+ New Pbstealer variant detected :: Pbstealer.C

12 December 2005

New Pbstealer variant detected

Pbstealer in action
(10x to CALVIN for screens)
Virus info

NAME:
Pbstealer.C

ALIAS:
SymbOS/SymbOS/Pbstealer.C

Description

Pbstealer.C is a slightly changed variant: besides stealing the user's Phone Book data, it also steals the user's "Notes", "To-Do" and "Calendar" data, compiles it into a text file and sends it over Bluetooth to targeted devices that are in online mode or in active discovery mode.

The analysis showed that it is capable of running on older Symbian phones running version 6.1, such as the NOKIA 3650/3660/3620/7650/N-GAGE/QD etc., but it seems to fail to run on the latest Symbian OS v8.0 phones such as the NOKIA 6630/6680/6681/N70/N90.

Some users might store important data on the phone, such as credit card numbers, ATM card PINs, bank account PIN codes and private and confidential company or personal data.

Therefore, users should always avoid installing software from unknown sources on the phone. This is a very good example of Symbian "spyware" that can steal user data.

Analysis/Observation

This trojan was distributed in an application file and is spreading in PBCompressor.SIS.

Symptoms

When the user tries to install this suspicious *.SIS file, the image below shows a screenshot taken during the installation process:

After installation completes, the application is set to run in hidden mode, so the user may be surprised to find no application icon in the menu system. It is actually running in the phone's background and sending user data without the user's confirmation.

Propagation

This malware works from the file it generates at c:/System/mail/phonebook.txt and sends the compiled data via Bluetooth. Here are some images of user data being compiled into a text file:

Disinfection

Use the latest version of the CalvinStinger© Symbian Viruses Disinfection Tool or a Symbian anti-virus application. An updated virus database is a must in order to fully disinfect your phone.
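The two file-level indicators named on this page (the installer PBCompressor.SIS and the staging file c:/System/mail/phonebook.txt) can be checked against a file listing taken from a handset. The script below is an added example, not part of the original write-up or of any tool it mentions; the one-path-per-line listing format and the function names are assumptions.

```python
# Added example: triage a handset file listing for the two file-level
# indicators this page names. Listing format (one path per line) is assumed.
import re

STAGING_FILE = "c:/system/mail/phonebook.txt"   # path from the page, lower-cased
INSTALLER_NAME = "pbcompressor.sis"             # file name from the page, lower-cased


def normalize(path):
    """Symbian paths are case-insensitive and normally use backslashes,
    so fold case and separators before comparing with the indicators."""
    p = path.strip().strip('"').replace("\\", "/")
    p = re.sub(r"/+", "/", p)
    return p.lower()


def triage(listing_lines):
    """Return (indicator, original_path) tuples for every matching line."""
    findings = []
    for raw in listing_lines:
        p = normalize(raw)
        if not p:
            continue
        if p == STAGING_FILE:
            # Exact location only: a phonebook.txt elsewhere is not flagged.
            findings.append(("staging-file", raw.strip()))
        elif p.rsplit("/", 1)[-1] == INSTALLER_NAME:
            # The installer may sit on any drive or folder (inbox, memory card).
            findings.append(("installer", raw.strip()))
    return findings


# Constructed sample listing (not taken from a real device).
SAMPLE = [
    r"C:\System\Apps\Phonebook\Phonebook.app",
    r"C:\System\Mail\PhoneBook.txt",
    r"E:\Nokia\Installs\PBCompressor.SIS",
    r"C:\Nokia\Notes\phonebook.txt",
]

if __name__ == "__main__":
    for kind, path in triage(SAMPLE):
        print(f"{kind:13} {path}")
```

A match is a lead for closer examination of the handset, not proof of infection, since both indicators are plain file names.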

Detection

Virus found and analysis report written up by CALVIN on 29th November 2005 ©

Source: CALVIN Author: Apocalypso ft CALVIN

copyright (c) Symbian freak 2005,
all rights reserved
