Classification

Category: Malware

Type: -

Aliases: Mquito, SymbOS/Mquito, Trojan.Mquito, SymbOS/QDial26

Summary

Trojan.Mquito is a cracked version of a game that runs on Symbian Series 60 devices. The game contains functionality that sends an SMS message to a certain number each time the game is started.

Removal

Disinfection with Anti-Virus for Symbian OS

F-Secure Anti-Virus for Symbian Series 60 detects the game binary and prevents it from executing. You can delete the game file by instructing Anti-Virus to delete detected files.

Uninstall the game with Symbian Application manager


Technical Details

Trojan.Mquito is not a trojanized version of the game; the hidden SMS functionality was put in the game from the beginning by the original manufacturer.

This functionality was supposed to be some kind of a copy-protecting technique, but it didn't work right and the whole functionality backfired.

According to the manufacturer, the premium rate contract for the receiving phone numbers has been terminated, so although old versions of the game still send hidden SMS messages, it only costs the nominal fee of sending the message itself.

Current versions of this game no longer have this hidden functionality, but "cracked" versions of Mosquitos still circulate on P2P networks, and they still send these messages.

The SMS-sending version of the game can still be identified by the message it shows when the game starts.

The original version displays the following text, which varies a bit depending on the region:

UK VERSION This version is for the UK market only and does not work
 outside the United Kingdom. Pirate copies are illegal and offenders
 will be prosecuted.

The trojan version displays the following modified text:

FREE VERSION This version has been cracked by SODDOM BIN LOADER
 No rights reserved. Pirate copies are illegal and offenders will
 have lotz of phun!!!

The message was changed by modifying strings inside the game binary. The difference in the messages is the only difference between the cracked and original versions that we have been able to determine.
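As an added example (not F-Secure's detection logic and not code from this page), the following Python script checks an already-extracted game file for the two banners quoted above. That the banner is stored as plain ASCII or UTF-16LE text, the function names, and the sample bytes are all assumptions made for illustration.

```python
import re
import sys

# Banner phrases quoted in the description above. The original notice varies by
# region; only the UK wording shown on this page is listed here.
PHRASES = {
    "cracked": ["This version has been cracked by SODDOM BIN LOADER",
                "have lotz of phun"],
    "original": ["Pirate copies are illegal and offenders will be prosecuted"],
}

def _regex(phrase, utf16):
    """Bytes regex for phrase; any run of whitespace may separate the words."""
    enc = "utf-16-le" if utf16 else "ascii"
    gap = rb"(?:[ \t\r\n]\x00)+" if utf16 else rb"[ \t\r\n]+"
    return re.compile(gap.join(re.escape(w.encode(enc)) for w in phrase.split()))

def classify(data):
    """Return a verdict plus (phrase, encoding, offset) for every banner hit."""
    hits = {label: [] for label in PHRASES}
    for label, phrases in PHRASES.items():
        for phrase in phrases:
            for utf16 in (False, True):
                m = _regex(phrase, utf16).search(data)
                if m:
                    enc = "utf-16-le" if utf16 else "ascii"
                    hits[label].append((phrase, enc, m.start()))
    if hits["cracked"]:
        verdict = "cracked-banner"
    elif hits["original"]:
        verdict = "original-banner"
    else:
        verdict = "no-banner"
    return {"verdict": verdict, "hits": hits}

# Constructed sample: the cracked banner as UTF-16LE text, wrapped as on the
# page, surrounded by filler bytes. It is not taken from a real binary.
SAMPLE_CRACKED = b"\x7fHDR\x00" + (
    "FREE VERSION This version has been cracked by SODDOM BIN LOADER\n"
    " No rights reserved. Pirate copies are illegal and offenders will\n"
    " have lotz of phun!!!").encode("utf-16-le") + b"\xff\xfe"

if __name__ == "__main__":
    # With a path argument the file is scanned; without one the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CRACKED
    result = classify(data)
    print(result["verdict"])
    for label, found in result["hits"].items():
        for phrase, enc, off in found:
            print(f"  {label}: {phrase!r} ({enc}) at offset {off:#x}")
```

A "no-banner" result only means neither quoted text was found in the bytes scanned; it says nothing about regional variants of the original notice or about files still packed inside a SIS package.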

Needless to say, the 'trojan' version of the game can be found only from pirated sources. Installing such a program is not recommended in the first place, as any copy that contains the SMS routine is an illegal copy.

Installation to system

The game is downloaded as a Symbian installation (SIS) package, from which the user has to install the game manually.

Spreading in

Mquito is distributed as a cracked version of the game Mosquitos in pirate channels, such as P2P file-sharing networks.

Payload

When Mquito is run, it shows a dialog containing the message from the cracker and sends an SMS message to a premium rate number. After sending the message, the game starts normally.

The SMS sending routine is built into the binary by the game developers, not inserted by crackers.

The message is sent only when the game starts, and the sending routine is not called again until Mquito is started a second time.