Threat behavior
Trojan:WinCE/MobUn.A is a trojan that affects mobile devices running the Windows CE operating system; it sends SMS text messages from an affected mobile device to premium rate numbers, resulting in unexpected and often large telecommunication charges.
Installation
This trojan and another, TrojanDownloader:Win32/MobUn.A, may be packaged with a popular game such as "Catcha Mouse". In the wild, this trojan was observed included in an archive named "catcha-mouse-v.1.1.0.cab". When installed, Trojan:WinCE/MobUn.A and its downloader are present as the following files:
\Windows\msservice.exe - Trojan:WinCE/MobUn.A
During installation of the trojan, a shortcut file named "srvce.lnk" is created in the Windows startup folder; this executes Trojan:WinCE/MobUn.A when the device is started. Trojan:WinCE/MobUn.A will execute TrojanDownloader:Win32/MobUn.A.
Payload
Sends SMS messages
This trojan attempts to contact the following URL to download the parameters:
The trojan requests parameters using a string "index.php?getstr=param". Below are examples of parameters received from the website.
| Parameters received | Refers to |
|---|---|
| param1 = 5 | interval between SMS messages |
| param2 = 1 | Trojan’s version number |
| param3 = 1131 | the number to which SMS messages are sent |
| param4 = 2011102Libra | the text sent in SMS messages |
| param5 = | the URL for downloading a new version of the Trojan |
Upon receiving the parameters, the trojan writes them to a file named “Servicedata.dat”. It then sends SMS messages from the infected mobile device, using the text given in param4 and the number given in param3. The interval between SMS messages is given by param1.
Additional Information
In the parameter list above, "param4" is constructed of numbers and an astrological zodiac sign, such as "2011102Libra" or "2011102Taurus".
Analysis by Wei Li
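The parameter request string and the param4 message format described above can both be matched in logs. The following is an added detection example, not part of the original analysis: the proxy log layout, the SMS record export, the host `example.invalid` (the page does not give the URL) and the extension of the zodiac list beyond "Libra" and "Taurus" to all twelve signs are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

ZODIAC = ("Aries", "Taurus", "Gemini", "Cancer", "Leo", "Virgo", "Libra",
          "Scorpio", "Sagittarius", "Capricorn", "Aquarius", "Pisces")
# param4 shape per the page: numbers followed by a zodiac sign, e.g. "2011102Libra".
# Only "Libra" and "Taurus" appear on the page; the other ten signs are assumed.
SMS_BODY_RE = re.compile(r"^\d+(?:%s)$" % "|".join(ZODIAC))


def is_param_fetch(url):
    """True if the URL requests index.php with the query pair getstr=param."""
    parts = urlsplit(url)
    return (parts.path.rsplit("/", 1)[-1].lower() == "index.php"
            and parse_qs(parts.query).get("getstr") == ["param"])


def scan_proxy_log(lines):
    """Assumed log layout: '<timestamp> <client> <method> <url>' per line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and is_param_fetch(fields[3]):
            hits.append((fields[1], fields[3]))
    return hits


def scan_sms_records(records):
    """records: (device_id, destination, body) tuples from an assumed SMS export."""
    return [(dev, dest) for dev, dest, body in records
            if SMS_BODY_RE.match(body.strip())]


# Constructed sample data; example.invalid stands in for the URL the page omits.
PROXY_LOG = [
    "2011-10-02T09:14:03Z 10.0.4.17 GET http://example.invalid/index.php?getstr=param",
    "2011-10-02T09:14:09Z 10.0.4.22 GET http://example.invalid/index.php?page=news",
    "2011-10-02T09:15:41Z 10.0.4.17 GET http://example.invalid/static/logo.png",
]
SMS_RECORDS = [
    ("dev-17", "1131", "2011102Libra"),
    ("dev-17", "1131", "2011102Taurus"),
    ("dev-22", "5550100", "Running late, see you at 6"),
]

if __name__ == "__main__":
    print(scan_proxy_log(PROXY_LOG))
    print(scan_sms_records(SMS_RECORDS))
```

Because the destination number and message text are delivered as parameters and can change, the match on message shape is more durable than a match on the number 1131 alone.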
Prevention