
Will SMS Bring You Free Vouchers?

Created: 30 Mar 2010 08:50:42 GMT • Updated: 23 Jan 2014 18:28:37 GMT
Security Response China

Symantec Security Response has become aware of multiple reports from mainland China and Hong Kong of an SMS worm targeting the Symbian S60 platform. The worm is detected as SymbOS.Merogo. Two main factors helped the threat gain ground. First, China has a strong user base on the S60 platform. Second, the majority of those handset users have not turned on revocation checking, which would have prevented the threat from installing.

Essentially the threat spreads through social engineering, using lures like “Your friend has sent a picture to you, please click the following link to get it.” Once users click on the link, the threat proceeds to install itself on the phone using a signed certificate (which is currently revoked).

The installer package has been reportedly seen in multiple names:

  • [http://]117.135.138.234:8002/meinv.sisx
  • [http://]117.135.138.234:8002/bb9.sisx
  • [http://]117.135.138.234:8002/1013.sisx
  • [http://]117.135.138.234:8002/b13.sisx

But all of these contain the same executable:
\sys\bin\AknMimeInsSrv.exe

At the time of investigation, the URLs above were abandoned, but the threat can still be found on some application download sites as an image viewer, under the name of 强大的图片浏览器.sisx (Powerful Image View.sisx).

Once executed, the worm will install the following files into the phone:

  • Symbian_S60_System_InsSrv.pkg
  • 非主流0.pkg
  • data\aknmime\config\[a random filename].dat
  • data\aknmime\config\[a random filename].cfg
  • data\aknmime\config\install.dat20
  • Symbian_S60_System_InsSrv\sys\bin\AknMimeInsSrv.exe

The vendor name used by the worm is "Shenzhen Zhuota Advertising Co., Ltd", which may or may not be genuine.
We have seen reports that the worm automatically sends similar SMS messages to the contacts stored in the phone, which starts another cycle of spreading and infection. Here are some examples of the text messages that the worm reportedly sends out:

  • 尊敬用户:根据您入网时长, 现返还100元话费下载领取
    (As a loyal customer, you can download a free 100RMB phone voucher from here.)
    http://117.135.138.234:8002/[filename].sisx
  • 您的好友发来照片彩信,请点击收取!
    (Click here to receive the photo MMS from your best friends!)
    http://117.135.138.234:8002/[filename].sisx   
  • 你的朋友发来照片,请到下面地址收取:
    (Your friend has sent you some photos. You can retrieve them here: )
    http://117.135.138.234:8002/[filename].sisx

So, back to our original question “Will SMS bring you free vouchers”? The answer is definitely “NO”. Nevertheless, if you are infected by this worm, don’t panic. Symantec has released the detection signature as SymbOS.Merogo.

------------------------
Thanks Irfan Asrar and Mo Ying for the analysis.