F-Secure
Tools
Mobler
Summary
Mobler is a worm that attempts to copy itself to all available writable media (floppy, USB memory, different folders on fixed drives). It also disables certain Windows features and can perform a DoS (Denial of Service) attack.
Additional Details
Installation to the System
After being run, the worm hides the Windows folder (sets a hidden attribute to it) and starts copying itself to different folders on local hard drives, and also to writable media with many different names. The names of the dropped copies of the worm can be "borrowed" from existing files and folders (e.g. windows.exe, system.exe) and can include a user name of an infected computer (e.g. Administrator documents.exe). The worm can also create a copy of itself with the name of Black_Symbian.SIS + Cracked By .exe.
The worm drops several files into the Windows System folder:
In the same folder, the worm creates an archive with the name Black_Symbian.SIS where it stores its executable file together with several additional files. Additionally, the worm creates a file named Black_Symbian.PKG where it lists the contents of the archive.
When active, the worm tries to constantly infect different devices with itself. For example, it constantly tries to copy itself to a floppy diskette and if the floppy drive is empty, it starts to produce constant noise because it is accessed too frequently. (Making for a strange type of sound from the computer.)
Payload
The worm disables Task Manager, Registry tools, viewing of folder options, and disables search. It also does not allow for the start of certain applications and for the running of files from the Start > Run submenu.
Mobler can perform a DoS (Denial of Service) attack on a website named: www.bsi.ac.id.
After being run, the worm hides the Windows folder (sets a hidden attribute to it) and starts copying itself to different folders on local hard drives, and also to writable media with many different names. The names of the dropped copies of the worm can be "borrowed" from existing files and folders (e.g. windows.exe, system.exe) and can include a user name of an infected computer (e.g. Administrator documents.exe). The worm can also create a copy of itself with the name of Black_Symbian.SIS + Cracked By .exe.
The worm drops several files into the Windows System folder:
- autorun.inf - an autostarter file pointing to system.exe file
- black.app - a text file
- black.html - an HTML file with a short message from the virus writer
- black.ico - an icon file
- black.jpg - an image file
- black.txt - a text file
- makesis.exe - a SIS archiver
- system.exe - a copy of the worm
In the same folder, the worm creates an archive with the name Black_Symbian.SIS where it stores its executable file together with several additional files. Additionally, the worm creates a file named Black_Symbian.PKG where it lists the contents of the archive.
When active, the worm tries to constantly infect different devices with itself. For example, it constantly tries to copy itself to a floppy diskette and if the floppy drive is empty, it starts to produce constant noise because it is accessed too frequently. (Making for a strange type of sound from the computer.)
Payload
The worm disables Task Manager, Registry tools, viewing of folder options, and disables search. It also does not allow for the start of certain applications and for the running of files from the Start > Run submenu.
Mobler can perform a DoS (Denial of Service) attack on a website named: www.bsi.ac.id.
Detection
F-Secure Anti-Virus detects this malware with the following updates:
[FSAV_Database_Version]
Version = 2006-08-29_01.