Wednesday, July 08, 2009

Transmitter.C Mobile Malware in the Wild

A currently spreading mobile malware known as Transmitter.C (sexySpace.sisx; MD5: 3e9b026a92583c77e7360cd2206fbfcd) has brandjacked a legitimate application in an attempt to infect the initial number of devices that would later disseminate it further by aggressively SMS-ing messages pointing to the web site hosting it: megac1jck .com (64.22.120.235), Email: weijiang198@hotmail.com.

Upon execution it drops the following files in an attempt to infect S60 3rd Edition devices:
"c_sys\bin\Installer_0x20026CA6.exe"-"c:\sys\bin\Installer_0x20026CA6.exe", FR, RI, RW
"c_sys\bin\AcsServer.exe"-"c:\sys\bin\AcsServer.exe", FR, RI
"c_private\101f875a\import\[20026CA5].rsc"-"c:\private\101f875a\import\[20026CA5].rsc"
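
The entries above follow the Symbian PKG file syntax ("source"-"target", then install options). As an added example, not code from the original post or from any vendor tool, the following Python parses such a listing, expands the option abbreviations (the table covers more than the three that appear here), and notes what each installed file implies for triage. The function names and sample text are constructed for illustration, and reading the 101f875a import directory as startup-list registration is an assumption based on Symbian OS 9 behaviour rather than on the post.

```python
import re

# Install-option abbreviations defined by the Symbian PKG file format.
OPTIONS = {"FR": "FILERUN", "RI": "RUNINSTALL", "RR": "RUNREMOVE",
           "RB": "RUNBOTH", "RW": "RUNWAITEND"}

# One entry: "source"-"target"[, option, ...]
ENTRY = re.compile(r'^"([^"]+)"\s*-\s*"([^"]+)"\s*(?:,\s*(.*))?$')
SYS_BIN = re.compile(r'^[a-z!]:\\sys\\bin\\[^\\]+\.exe$')
# Assumption (Symbian OS 9 behaviour, not stated in the post): a [UID].rsc
# in the software installer's import directory registers a boot-time start.
STARTUP = re.compile(r'^[a-z!]:\\private\\101f875a\\import\\\[[0-9a-f]{8}\]\.rsc$')

# Constructed sample: the three entries listed in the post.
SAMPLE = r'''
"c_sys\bin\Installer_0x20026CA6.exe"-"c:\sys\bin\Installer_0x20026CA6.exe", FR, RI, RW
"c_sys\bin\AcsServer.exe"-"c:\sys\bin\AcsServer.exe", FR, RI
"c_private\101f875a\import\[20026CA5].rsc"-"c:\private\101f875a\import\[20026CA5].rsc"
'''

def parse_entry(line):
    """Return (target, [expanded options]) or None if the line is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    raw = [o.strip().upper() for o in (m.group(3) or "").split(",")]
    return m.group(2), [OPTIONS.get(o, o) for o in raw if o]

def triage(target, options):
    """Name the behaviours an analyst should note for one installed file."""
    notes, path = [], target.lower()
    if SYS_BIN.match(path):
        notes.append("executable placed in \\sys\\bin")
    if {"FILERUN", "RUNINSTALL"} <= set(options):
        notes.append("executed during installation")
    if STARTUP.match(path):
        notes.append("startup-list registration")
    return notes

def analyse(text):
    """Parse every entry in a PKG listing and attach triage notes."""
    parsed = filter(None, map(parse_entry, text.splitlines()))
    return [(t, opts, triage(t, opts)) for t, opts in parsed]

if __name__ == "__main__":
    for target, opts, notes in analyse(SAMPLE):
        print(target, opts, notes)
```
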

What's sad is that, just like the majority of mobile malware incidents, this one is also digitally signed using a certificate issued by Symbian in the name of XinZhongLi Kemao Co. Ltd or vendor name "Play Boy".

The sample (Sexy Space or SYMBOS_YXES.B) has been distributed to vendors, and the ISP hosting it has been informed.

Related posts:
Proof of Concept Symbian Malware Courtesy of the Academic World
Commercializing Mobile Malware
Mobile Malware Scam iSexPlayer Wants Your Money
SMS Ransomware Source Code Now Offered for Sale
3rd SMS Ransomware Variant Offered for Sale

This post has been reproduced from Dancho Danchev's blog.
