F-Secure Trojan Information Pages : Pbstealer.E


Name: Pbstealer.E
Category: Trojan
Platform: SymbOS
Date of Discovery: January 26, 2005

Summary

SymbOS/Pbstealer.E is a trojan application that runs on the Symbian Series 60 platform. Pbstealer.E pretends to be utility software that compacts the phone's contacts database. Instead of compacting anything, Pbstealer.E reads the contacts database and sends its contents as a text file to the first Bluetooth device it finds.

Pbstealer.E is a very close variant of PBStealer.D.

Pbstealer.E is a trojan and does not spread by itself; to be infected, the user has to install a SIS package that contains Pbstealer.E. Although Pbstealer.E uses Bluetooth to send the phone book data, this data is plain text and cannot infect the receiving device.

Disinfection

F-Secure Mobile Anti-Virus is capable of detecting and deleting the Pbstealer.E trojan. Pbstealer.E tries to remove itself after sending data over Bluetooth. This self-removal doesn't always work, so it can also be removed by uninstalling it with the Symbian application manager.




Detailed Description

Installation
Pbstealer.E spreads in a SIS file. The SIS file contains the Pbstealer.E application file and a string resource. When the SIS file is installed, Pbstealer.E starts automatically.

Payload
When started, Pbstealer.E shows the text:

Compacting your contact(s), step2

Please wait again

until done...

While showing the text, Pbstealer.E reads all contact information in the phone's contacts database and copies it to the file C:\SYSTEM\MAIL\PHONEBOOK.TXT. In addition to the contact information, Pbstealer.E also copies the contents of the Notepad and Calendar ToDo database files, but this information is not very readable to the receiver, as the resulting file contains the databases in binary form. If the Notepad and Calendar are empty, it simply fails in execution.

After building the text file, Pbstealer.E searches for Bluetooth devices and sends the text file to the first one it finds. When trying to send the file over Bluetooth, Pbstealer.E uses repeated connection attempts, so that if the user answers no, he will immediately get a second connection request. This technique is similar to the tactic used by Cabir, except that Pbstealer will give up after one minute and exit. If the user of the target phone accepts the Bluetooth transfer, he will receive a text file that contains information copied from the infected phone's contacts database.
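
The retry behaviour described above can be recognised from the receiving side. The following added example (not F-Secure's code) scans a log of incoming Bluetooth transfer prompts for a sender that asks again right after each refusal; the log format, the 10-second retry gap and the three-retry threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log from a receiving phone (hypothetical format):
# ISO timestamp, sender Bluetooth address, user's answer to the transfer prompt.
SAMPLE_LOG = """\
2006-02-07T10:00:00 00:11:22:33:44:55 REJECTED
2006-02-07T10:00:02 00:11:22:33:44:55 REJECTED
2006-02-07T10:00:05 00:11:22:33:44:55 REJECTED
2006-02-07T10:00:07 00:11:22:33:44:55 REJECTED
2006-02-07T10:00:09 00:11:22:33:44:55 ACCEPTED
2006-02-07T10:05:00 AA:BB:CC:DD:EE:FF REJECTED
2006-02-07T10:20:00 AA:BB:CC:DD:EE:FF ACCEPTED
"""

RETRY_GAP = timedelta(seconds=10)  # assumption: a re-prompt this soon after a "no" is a retry
MIN_RETRIES = 3                    # assumption: retries in a row needed before flagging


def parse(log):
    """Yield (timestamp, sender, answer), skipping lines without exactly three fields."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield datetime.fromisoformat(parts[0]), parts[1].upper(), parts[2].upper()


def find_retry_bursts(log, retry_gap=RETRY_GAP, min_retries=MIN_RETRIES):
    """Flag senders that re-prompt right after each refusal, as the write-up describes."""
    by_sender = defaultdict(list)
    for ts, sender, answer in sorted(parse(log)):
        by_sender[sender].append((ts, answer))
    flagged = {}
    for sender, events in by_sender.items():
        run_start, retries = events[0][0], 0
        for (prev_ts, prev_answer), (ts, answer) in zip(events, events[1:]):
            if prev_answer == "REJECTED" and ts - prev_ts <= retry_gap:
                retries += 1
            else:  # chain broken: start a new run at this event
                run_start, retries = ts, 0
            if retries >= min_retries and retries > flagged.get(sender, {}).get("retries", 0):
                flagged[sender] = {
                    "retries": retries,
                    "seconds": (ts - run_start).total_seconds(),
                    "accepted": answer == "ACCEPTED",  # the user eventually said yes
                }
    return flagged


if __name__ == "__main__":
    for sender, info in find_retry_bursts(SAMPLE_LOG).items():
        print(sender, info)
```

Because the write-up says Pbstealer gives up after one minute, a burst attributed to it should report a `seconds` value under 60; an `accepted` value of true means the recipient ended up with the phone book text file.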




Detection

F-Secure Mobile Anti-Virus for Symbian detects this malware starting from the update build number 64.




Write-up: Mika Tolvanen

Technical Details: Mika Tolvanen, February 7, 2006

F-Secure Corporation