UMU Scan protects against this virus.
Low | Trojan | 236 | 15/10/2009 | 19/10/2009
SymbOS/KillPhone.C
Virus Type: Trojan
Threat Level: Low
SDB Version: 236
SDB Release Date: 15.10.2009
SymbOS/KillPhone.C is a highly destructive mobile Trojan designed to render the infected phone unusable upon infection. It replaces normal programs belonging to the phone’s operating system with corrupted copies.
It may arrive on a phone disguised as a SIS installer for normal applications. It may even display messages such as the following:
When the malicious SIS installer is executed, it overwrites normal application files in the device’s Libs and Programs directories with damaged copies. Some of the files that are overwritten are the following:
!:\System\Libs\BTManServer.exe
!:\System\Libs\DeviceManagementServer.exe
!:\System\Libs\EComServer.exe
!:\System\Libs\eFile.exe
!:\System\Libs\eKern.exe
!:\System\Libs\EwSrv.exe
!:\System\Libs\FbServ.exe
!:\System\Libs\MmfAudioPolicy.exe
!:\System\Libs\MmfIsaTone.exe
!:\System\Libs\PengcacServ.exe
!:\System\Libs\PengServer.exe
!:\System\Libs\RandSvr.exe
!:\System\Libs\SdpServer.exe
!:\System\Libs\WalletServer.exe
!:\System\Libs\Watcher.exe
!:\System\Libs\WimServer.exe
!:\System\Programs\Agsvexe.exe
!:\System\Programs\AknIconSrv.exe
!:\System\Programs\AknSkinSrv.exe
!:\System\Programs\AlarmServer.exe
!:\System\Programs\AlwaysOnlineStarter.exe
!:\System\Programs\AppRun.exe
!:\System\Programs\ApsExe.exe
!:\System\Programs\BakSrvs.exe
!:\System\Programs\BTServer.exe
!:\System\Programs\c32Exe.exe
!:\System\Programs\c32Start.exe
!:\System\Programs\CalenSvr.exe
!:\System\Programs\CamServerCore.exe
!:\System\Programs\CBSServer.exe
!:\System\Programs\CdlServer.exe
!:\System\Programs\CLKNITZMDLS.exe
!:\System\Programs\CNTSrv.exe
!:\System\Programs\Connmonexe.exe
!:\System\Programs\DataConnectionLogger.exe
!:\System\Programs\DBRecovery.exe
!:\System\Programs\Dnd.exe
!:\System\Programs\DosServer.exe
!:\System\Programs\DRMHelperServer.exe
!:\System\Programs\EDbSrv.exe
!:\System\Programs\eikSrvs.exe
!:\System\Programs\EInfoServer.exe
!:\System\Programs\FaxModem.exe
!:\System\Programs\LogServ.exe
!:\System\Programs\MSexe.exe
!:\System\Programs\Ncnlist.exe
!:\System\Programs\NPAPrivlistener.exe
!:\System\Programs\ObexmtMuiServer.exe
!:\System\Programs\PhoneServer.exe
!:\System\Programs\Sae.exe
!:\System\Programs\SatServer.exe
!:\System\Programs\Schexe.exe
!:\System\Programs\SecEnvInit.exe
!:\System\Programs\SecurityObserver.exe
!:\System\Programs\SharedDataServer.exe
!:\System\Programs\SicServer.exe
!:\System\Programs\SipServer.exe
!:\System\Programs\SRCS.exe
!:\System\Programs\Starter.exe
!:\System\Programs\Sysagx.exe
!:\System\Programs\Sysamob.exe
!:\System\Programs\Systemams.exe
!:\System\Programs\UniPertar.exe
!:\System\Programs\UsbSvr.exe
!:\System\Programs\UsbWatcher.exe
*where ! represents a drive specified by the user during installation
SymbOS/KillPhone.C affects Symbian 2nd edition devices.
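One way to screen a package before installation, as an added example that is not part of the original description: the Python below classifies the install target paths of a SIS package against the two directories and a subset of the file names listed above. It assumes the target paths have already been extracted from the package by other means; the function names, verdict labels and sample manifest are constructed for illustration.

```python
import ntpath
import re

# Target directories named in the write-up (drive is a letter or the "!" wildcard).
TARGET_DIRS = {"\\system\\libs", "\\system\\programs"}

# Subset of the file names listed above, lower-cased; extend with the rest of the list.
LISTED_NAMES = {"ekern.exe", "efile.exe", "ecomserver.exe",
                "phoneserver.exe", "starter.exe", "eiksrvs.exe"}

DRIVE_RE = re.compile(r"^([A-Za-z!]):(.*)$")

def classify_target(path):
    """Classify one install target path as 'listed', 'review' or 'ok'."""
    m = DRIVE_RE.match(path.strip())
    if not m:
        return "ok"  # no drive prefix; out of scope for this check
    # Normalise separators, collapse ".." segments and ignore case before comparing.
    rest = ntpath.normpath(m.group(2).replace("/", "\\")).lower()
    directory, name = ntpath.split(rest)
    if directory not in TARGET_DIRS:
        return "ok"
    # The page's list is partial ("some of the files"), so an unlisted name
    # written into the same directories is still surfaced for manual review.
    return "listed" if name in LISTED_NAMES else "review"

def triage(manifest):
    """Return (path, verdict) for every manifest entry that is not 'ok'."""
    hits = []
    for path in manifest:
        verdict = classify_target(path)
        if verdict != "ok":
            hits.append((path, verdict))
    return hits

# Constructed sample manifest (not taken from a real package).
SAMPLE_MANIFEST = [
    "!:\\System\\Libs\\eKern.exe",
    "C:\\system\\programs\\PHONESERVER.EXE",
    "!:/System/Apps/../Programs/Starter.exe",
    "E:\\System\\Libs\\helper.dll",
    "!:\\System\\Apps\\Game\\Game.app",
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_MANIFEST):
        print(f"{verdict:7} {path}")
```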
Other Details
SymbOS/KillPhone.C may also display the following messages:
Manual Disinfection
If the infected phone has been restarted and boot has failed, the only option is to perform a hard reset. This will erase all data stored in the phone’s C drive (including the Phonebook, Calendar, etc.) and restore the phone to its factory settings (make a copy of relevant information prior to this if required). To perform a hard reset/format on Nokia phones:
- Turn off the phone.
- While holding down the following buttons, “Call (green)” + “*” + “3”, turn on the phone.
- Alternatively, key in *#7370# enter – 12345 enter and this will hard reset the phone.
After the reset, scan your mobile device using UMU Scan and delete all files detected as SymbOS/KillPhone.C.