New Cell Phone Malware Packs Double Punch

By Ryan Naraine  |  Posted 2005-01-11

Based on the Cabir source code, the newest Symbian malware is both a virus and worm, researchers warn.

Anti-virus researchers have issued warnings for yet another strain of malware affecting Symbian smart phone devices, the latest using a combination of tactics to spread.

Less than a month after the detection of the "Skulls" Trojan dropping copies of the Cabir virus on Symbian-based cell phones, another mutant has appeared that is both a virus and a worm, F-Secure warned in an advisory.

"[This one] combines two spreading tactics, which is common in PC malware but previously unheard of in mobile systems," the Helsinki, Finland-based F-Secure said.

The malware, named Lasco.A, spreads by searching for all SIS installation files on the infected device and inserting itself into them as an embedded SIS file.

Like the previously released Cabir, Lasco.A is a worm that runs on Symbian mobile phones that support the Series 60 platform. The two worms are based on the same source code and replicate over Bluetooth connections.

F-Secure said Lasco.A arrives in the phone's messaging inbox as a velasco.sis file that contains the worm. When a user installs the velasco.sis file, the worm activates and starts looking for new devices to infect over the Bluetooth protocol.

"When Lasco.A worm finds another Bluetooth device it will start sending infected SIS files to it, as long as the target phone is in range. Like Cabir.H, Lasco.A is capable of finding a new target, after the first one has gone out of range," the alert said.

Russian security research outfit Kaspersky Labs also issued an advisory for Lasco.A, warning that the file infection functionality should be taken seriously.

"Upon execution, the virus searches for nearby Bluetooth devices (those which are in discoverable mode) and tries to transmit itself to any accessible ones. It also initiates a drive-wide scan for SIS-files and tries to infect them by inserting virus code directly into an SIS archive," the Kaspersky Labs warning said.

The company said the worm appears to originate from the same author as the most recent versions of Cabir.

The source code for Cabir was posted on the Internet late last month by a member of an international virus-writing group.

"Lasco.A has been developed in two ways: one is an application for the Win32 platform, which infects SIS files, and the other is for the Symbian platform," the company warned.
