
F-Secure Malware Information Pages: Onehop.A


Name : Onehop.A
Alias:SymbOS/Onehop.A
Type:Virus
Category:Malware
Platform:Win32
Origin:Syria

Summary


Onehop.A is a Symbian SIS file trojan that causes the device to
reboot when the user tries to use system applications, and sends copies
of the SymbOS/Bootton.A trojan to the first device it finds over Bluetooth.
 
In its structure Onehop.A is quite similar to the Skulls family of
trojans, with the exception that instead of replacing system
files with corrupted binaries, Onehop.A uses an application
that causes the device to reboot.

Thus if a device is infected with Onehop.A, pressing the menu button
or any system application button causes the device to reboot immediately.

Onehop.A disables most critical system functions and third-party
file managers, so even if the device did not immediately reboot,
it would still be unusable until it is disinfected.

In addition to disabling applications on the phone, Onehop.A uses a modified
version of Cabir as the distribution component for SymbOS/Bootton.A, so the first
phone found over Bluetooth receives Bootton.A if its user accepts the
connection. The modified Cabir that Onehop.A installs on the device
is incapable of spreading itself, so it is detected as a component of Onehop.A, not as
separate malware.

Like Skulls.A, Onehop.A replaces the application icons with its own
icon; this time the icon is a heart with the text "I-Love-U".



If Onehop.A is installed, only making calls from the phone and answering
calls still work. All functions that need a system application,
such as SMS and MMS messaging, web browsing and the camera, no longer function.

The trojan contains this message:
 
  Saying HELLO From Here (SYRIA)
  TO All The WORLD !!!
 
  I Wish U N-Joy UR
  Damaged Device ..
 
  U Know, Not all may Read These Words But,
  No Problem Bcuz Some will, But even This, Thats The Way I Love U All ...
 
  ;-)

 
  Regards,
  ThNdRbRd

And this hidden image:




Disinfection

Disinfection with two Series 60 phones

Download the F-Skulls tool from ftp://ftp.f-secure.com/anti-virus/tools/f-skulls.zip or directly with the phone from http://www.europe.f-secure.com/tools/f-skulls.sis

1. Install F-Skulls.sis onto the infected phone's memory card using a clean phone

2. Put the memory card with F-Skulls into the infected phone

3. Start up the infected phone; the application menu should work now

4. Press the menu button until you get the Symbian process menu, and look for any applications with a heart icon. Kill those application processes with the 'C' button.

5. Go to the application manager and uninstall the SIS file with which Onehop.A was installed

6. Download F-Secure Mobile Anti-Virus from http://phoneav.com and activate the Anti-Virus

7. Scan the phone and remove any remaining components of Onehop.A

8. Remove F-Skulls with the application manager, as the phone is now cleaned

Detailed Description

Installation to system

Onehop.A is a SIS file that installs a small component that resets the device when executed; this component is installed into locations where it replaces system and third-party applications.

Onehop.A also installs a modified Cabir that it uses to spread SymbOS/Bootton.A. The modified Cabir is not started automatically at installation, but it will start when the device boots.

Spreading in

PhotoID.v3.06_NEW_7610_3230_6630_SMPDA.sis

Payload

Replaces built-in and third-party applications with a component that causes the device to reboot when executed.

Uses a modified Cabir to spread SymbOS/Bootton.A. The Cabir that Onehop.A uses is modified so that, instead of sending a copy of itself that it generates at
startup, it loads the SIS file installed by Onehop.A into the location where Cabir expects to find its own SIS file and starts sending that.

Thus instead of sending copies of itself, the modified Cabir sends copies of SymbOS/Bootton.A. The modified Cabir that Onehop.A uses is based on Cabir.B and contains the same replication bug as Cabir.B, and is thus capable of sending SymbOS/Bootton.A only to the first phone it finds after a reboot.
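As an added illustration (not F-Secure's own scanner or detection logic), the following Python triage script checks a SIS file against the indicators this description gives for Onehop.A: the embedded message text, the "I-Love-U" icon text, the author tag "ThNdRbRd", and the distribution file name listed under "Spreading in". Symbian text is frequently stored as UCS-2/UTF-16LE, so each string is searched in both ASCII and UTF-16LE form; the sample blob and the verdict thresholds are constructed for the example.

```python
from typing import Dict, Iterator, Tuple

# String indicators quoted in the description above. The scanner itself is an added
# example, not F-Secure's tooling; thresholds below are a constructed triage policy.
ONEHOP_STRINGS = {
    "greeting": "Saying HELLO From Here (SYRIA)",
    "icon_text": "I-Love-U",
    "author_tag": "ThNdRbRd",
}
# File name the trojan was distributed as (from the "Spreading in" section).
DISTRIBUTION_NAME = "PhotoID.v3.06_NEW_7610_3230_6630_SMPDA.sis"


def _encodings(text: str) -> Iterator[Tuple[str, bytes]]:
    # Symbian resources often hold UCS-2 text, so search ASCII and UTF-16LE forms.
    # bytes.lower() only touches ASCII letters, so the NUL bytes of UTF-16LE survive.
    yield "ascii", text.encode("ascii").lower()
    yield "utf16", text.encode("utf-16-le").lower()


def scan_bytes(data: bytes) -> Dict[str, int]:
    """Return {indicator_name: offset} for each indicator found, case-insensitively."""
    haystack = data.lower()
    hits: Dict[str, int] = {}
    for name, text in ONEHOP_STRINGS.items():
        for _enc, needle in _encodings(text):
            off = haystack.find(needle)
            if off != -1:
                hits[name] = off
                break  # first encoding that matches is enough
    return hits


def classify(filename: str, data: bytes) -> str:
    """Constructed verdict policy: 'onehop' for two or more string hits, 'suspicious'
    for a single hit or the known distribution file name, otherwise 'clean'."""
    hits = scan_bytes(data)
    if len(hits) >= 2:
        return "onehop"
    if hits or filename.lower() == DISTRIBUTION_NAME.lower():
        return "suspicious"
    return "clean"


# Constructed sample blob: dummy header, one ASCII indicator (mixed case), then the
# icon text encoded as UTF-16LE, then filler. Not a real SIS file.
SAMPLE_SIS = (
    b"\x00" * 16
    + b"\x01\x02 saying hello from here (syria) \x03"
    + "I-Love-U".encode("utf-16-le")
    + b"\xff" * 8
)

if __name__ == "__main__":
    print(scan_bytes(SAMPLE_SIS))
    print(classify(DISTRIBUTION_NAME, SAMPLE_SIS))
```

A single string hit is deliberately reported as "suspicious" rather than "onehop": the message text is the kind of indicator a later variant could drop or alter, so the script is a quick triage aid to decide which files get a full scan with the anti-virus product, not a replacement for it.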



F-Secure Corporation

Last Modified: January 01, 2006