Tools
Worm:SymbOS/HatiHati.A
Summary
Disinfection
Disinfecting using F-Secure Mobile Anti-Virus
- Download F-Secure Mobile Anti-Virus and activate it
- Scan the phone and remove any components of the malware
- Reboot the phone to remove memory resident components
Disinfection for the cases when phone cannot start up
CAUTION! this method will remove all data on the device including calendar and phone numbers:
- Power off the phone
- Hold the following three buttons down - "answer call" + "*" + "3"
- Keep holding down the buttons and power on the phone
- Depending on the model, you will either get a text message that reads "formatting" or a start-up dialog that asks for the initial phone settings
- Your phone is now formatted and can be used again
Additional Details
HatiHati is an alias for a legitimate anti-theft application which suffers from two bugs in the 0.95 beta version of its code, causing worm-like behavior on devices running Symbian Series 60 Second Edition and older. An unauthorized, repackaged version of this flawed version also exists.
The anti-theft application was originally designed to send an SMS alert when it detects a change in the device's SIM card. If the device's MMC card is transferred to a new device however, the first bug in the code causes the application to copy itself onto the new device.
Once installed on the new device, the application considers the SIM card to be changed; the second bug then causes it to send a large number SMS messages to a predefined number, usually +3396003964. This may result in significant financial costs.
Detection of the 0.95 beta version of HatiHati was added to F-Secure Mobile Anti-Virus at the request of the original software author.