TrojanDownloader:WinCE/MobUn.A


TrojanDownloader:WinCE/MobUn.A is a trojan that affects mobile devices running the Windows CE operating system. It attempts to download and run Trojan:WinCE/MobUn.A from a remote website. Trojan:WinCE/MobUn.A sends SMS text messages from an affected mobile device to premium rate numbers, resulting in unexpected and often large telecommunication charges.

Threat behavior

Installation
TrojanDownloader:WinCE/MobUn.A may be packaged with popular games such as "Catcha Mouse"; in the wild this trojan was observed included in an archive named "catcha-mouse-v.1.1.0.cab". When installed, Trojan:WinCE/MobUn.A and this trojan downloader are present as the following files:
 
\Windows\msservice.exe - Trojan:WinCE/MobUn.A
\Windows\srvupdater.exe - TrojanDownloader:WinCE/MobUn.A
 
During installation of the trojan, a shortcut file named "srvce.lnk" is created in the Windows startup folder; this executes Trojan:WinCE/MobUn.A when the device is started. Trojan:WinCE/MobUn.A will execute TrojanDownloader:WinCE/MobUn.A.
Payload
TrojanDownloader:WinCE/MobUn.A attempts to contact the following URL to download Trojan:WinCE/MobUn.A:
 
  • mobileunit.ru
 
Upon successful download of Trojan:WinCE/MobUn.A, it replaces the installed version with the new one and copies itself to the Windows folder as the following:
 
\Windows\msservice.exe - Trojan:WinCE/MobUn.A
 
It then starts the process of Trojan:WinCE/MobUn.A.
 
Analysis by Wei Li

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files on the Windows CE device:
    \Windows\msservice.exe
    \Windows\srvupdater.exe
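
The indicators in this entry can be checked against a file listing exported from a device and against DNS or proxy log lines. The following is an added example, not part of the original entry: the function names, the log format and the sample inputs are constructed, and because the entry gives only the shortcut name, the code assumes the startup folder is a directory named "startup".

```python
import re

# Indicators taken from the entry above.
FILE_IOCS = {
    r"\windows\msservice.exe": "Trojan:WinCE/MobUn.A",
    r"\windows\srvupdater.exe": "TrojanDownloader:WinCE/MobUn.A",
}
STARTUP_SHORTCUT = "srvce.lnk"
DOWNLOAD_HOST = "mobileunit.ru"
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)*[a-z0-9-]+\.[a-z]{2,})(?![\w-])", re.I)

def normalize(path):
    """Lower-case the path and accept / or \\ separators so comparisons are uniform."""
    path = path.strip().replace("/", "\\").lower()
    return path if path.startswith("\\") else "\\" + path

def scan_listing(paths):
    """Return sorted (path, reason) findings for a device file listing."""
    findings = set()
    for raw in paths:
        p = normalize(raw)
        parts = p.split("\\")
        if p in FILE_IOCS:
            findings.add((p, FILE_IOCS[p]))
        # Assumption: the startup folder is a directory named "startup";
        # the entry gives only the shortcut name, not the folder path.
        elif parts[-1] == STARTUP_SHORTCUT and "startup" in parts[:-1]:
            findings.add((p, "startup shortcut"))
    return sorted(findings)

def hosts_contacting_downloader(log_lines):
    """Return log lines naming the download host or a subdomain of it."""
    hits = []
    for line in log_lines:
        for host in HOST_RE.findall(line):
            host = host.lower()
            if host == DOWNLOAD_HOST or host.endswith("." + DOWNLOAD_HOST):
                hits.append(line)
                break
    return hits

if __name__ == "__main__":
    # Constructed sample inputs, not data from a real device or network.
    listing = ["\\Windows\\MSService.exe", "\\Windows\\StartUp\\srvce.lnk", "\\My Documents\\notes.txt"]
    dns_log = ["2011-03-04 10:00:01 query dl.mobileunit.ru", "2011-03-04 10:00:02 query notmobileunit.ru"]
    print(scan_listing(listing))
    print(hosts_contacting_downloader(dns_log))
```

Matching on whole hostnames keeps lookalike names such as "notmobileunit.ru" or "mobileunit.ru.example.com" from being reported as contact with the download host.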

Prevention


Alert level: Severe
First detected by definition: 1.99.623.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Mar 04, 2011
This entry was first published on: Mar 14, 2011
This entry was updated on: May 06, 2011

This threat is also detected as:
  • TR/Dldr.WinCE.MobUn.a (Avira)
  • WinCE.Serv.2 (Dr.Web)
  • Trojan-Downloader.WinCE.MobUn.a (Kaspersky)
  • Troj/MobUn-A (Sophos)
  • Trojan.DL.WinCE.MobUn.A (VirusBuster)