is a trojan that affects mobile devices running the Windows CE operating system. It attempts to download and run Trojan:WinCE/MobUn.A
from a remote website. Trojan:WinCE/MobUn.A
sends SMS text messages from an affected mobile device to premium rate numbers, resulting in unexpected and often large telecommunication charges.
may be packaged with popular games such as "Catcha Mouse
"; in the wild this trojan was observed included in an archive named "catcha-mouse-v.1.1.0.cab
". When installed, Trojan:WinCE/MobUn.A
and this trojan downloader are present as the following files:
\Windows\srvupdater.exe - TrojanDownloader:WinCE/MobUn.A
During installation of the trojan, a shortcut file is created in the Windows startup folder named "srvce.lnk
" - this executes Trojan:WinCE/MobUn.A
when the device is started. Trojan:WinCE/MobUn.A will execute TrojanDownloader:WinCE/MobUn.A
TrojanDownloader:WinCE/MobUn.A attempts to contact the following URL to download Trojan:WinCE/MobUn.A:
Upon successfully download of Trojan:WinCE/MobUn.A, it will replace the installed version with the new one and copies itself to the Windows folder as the following:
It then starts the process of Trojan:WinCE/MobUn.A.
Analysis by Wei Li
The following system changes may indicate the presence of this malware: