Skulls is a malicious SIS file trojan that replaces the system
applications with non-functional versions, so that everything except
the phone functionality is disabled.
The Skulls SIS file is named "Extended theme.SIS". It claims to
be a theme manager for the Nokia 7610 smartphone, written by "Tee-222".
If Skulls is installed, it causes all application icons to be
replaced with a picture of a skull and crossbones. The icons
no longer refer to the actual applications, so none of the
phone's system applications are able to start.
This basically means that if Skulls is installed, only making calls
from the phone and answering calls work. All functions that need
a system application, such as SMS and MMS messaging, web browsing
and the camera, no longer function.
If you have installed Skulls, the most important thing is not to
reboot the phone, and to follow the disinfection instructions in this
description.
Skulls.A and the other Skulls trojans are targeted against Symbian
Series 60 devices, but can also affect other Symbian devices, for
example the Nokia 9500, which is a Series 80 device. However, when trying
to install a Skulls trojan on a Nokia 9500, the user gets a warning that the
SIS file is not intended for the device, so the risk of accidental infection
is low.
1. Using a clean phone, install F-Skulls.sis onto the infected phone's memory card
2. Put the memory card with F-Skulls into the infected phone
3. Start up the infected phone; the application menu should work now
4. Go to the application manager and uninstall the SIS file with which you installed the Skulls variant
5. Download and install F-Secure Mobile Anti-Virus to remove any Cabirs dropped by the Skulls variant
http://www.f-secure.com/wireless/download/
or with the phone's web browser
http://mobile.f-secure.com
6. Remove F-Skulls with the application manager, as the phone is now cleaned
If you have a file manager on the phone that still works
This disinfection method works on a single phone if you have a
working third-party file manager on the phone.
1. Go to c:\System\apps\appinst and delete
c:\System\apps\appinst
c:\System\apps\menu
c:\System\apps\mce
2. Open the applications menu
3. Look for the web browser; its icon should still be normal
4. Download F-Secure Mobile Anti-Virus for your device
http://www.f-secure.com/wireless/download/
or with the mobile itself
http://mobile.f-secure.com
5. Install F-Secure Mobile Anti-Virus
6. Start F-Secure Mobile Anti-Virus
7. Scan your device to remove the files used to block critical system applications
8. Go to the application manager
9. Uninstall "Extended theme.sis"
Installation to system
The Skulls SIS file does not contain any malicious code as such. It is
just a Symbian installation file that installs critical system ROM
binaries onto the C: drive with exactly the same names and locations as
on the ROM drive.
The Symbian operating system has a feature which causes any file on the
C: drive to replace the file on the ROM drive with an identical name and location.
The application files installed by Skulls are normal Symbian OS files
extracted from the phone ROM. However, due to this feature in Symbian OS,
copying them into the corresponding locations on the device's C: drive causes
critical system applications to fail to function.
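The override behaviour described above can be checked from two file listings. The following is an added example, not F-Secure code: it reports files on C: whose name and location match a ROM file, grouped by application directory. It assumes the ROM drive is mounted as Z: and that paths compare case-insensitively; the sample listings and file names are constructed.

```python
# Added example (not F-Secure code): find files on C: that shadow ROM files.
# Assumptions: the ROM drive is mounted as Z:, paths are case-insensitive.


def relative_key(path):
    """Return (drive letter, drive-relative path) normalised for comparison."""
    drive, _, rest = path.partition(":")
    return drive.strip().upper(), rest.replace("/", "\\").lower()


def find_shadowing(c_files, rom_files):
    """Return C: paths whose name and location match a file in ROM."""
    rom_keys = {rel for drv, rel in map(relative_key, rom_files) if drv == "Z"}
    return [p for p in c_files
            if relative_key(p)[0] == "C" and relative_key(p)[1] in rom_keys]


def shadowed_apps(c_files, rom_files, root="\\system\\apps\\"):
    """Group shadowing files by application directory under \\System\\Apps."""
    apps = {}
    for path in find_shadowing(c_files, rom_files):
        rel = relative_key(path)[1]
        if rel.startswith(root):
            app = rel[len(root):].split("\\", 1)[0]
            apps.setdefault(app, []).append(path)
    return apps


# Constructed sample listings; file names are illustrative, not from a device.
ROM_SAMPLE = [
    r"Z:\System\Apps\Menu\Menu.app",
    r"Z:\System\Apps\AppInst\AppInst.app",
    r"Z:\System\Apps\Mce\Mce.app",
    r"Z:\System\Apps\Camera\Camera.app",
]
C_SAMPLE = [
    r"C:\System\Apps\Menu\Menu.app",
    r"C:\system\apps\appinst\Appinst.app",   # differs from ROM only in case
    r"C:\System\Apps\Mce\Mce.app",
    r"C:\System\Apps\FileMan\FileMan.app",   # no ROM counterpart, not flagged
    r"C:\Nokia\Images\photo.jpg",
]

if __name__ == "__main__":
    for app, paths in sorted(shadowed_apps(C_SAMPLE, ROM_SAMPLE).items()):
        print(f"{app}: ROM copy overridden by {', '.join(paths)}")
```

A legitimate update can also place a newer copy of a ROM file on C:, so a match is a reason to inspect the file rather than proof of infection.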
Spreading in
Extended theme.sis
Payload
Replaces built-in applications with non-functional ones.
Detection for this malware was published on November 19th, 2004
in the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-11-19_04
Detection for F-Secure Anti-Virus for Symbian Series 60 was
published on November 19th, 2004 in database build number 11.
If you have not enabled automatic updates on your antivirus
or used any data connections lately, you can make sure you have the
latest updates by selecting "Update Anti-Virus" from the Options menu.