UMU Mobile Security Banner
SymbOS/Kiazha.A
Green Tick UMU Scan protects against this virus.
Threat Level:
Low
Type:
Trojan
SDB Version:
148
SDB Release Date:
05/03/2008
Description Date:
11/03/2008
What does this virus do?
Arriving on your phone disguised as a genuine program installer, this virus monitors SMS messages and upon receipt of an SMS displays a message asking you to pay a fee or your device will not be disinfected. The virus then deletes all the SMS messages on your phone and reboots, repeating every time an SMS arrives. This virus also introduces and runs the following viruses: SymbOS/Beselo.D, SymbOS/CommWarrior.C and SymbOS/SMSSender.B.

SymbOS/Kiazha.A arrives disguised as a SIS installer for an application named “ZN1314”:

It drops the following files:
 
E:\system\Programs\Netqin.exe
E:\system\recogs\Netqins.mdl
E:\system\data\zn1314.db
D:\system\ZN1314\sq.exe
C:\system\Programs\2.txt
C:\system\recogs\rec-f.mdl
C:\system\data\appman.exe – detected as SymbOS/SMSSender.B
E:\system\data\appman.exe – detected as SymbOS/SMSSender.B
C:\system\recogs\appmae.mdl – detected as SymbOS/SMSSender.B
E:\system\recogs\appmae.mdl – detected as SymbOS/SMSSender.B
C:\system\data\appmab.cfg
E:\system\data\appmab.cfg
D:\system\ZN1314\zn.exe – detected as SymbOS/Beselo.D
D:\system\ZN1314\cc.exe – detected as SymbOS/CommWarrior.C

SymbOS/Kiazha.A drops and executes other Symbian malwares (SymbOS/Beselo.D, SymbOS/CommWarrior.C, SymbOS/SMSSender.B) whose payloads play a part in its own Trojan routines. 

SymbOS/Beselo.D and SymbOS/CommWarrior.C executes immediately after installation. 2.txt is a commercial anti-CommWarrior tool. This suggests that SymbOS/Kiazha.A may try to pass itself as an antivirus tool. However, to prevent it from removing its own dropped files, 2.txt has been modified such that it won’t scan or clean known installation paths of CommWarrior. 

Netqin.exe, the main SymbOS/Kiazha.A component, monitors and deletes all incoming and outgoing SMS and MMS messages. appman.exe (SymbOS/SMSSender.B) redirects all intercepted SMS messages to a remote number (13713530003) so that the malware author receives them instead. The remote number is probably located in China. 

The following is an example of an intercepted SMS message. It shows that the message (Umu1) as well as the sender’s name (UMU N6680) and phone number has been captured:

When an SMS message is received, SymbOS/Kiazha.A prompts the following message:

Roughly translated, the message requires the victim to send money to a certain QQ account or the device will not be disinfected. 

sq.exe sends the following message which initiates the creation of a new QQ account for the victim:

* QQ (also known as Tencent QQ) is the most popular free instant messaging computer program in China 

When an SMS message is received, SymbOS/Kiazha.A also displays random messages chosen from the following:









The SymbOS/SMSSender.B component also has the following strings inside its code that plays into the overall extortion theme of SymbOS/Kiazha.A: 

Till end of life
Why not pay us?
 

Manual Disinfection 

  1. Scan your mobile device using UMU Scan and delete all files detected as SymbOS/Kiazha.A, SymbOS/Beselo.D, SymbOS/CommWarrior.C, and SymbOS/SMSSender.B
  2. Reboot your device to kill malware residue processes.
  3. Download a third party File Explorer.
  4. Locate and delete the following files if they exist: 
E:\system\Programs\Netqin.exe
E:\system\recogs\Netqins.mdl
E:\system\data\zn1314.db
D:\system\ZN1314\sq.exe
C:\system\Programs\2.txt
C:\system\recogs\rec-f.mdl
C:\system\data\appman.exe
E:\system\data\appman.exe  
C:\system\recogs\appmae.mdl
E:\system\recogs\appmae.mdl
C:\system\data\appmab.cfg
E:\system\data\appmab.cfg
D:\system\ZN1314\zn.exe
D:\system\ZN1314\cc.exe
Virus Definitions

List of virus definitions
Report a new virus/spyware