09 July 2005
Very interesting pair of trojans
SymbOS/Onehop.A and SymbOS/Bootton.A
[Image: Bootton in action]
F-Secure has received samples of a rather interesting pair of trojans, SymbOS/Onehop.A and SymbOS/Bootton.A.
Onehop.A is a trojan that disables most of the built-in applications and replaces them with a component that causes the device to reboot when executed. In practice this means that whenever the user tries to launch any system application, or presses the menu button, the device reboots.
In addition to damaging the phone, Onehop.A also contains Bluetooth functionality: it searches for the first phone it finds and sends Bootton.A to that device. Because Onehop.A sends a copy of Bootton.A rather than a copy of itself, it does not replicate and is therefore not a worm, only a trojan.
As the name suggests, Onehop.A is capable of infecting only devices one hop away from the original infection, whereas a real worm is capable of an unlimited number of hops.
The Bluetooth functionality of Onehop.A is implemented with a modified Cabir. Onehop.A installs a modified Cabir.B that is not capable of spreading itself and sends copies of Bootton.A instead. Since this modified Cabir cannot replicate, it is detected as a component of Onehop.A rather than as a separate piece of malware.
Bootton.A is almost identical to Onehop.A, except that it lacks the Bluetooth functionality. It is therefore not capable of affecting other devices, and it is different enough to require a name other than Onehop.