attempts to spread to other PCs from there.
SYMBOS_CARDTRP.A drops the following 4 files into the E: directory (commonly utilized by the memory card):
- fsb.exe, detected by Trend Micro as BKDR_BERBEW.Q, attempts to compromise machines and steal password information
- buburuz.ICO, which masquerades as the icon file for the memory card
- autorun.inf, which attempts to automatically execute fsb.exe
- SYSTEM.exe, detected by Trend Micro as WORM_WUKILL.B
When the memory card is inserted into a Windows computer, the file autorun.inf will attempt to execute fsb.exe. Also, though the file SYSTEM.exe does not contain an automatic startup routine, it has the appearance of a legitimate folder icon in an attempt to lure users into executing it.
If successfully executed, the malware then launches WORM_WUKILL.B, which attempts to spread the infection to other PCs.
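As a defender-side illustration of the card layout described above, the following added example (not Trend Micro's code) inspects the root of a mounted memory card, lists any of the four file names from this advisory, and reports which program autorun.inf would start. The function names are hypothetical, and the sample autorun.inf text and placeholder files are constructed, since the advisory does not reproduce the file's contents.

```python
import configparser
import tempfile
from pathlib import Path

# File names the advisory lists as dropped in the card root, lower-cased.
DROPPED = {"fsb.exe", "buburuz.ico", "autorun.inf", "system.exe"}
LAUNCH_KEYS = ("open", "shellexecute")  # autorun.inf keys that start a program

def autorun_targets(root):
    """Return the launch and icon entries of <root>/autorun.inf, or {} if absent."""
    inf = next((p for p in Path(root).iterdir()
                if p.is_file() and p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return {}
    cp = configparser.RawConfigParser(strict=False)  # option names come back lower-cased
    try:
        cp.read_string(inf.read_text(errors="replace"))
    except configparser.Error:
        return {"parse_error": inf.name}  # malformed file: report it, do not guess
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: v.strip() for k, v in cp.items(section)
                    if k in LAUNCH_KEYS + ("icon",)}
    return {}

def scan_volume(root):
    """Report advisory file names in the root and what autorun.inf would start."""
    names = {p.name.lower() for p in Path(root).iterdir() if p.is_file()}
    targets = autorun_targets(root)
    launches = [v.split()[0] for k, v in targets.items()
                if k in LAUNCH_KEYS and v.split()]
    return {
        "known_names": sorted(names & DROPPED),
        "autorun": targets,
        # executables present in the root that would run on card insertion
        "auto_launched": sorted(t for t in launches if t.lower() in names),
    }

def demo():
    """Scan a constructed card layout (placeholder bytes, assumed autorun.inf text)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ("fsb.exe", "buburuz.ICO", "SYSTEM.exe", "photo.jpg"):
            (root / name).write_bytes(b"placeholder")
        (root / "autorun.inf").write_text("[autorun]\nopen=fsb.exe\nicon=buburuz.ICO\n")
        return scan_volume(root)

if __name__ == "__main__":
    print(demo())
```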
While the potential for infection from SYMBOS_CARDTRP.A is still low at this stage, Raimund Genes, President of Trend Micro European Operations, advises that it is prudent for all users to remain vigilant. “This attack is really a proof of concept and may be an indication of a new type of blended threat to come,” Genes said. “As mobile threats continue to evolve, it’s likely that we will see further attacks similar to this, but utilizing more robust propagation techniques and therefore carrying a higher potential for infection.”
Security experts at Trend Micro recommend that users take the following measures to protect against this and other attacks:
- Do not accept any unsolicited application or SMS from anybody you don’t know, particularly if the item was unexpected.
- Only download applications from trusted sites. Even when the site is trusted, verify that the application you are downloading is what you are expecting.
To download a free trial module to protect against this threat, visit www.trendmicro.com/mobilesecurity.