NEWS FROM THE LAB - Tuesday, March 22, 2005

Three new Symbian trojans in one day
Posted by Jarno @ 13:52 GMT

Today we added descriptions for three new Symbian trojans found late Monday: Drever.B, Drever.C and Skulls.F.

Drever.B is a simplified version of Drever.A that attacks only Simworks Anti-Virus. It is likely that Drever.B is actually an earlier case than Drever.A, but was found only later.

Skulls.F is still under analysis. It is detected by the generic detection from December 15th 2004, so it's a minor case.

Drever.C is an interesting case because, in addition to attacking the Kaspersky and Simworks Symbian Anti-Viruses, it also attacks F-Secure Mobile Anti-Virus.

Drever.C tries to damage the bootloader and application binaries of F-Secure Mobile Anti-Virus. However, F-Secure Mobile Anti-Virus has protection against any attempts to modify its files, so the attack will not succeed.

If the Drever.C SIS file is installed on a Symbian device with F-Secure Mobile Anti-Virus running in Real-Time scan mode, as it is by default, the installation will terminate when the system installer tries to replace the Anti-Virus files.

The hex-edited files that Drever.C tries to use to damage F-Secure Mobile Anti-Virus contain a message intended for us.

Please, don't make new antiviruses for my viruses and I stop make
viruses for your antiviruses. My target is Simworks!

Thanks for the warning, but I don't think we are stopping any time soon.