Threat Description

Trojan:​SymbOS/Skulls.A

Details

Aliases: Trojan:​SymbOS/Skulls.A, Trojan:​SymbOS/Skulls.A, SymbOS/Skulls
Category: Malware
Type: Trojan
Platform: SymbOS

Summary



A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.



Removal



Disinfection with two Series 60 phones

Download F-Skulls tool from ftp://ftp.f-secure.com/anti-virus/tools/f-skulls.zip or directly with phone http://www.europe.f-secure.com/tools/f-skulls.sis

  • 1. Install F-Skulls.sis into infected phones memory card with a clean phone
  • 2. Put the memory card with F-Skulls into infected phone
  • 3. Start up the infected phone, the application menu should work now
  • 4. Go to application manager and uninstall the SIS file in which you installed the skulls variant
  • 5. Download and install F-Secure Mobile Anti-Virus (http://mobile.f-secure.com) to remove any Cabirs dropped by the Skulls variant
  • 6. Remove the F-Skulls with application manager as the phone is now cleaned

If you have a file manager on the phone that still works

This disinfection method works on a single phone if you have a working third party file manager on the phone.

  • 1. Go to c:\System\apps\appinst and delete:
    • c:\System\apps\appinst
    • c:\System\apps\menu
    • c:\System\apps\mce
  • 2. Open the applications menu
  • 3. Look for web browser, it's icon should still be normal
  • 4. Download F-Secure Mobile Anti-Virus (http://mobile.f-secure.com) for your device
  • 5. Install F-Secure Mobile Anti-Virus
  • 6. Start F-Secure mobile Anti-Virus
  • 7. Scan your device to remove files used to block critical system applications
  • 8. Go to application manager
  • 9. Uninstall "Extended theme.sis"


Technical Details



Trojan:SymbOS/Skulls is distributed in a malicious SIS file named "Extended theme.SIS", allegedly a theme manager for Nokia 7610 smart phone (authored by "Tee-222").

Skulls.A and other Skulls trojans are targeted against Symbian Series 60 devices, but can also affect other Symbian devices, for example Nokia 9500, which is a Series 80 device. However when trying to install Skulls trojan on Nokia 9500, the user will get a warning that the SIS file is not intended for the device, so risk of accidental infection is low.

On installation, the trojan will replace the system applications with non-functional versions, so that all but the phone functionality will be disabled. It will also cause all application icons to be replaced with picture of skull and cross bones; the icons don't refer to the actual applications anymore so none of the phone's normal applications will be able to start.

This basically means that if Skulls is installed, only calling from the phone and answering calls works. All functions which need some system application, such as SMS and MMS messaging, web browsing and camera no longer function.

If you have installed Skulls, the most important thing is:

do not to reboot the phone; follow the disinfection instructions in this description.

Installation

Skulls SIS file does not contain any malicious code as such, it is just a Symbian Installation file that installs critical System ROM binaries into C: drive in with exact same names and locations as in the ROM drive.

Symbian operating system has a feature which causes any file that is in C: drive replace file in ROM drive with identical name and location.

The application files installed by Skulls are normal Symbian OS files extracted from the phone ROM. However due to feature in Symbian OS, copying them into correct locations in the device C: drive, causes critical system applications fail to function.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Keep your mobile device protected

F-Secure Mobile Security will keep your mobile device protected on the go and enable you to find it in case you lose it

Learn More