Skulls.AG is a malicious SIS file trojan that will replace the system applications with non-functional versions, so that all but the phone functionality will be disabled. If Skulls is installed it will cause all application icons to be replaced with pictures of skulls, and the icons don't refer to the actual applications any more so none of the Phone System applications will be able to start.
Disinfection with two Series 60 phones
Use F-Skulls to allow for installation of F-Secure Mobile Anti-Virus
Install F-Secure Mobile Anti-Virus
- Install F-Skulls.sis onto the infected phone's memory card with a clean phone
- Put the memory card with the F-Skulls tool into the infected phone
- Start up the infected phone and the application installer should now work
- Go to the application manager and uninstall the SIS file in which you installed the malware
- Download F-Secure Mobile Anti-Virus and activate it
- Scan the phone and remove any remaining components of the malware
- Remove the F-Skulls tool with the application manager as the phone should now be clean
Disinfection for the cases when phone cannot start up
CAUTION! this method will remove all data on the device including calendar and phone numbers:
- Power off the phone
- Hold the following three buttons down - "answer call" + "*" + "3"
- Keep holding down the buttons and power on the phone
- Depending on the model, you will either get text that reads "formatting" or a start-up dialog that asks for the initial phone settings
- Your phone is now formatted and can be used again
Prevent future infections with F-Secure Mobile Anti-Virus
Installation to System
Skulls.AG is a SIS file that installs critical System ROM binaries onto the C: drive. The System ROM files are installed with exactly the same names and locations as in the ROM drive.
The Symbian operating system has a feature which causes any file that is in the C: drive to replace the file in the ROM drive with an identical name and location.
Replaces built in applications with non-functional ones and installs Cabir.B and Cabir.I worms, Blankfont.A trojan and Flexispy.A spying application. Flexispy.A is an application that monitors, records, and reports individual phone usage to a third party. The identity of the third party receiving the Flexispy.A data collected is unknown, however the user account number for the spying application is the same as used in Appdisabler.S.
F-Secure Mobile Anti-Virus for Symbian detects this malware starting from the update build number 9.