Forum > General discussions > Other manufacturers > Strange sis received on Nk 6600

F-Secure is currently investigating a new trojan infecting Symbian Series 60 phones - Skulls. Unlike Cabir, this trojan is actually malicious. Symbian must have anticipated this, having recently signed for McAfee's virus protection.

This trojan [SymbOS/Skulls] has been distributed on Symbian shareware download sites as "Extended Theme Manager" by Tee-222. If you see it, don't install it on your phone. It will make you're phone useless and it will prevent it from booting up. Recovery could get tricky, especially if you don't have a third-party file manager software already installed on your phone. The most obvious symptom of the trojan is that the typical programs on the phone won't work any more, and that their icons get replaced with a a picture of a skull.

Anti-virus vendors have spotted a new strain of the "Skulls" Trojan sneaking into Symbian-based cell phones, and this one drops the Cabir worm on the devices.

The latest mutant, Skulls.B, is similar to the Trojan discovered last week in the Nokia (news - web sites) 7610 smart phone, which is powered by the Symbian operating system.

However, while the original "Skulls" Trojan simply disabled the smart-phone functionality on the handset, the new version also infects the device with Cabir, a worm that uses the Bluetooth protocol to copy itself onto devices as far as 30 feet away.

Cabir, which was first discovered in June, is transmitted as an SIS (Symbian Installation System) file and disguised as a Caribe Security Manager utility. It originally appeared as a proof-of-concept virus without a payload.

Anti-virus specialist F-Secure Corp. released an advisory for the new version of "Skulls," which is described as a malicious SIS file Trojan that will replace the system applications with non-functional versions before installing the Cabir worm.

"Unlike Skulls.A, the Skulls.B variant does not show any pop-up messages during install (except the 'Installation security warning—unable to verify supplier' message shown by the operating system)," F-Secure said in the advisory. Also, according to the advisory, the new variant replaces standard application icons with generic ones instead of the skull and cross-bones used by the original Trojan.

Skulls.B is capable of disabling all functions on the phone that require system application, such as SMS and MMS messaging, Web browsing and the built-in camera.

When the original Trojan appeared, U.K.-based Symbian Ltd. said it was investigating the malware, which targets the Nokia 7610 but may affect some other phones using the Series 60 user interface.

Mobile & Wireless Center Editor Carol Ellison says the Skulls Trojan proves that the battle to secure wireless data is stretching to new frontiers. Click here to read her column.

"To be affected by the malware requires a phone user to deliberately install it as an application onto their phone. The malware cannot be installed without repeated user intervention, including ignoring a security warning," the company said in a statement.

"The malware does not appear to have the ability to distribute itself to other phones," it added.

Symbian virus writers have now decided to have another go at this. SimWorks has identified a new variant of the Camtimer/Cabir combo originally included in Skulls b, this time seperate from the Skulls trojan.

The Cabir worm found in Skulls.b was packaged with an application called Camtimer, a piece of free Nokia software. The Camtimer/Cabir.b worm combo (Camtimer.a) packaged with Skulls.b was not pack correctly and the Cabir virus would not auto-start.

This new variant, Camtimer.b has been packaged correctly and so in this version Cabir will auto-start.

The installation file for Camtimer.b is called CAMTIMER.sis.