F-Secure Malware Information Pages: Worm:SymbOS/HatiHati.A

Main Index

Security Guide

F-Secure World Map

Security Alerts

Virus Statistics

Malware Removal Tools

Malware Code Glossary

Submit Malware Sample

Select local site

Main Index » Security Centre » Descriptions

F-Secure Malware Information Pages: Worm:SymbOS/HatiHati.A

[Summary] \| [Disinfection] \| [Detailed Description]
Name :	Worm:SymbOS/HatiHati.A
Alias:	HatiHati.A
Type:	Worm
Category:	Malware
Platform:	SymbOS

Radar

Summary

HatiHati.A is a worm-like application that spreads via MMC cards.

Once the worm copies itself to a new device, it starts sending a very high volume of SMS messages to a predefined number.

In most instances, the number to which HatiHati.A is attempting to send is +3396003964.

Back to the Top

Disinfection

Disinfecting using F-Secure Mobile Anti-Virus

Download F-Secure Mobile Anti-Virus from http://f-secure.mobi
and activate the Anti-Virus
Scan the phone and remove any components of the malware
Reboot the phone to remove memory resident components

Disinfection for the cases when phone cannot start up
CAUTION! this method will remove all data on the device including calendar and phone numbers:

Power off the phone
Hold the following three buttons down - "answer call" + "*" + "3"
Keep holding down the buttons and power on the phone
Depending on the model, you will either get text that reads "formatting" or a start-up dialog that asks for the initial phone settings
Your phone is now formatted and can be used again

To prevent future infections, please download F-Secure Mobile Anti-Virus from here: http://f-secure.mobi.

Back to the Top

Detailed Description

Detection of HatiHati.A is based on commercial anti-theft software for Symbian Series60 phones. It was not authored with malicious intent. HatiHati is an alias.

The application's code, version 0.95 beta, suffers from two bugs that cause worm-like behavior. There also exists an unauthorized version of the beta that has been repackaged.

The anti-theft software sends an SMS alert when it detects a change in the installed phone's SIM card. Flaws in the code of version 0.95 cause the application to copy itself from an MMC card to any new phone in which the MMC card is inserted. Once installed on the new phone, the application considers the SIM card to be changed.

HatiHati.A then begins to send SMS alerts. The second bug in the code causes thousands of SMS alerts to be sent. This can result in a significant financial cost to the phone's owner.

Detection of HatiHati version 0.95 beta was added to F-Secure Mobile Anti-Virus at the request of the original software author.

HatiHati.A affects phones running Symbian S60 2nd Edition and older, which means that the most recent device affected is the Nokia N72.

If you are running F-Secure Mobile Anti-Virus and are notified of HatiHati.A detection, please make sure your anti-theft software is up to date. If you are using the unauthorized repacking of HatiHati.A, you should delete the application.

Back to the Top

F-Secure Corporation

Last Modified: December 05, 2007