Mobile malware kills Symbian service

Two new Trojan horse programs threaten to render some Symbian-based mobile phones totally useless.

The programs, Gavno.a and Gavno.b, masquerade as patch files designed to trick users into downloading them, said Aaron Davidson, chief executive officer of SimWorks International, in a telephone interview on Monday.

Although almost identical with Gavno.a, Gavno.b contains the Cabir worm, which attempts to send a copy of the Trojan horse to other nearby Symbian-based phones via short-range wireless Bluetooth technology.

The Gavno Trojans, according to Davidson, are the first to aim at disrupting a core function of mobile phones -- telephony -- in addition to other applications such as text messaging, e-mail and address books. "Gavno will effectively turn a mobile phone into a paperweight," he said.

Gavno.a and Gavno.b are proof-of-concept Trojan horses that "are not yet in the wild," Davidson said. "We were given an anonymous tip to have a look at them, which we've done. They're real."

Even if the Gavno Trojans aren't sophisticated programs, "they could still cause a lot of damage," Davidson said.

Gavno a., which has a size of around 2KB, comes disguised in a SIS (Symbian Installation System) file, called patch.sis. Gava.b, which is slightly larger, is tucked inside the SIS file patch_v2.sis.

Davidson believes the Trojan programs originated in Russia.

The programs affect phones, such as Nokia's 6600 and 7610 models, using Symbian's OS version 7 with the Series 60 graphical user interface, according to SimWorks, which is located in Auckland.

Not affected are Symbian-based phones such as the P900 and P910 from Sony Ericsson Mobile Communications AB and the A925 and 1000 from Motorola Inc. equipped with the graphical user interface from UIQ Technology AB, SimWorks said. Also unaffected are Nokia's 3650 and Siemens' SX1, running Symbian OS version 6.x together with the Series 60 interface.

To fix infected phones, users will need to restore them to their factory settings, resulting in the loss of all personal data, such as phone book and calendar, according to Davidson.

Mobile phone antivirus experts at F-Secure have not come across the Gavno Trojan horses, nor have they received reports or questions from customers, said Mikko Hyppönen, director of antivirus research at Helsinki-based F-Secure. "Even if we haven't located the malware ourselves, we do believe it is out there if SimWorks says it is," Hyppönen said. "Lots of new mobile viruses, worms and Trojan horses are emerging around the world."

In December, SimWorks detected the mobile Trojan horse, MetalGear.a. The program, which masquerades itself as a Symbian version of the Metal Gear Solid game, disables antivirus programs and also installs a version of the Cabir worm identified earlier in the year.