Pbstealer.B
+ New Pbstealer variant detected :: Pbstealer.B

12 December 2005

New Pbstealer.B variant detected

Pbstealer in action
(10x to CALVIN for screens)
Virus info

NAME:
Pbstealer.B

ALIAS:
SymbOS/Pbstealer.B

Summary

SymbOS/Pbstealer.B is a trojan application that runs on the Symbian Series 60 platform. Pbstealer.B pretends to be a utility that compacts the phone's contacts database. Instead of compacting anything, Pbstealer.B reads the contacts database and sends its contents as a text file to the first Bluetooth device it finds.

PBStealer.B is a close variant of PBStealer.A; about the only difference is that PBStealer.B copies additional contact entry fields, as well as the user's Notes and ToDo entries, into the file it sends over Bluetooth.

Pbstealer.B is a trojan and does not spread by itself; to be infected, the user has to download and install a SIS installation package that contains Pbstealer.B. So while Pbstealer.B uses Bluetooth to send phone book data, that data is plain text and cannot infect the receiving device.

Disinfection

F-Secure Mobile Anti-Virus is capable of detecting and deleting the Pbstealer.B trojan. Pbstealer.B can also be removed simply by uninstalling it with the Symbian application manager.

Payload

When started, Pbstealer.B shows the text:

Compacting your contact(s), step2

Please wait again
until done...

While showing the text, Pbstealer.B reads all contact information from the phone's contacts database and copies it to the file C:\SYSTEM\MAIL\PHONEBOOK.TXT. In addition to the contact information, PBStealer.B also copies the contents of the Notepad and Calendar ToDo database files, but this part is not very readable to the receiver, as the resulting file contains those databases in binary form.

After building the text file, Pbstealer.B searches for the first device it can find over Bluetooth and sends the text file to it.

When trying to send the file over Bluetooth, Pbstealer.B uses repeated connection attempts, so that if the user answers no, he immediately gets a second connection request. This technique is similar to the tactic used by Cabir, except that Pbstealer gives up after one minute of attempts and exits.

If the user of the target phone accepts the Bluetooth transfer, he receives a text file containing the information copied from the infected phone's contacts database.
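As an added illustration of the behaviour described above (this is not code from the original write-up), the following Python checks for two defender-side signs of this trojan: the dump file path the text names, and a burst of repeated Bluetooth push requests from one sender within the one-minute window Pbstealer.B keeps trying. The log line format, the sample file listing and the Bluetooth addresses are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Path the write-up says Pbstealer.B writes the contacts dump to.
DROPPED_FILE = r"C:\SYSTEM\MAIL\PHONEBOOK.TXT"

# Constructed (hypothetical) log format for inbound OBEX push prompts:
#   "<HH:MM:SS> OBEX_PUSH_REQUEST from <bt_addr> answer=<accept|reject>"
LOG_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) OBEX_PUSH_REQUEST from (\S+) answer=(\w+)$")

# Constructed sample data: a file listing and a short log.
SAMPLE_FILES = [r"C:\System\Apps\Compact\Compact.app", r"c:\system\mail\phonebook.txt"]
SAMPLE_LOG = [
    "12:00:01 OBEX_PUSH_REQUEST from 00:11:22:33:44:55 answer=reject",
    "12:00:09 OBEX_PUSH_REQUEST from 00:11:22:33:44:55 answer=reject",
    "12:00:20 OBEX_PUSH_REQUEST from 00:11:22:33:44:55 answer=reject",
    "12:00:41 OBEX_PUSH_REQUEST from 00:11:22:33:44:55 answer=reject",
    "12:05:00 OBEX_PUSH_REQUEST from AA:BB:CC:DD:EE:FF answer=accept",
]

def find_dropped_file(file_listing):
    """True if the phonebook dump path exists; Symbian paths are case-insensitive."""
    return any(p.upper() == DROPPED_FILE for p in file_listing)

def find_nag_bursts(log_lines, min_requests=3, window=timedelta(seconds=60)):
    """Return {sender: count} for senders that re-prompt at least min_requests
    times inside one window, the repeated-connection tactic the text describes."""
    by_sender = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not push prompts
        by_sender[m.group(2)].append(datetime.strptime(m.group(1), "%H:%M:%S"))
    flagged = {}
    for sender, times in by_sender.items():
        times.sort()
        for i in range(len(times)):  # sliding window over sorted timestamps
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= min_requests:
                flagged[sender] = j - i
                break
    return flagged

if __name__ == "__main__":
    print("dump file present:", find_dropped_file(SAMPLE_FILES))
    print("nagging senders:", find_nag_bursts(SAMPLE_LOG))
```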

Detection

Generic detection for Doomboot.G for F-Secure Mobile Anti-Virus was published on September 7th, 2005 in database build number 48.

Write-up: Jarno Niemela October 8th, 2005

F-Secure Corporation

Source: F-secure Author: Apocalypso ft. CALVIN

copyright (c) Symbian freak 2005,
all rights reserved
