Home / malware Trojan:SymbOS/Flocker.A
First posted on 23 July 2010.
Source: SecurityHomeAliases :
Trojan:SymbOS/Flocker.A is also known as Symbian.PythonSms.1 (Dr.Web), Trojan-SMS.Python.Flocker.i (Kaspersky), SymbOS/Flocker.B (Panda), Troj/SymbSms-A (Sophos), TROJ_FLOCK.I (Trend Micro), ZvirOK (other).
Explanation :
Trojan:SymbOS/Flocker.A is a trojan that targets mobile devices running Symbian operating system (SymbOS). The trojan is spread as a SymbOS installation package. Once installed on a mobile device the trojan sends unauthorized SMS messages resulting in mobile device account charges.
Top
Trojan:SymbOS/Flocker.A is a trojan that targets mobile devices running Symbian operating system (SymbOS). The trojan is spread as a SymbOS installation package. Once installed on a mobile device the trojan sends unauthorized SMS messages resulting in mobile device account charges. InstallationThis trojan may be installed as a SymbOS EPOC6 SiS installation package having a file size of 330,167 bytes. The package is not signed and is configured to support Chinese language. Upon installation of the package, a user is prompted with the following message: application created
TwoTowers
by [S.M.A.R.T] The trojan components may be present on the mobile device as the following: \System\Apps\ZverOK\ZverOK.app - application to launch "default.py" \System\Apps\ZverOK\default.py - Python script with payload instruction Payload Sends unauthorized messagesOnce installed on a mobile device the trojan sends unauthorized SMS messages to a predefined number. The component "ZverOK.app" launches the script "default.py". The script then sends an unauthorized SMS message containing the string "mumym xxx joker90" to a specific number, resulting in the assessment of mobile device account fees or charges. Additional InformationThe SiS package installs the Python run-time environment to allow the execution of the trojan Python script. The trojan's package is not signed and will not run on SymbOS versions 9 and above due to that operating system's restricted security model.
Analysis by Oleg PetrovskyLast update 23 July 2010