Worm:SymbOS/HatiHati.A

Classification

Malware

Worm

SymbOS

HatiHati.A

Summary

HatiHati is an alias for a legitimate anti-theft application which suffers from two bugs in the 0.95 beta version of its code, causing worm-like behavior on devices running Symbian Series 60 Second Edition and older. An unauthorized, repackaged version of this flawed version also exists.

Disinfecting using F-Secure Mobile Security

  • Download F-Secure Mobile Security and activate it
  • Scan the phone and remove any components of the malware
  • Reboot the phone to remove memory resident components

Disinfection for cases when phone cannot start up

CAUTION This method will remove all data on the device, including calendar and phone numbers.

  • Power off the phone
  • Hold the following three buttons down - "answer call" + "*" + "3"
  • Keep holding down the buttons and power on the phone
  • Depending on the model, you will either get a text message that reads "formatting" or a start-up dialog that asks for the initial phone settings
  • Your phone is now formatted and can be used again

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

For more Support

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The anti-theft application was originally designed to send an SMS alert when it detects a change in the device's SIM card. If the device's MMC card is transferred to a new device however, the first bug in the code causes the application to copy itself onto the new device.

Once installed on the new device, the application considers the SIM card to be changed; the second bug then causes it to send a large number SMS messages to a predefined number, usually +3396003964. This may result in significant financial costs.

Detection of the 0.95 beta version of HatiHati was added to F-Secure Mobile Anti-Virus at the request of the original software author.