Symantec Security Response has become aware of multiple reports from mainland China and Hong Kong of an SMS worm targeting the Symbian S60 platform. The worm is detected as SymbOS.Merogo. Two main factors helped the threat gain ground. First, China has a strong user base of the S60 platform. Second, the majority of those handset users have not turned on revocation checking, which would have prevented the threat from installing.
Essentially, the threat spreads through social engineering, using tricks like “Your friend has sent a picture to you, please click the following link to get it.” Once a user clicks on the link, the threat proceeds to install itself on the phone using a signed certificate (which is currently revoked).
The installer package has reportedly been seen under multiple names:
But all of these contain the same executable:
At the time of investigation, the URLs above were abandoned, but the threat can still be found on some application download sites as an image viewer, under the name of 强大的图片浏览器.sisx (Powerful Image View.sisx).
Once executed, the worm will install the following files into the phone:
- data\aknmime\config\[a random filename].dat
- data\aknmime\config\[a random filename].cfg
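The file locations above can be turned into a triage check over a file listing exported from a handset. The following is an added example, not Symantec's detection logic; the listing format, the function names and the sample data are assumptions, and because the write-up does not say the directory is otherwise empty, matches are candidates for review rather than confirmation.

```python
import re
from collections import defaultdict

# Directory and extensions come from the write-up; the filename itself is random.
# Symbian file systems are case-insensitive, so matching ignores case.
# The drive letter is optional because the write-up gives drive-less paths.
DROP_RE = re.compile(
    r"^(?:(?P<drive>[a-z]):)?[\\/]*data[\\/]+aknmime[\\/]+config[\\/]+"
    r"(?P<name>[^\\/]+)\.(?P<ext>dat|cfg)$",
    re.IGNORECASE,
)

def find_merogo_candidates(listing):
    """Return {drive: sorted [(name, ext)]} for paths matching the drop pattern."""
    hits = defaultdict(set)
    for raw in listing.splitlines():
        m = DROP_RE.match(raw.strip())
        if m:
            drive = (m.group("drive") or "?").upper()
            hits[drive].add((m.group("name"), m.group("ext").lower()))
    return {d: sorted(v) for d, v in hits.items()}

def summarize(hits):
    """'full' = both a .dat and a .cfg file present on a drive, else 'partial'."""
    out = {}
    for drive, files in hits.items():
        exts = {ext for _, ext in files}
        out[drive] = "full" if exts == {"dat", "cfg"} else "partial"
    return out

# Constructed sample listing (not taken from a real handset).
SAMPLE_LISTING = r"""
C:\data\aknmime\config\qzxvbn.dat
C:\Data\AknMime\Config\plmokn.CFG
C:\data\images\holiday.jpg
E:/data/aknmime/config/wertyu.cfg
E:\data\aknmime\config\sub\nested.dat
C:\data\aknmime\readme.dat
"""

if __name__ == "__main__":
    hits = find_merogo_candidates(SAMPLE_LISTING)
    for drive, status in sorted(summarize(hits).items()):
        print(drive, status, hits[drive])
```
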
The vendor name used by the worm is "Shenzhen Zhuota Advertising Co., Ltd", which may or may not be genuine.
We have seen reports that the worm automatically sends similar SMS messages to the contacts stored in the phone, which starts another cycle of spreading and infection. Here are some examples of the text messages that the worm reportedly sends out:
(As a loyal customer, you can download a free 100RMB phone voucher from here.)
(Click here to receive the photo MMS from your best friends!)
(Your friend has sent you some photos. You can retrieve them here: )
So, back to our original question: “Will SMS bring you free vouchers?” The answer is definitely “NO”. Nevertheless, if you are infected by this worm, don’t panic. Symantec has released the detection signature as SymbOS.Merogo.
Thanks to Irfan Asrar and Mo Ying for the analysis.