Threat Descriptions

Trojan:SymbOS/Kiazha

Classification

Category :

Malware

Type :

Trojan

Platform :

SymbOS

Aliases :

Trojan:SymbOS/Kiazha

Summary

Kiazha is a trojan that operates on Symbian Series 60 2nd Edition devices.

Trojan:SymbOS/Kiazha is a trojan that attempts to ransom money from the user of the device.

It is distributed as a component of Trojan:SymbOS/MultiDropper.A.

Removal

Disinfecting using F-Secure Mobile Security

  • Download F-Secure Mobile Security and activate it
  • Scan the phone and remove any components of the malware
  • Reboot the phone to remove memory resident components

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The following details describe variant Kiazha.A.

Infection

Trojan:SymbOS/Kiazha.A is a Trojan that is dropped onto compromised devices by Trojan:SymbOS/Multidropper.A.

When the trojan is installed, it creates the following files:

  • %DriveLetter%\system\data\appmab.cfg
  • %DriveLetter%\system\data\appman.exe
  • %DriveLetter%\system\data\zn1314.db
  • %DriveLetter%\system\name\name.dat
  • %DriveLetter%\system\Programs\Netqin.exe
  • %DriveLetter%\system\recogs\appmae.mdl
  • %DriveLetter%\system\recogs\Netqins.mdl
  • %DriveLetter%\system\zn1314\sq.exe

Payload

  • Sends an SMS without user permission to the number 17001002.The message will register a new QQ instant messaging account for the user.
  • Forwards SMS messages to the number defined in a data file (appmab.cgf).Messages contain information (Symbian OS version & IMEI etc.) stored in file (name.dat)
  • Deletes any sent or received SMS messages.
  • Displays the offer to fix the user's phone for a small fee.(Warning your handset is infected. Please prepare 50 juan and then contact QQ number QQ766566889)