VIRUS ALERTS

InfoJack Trojan

Original issue date: March 3, 2008

It has been observed that a Windows Mobile Pocket PC Trojan named InfoJack is circulating widely. The Trojan propagates by posing as a legitimate application for stock trading and a collection of games; once a user installs it, it infects the mobile device. The Trojan also propagates when an infected memory card is inserted into another mobile device.

The Trojan installs itself as an autorun program on the memory card of the Windows Mobile device. After successful installation it replaces the browser's home page and sends information about the infected device to a remote website. This information includes the serial number, operating system version, host name, user name, radio hardware information, radio software information, subscriber identifier and other details of the infected mobile device.

Trojan InfoJack lowers the Windows Mobile application installation security setting and can also update itself through other malware, which is downloaded to the infected mobile device as unsigned applications.

Aliases: WCE/Meiti-A [Sophos], WinCE/Infojack [McAfee], Trojan:WinCE/InfoJack [F-Secure]

Upon execution, the Trojan:

  • Creates the following file to ensure its execution on every device startup:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\mservice.lnk
  • Creates the following files:
    • %Windir%\mservice.exe
    • %ProgramFiles%\Game\Big2\BIG2.exe
    • %ProgramFiles%\Game\Big2\Images.dat
    • %ProgramFiles%\Game\CChecker\CChecker.exe
    • %ProgramFiles%\Game\Go\GNUGo.exe
    • %ProgramFiles%\Game\GoBang\GoBang.exe
    • %ProgramFiles%\Game\Kevtris\Kevtris.exe
    • %ProgramFiles%\Game\Kevtris\240x320.dll
    • %ProgramFiles%\Game\Kevtris\Sounds.dll
    • %ProgramFiles%\Game\Link\GX.dll
    • %ProgramFiles%\Game\Link\Link.dat
    • %ProgramFiles%\Game\Link\Link.exe
    • %ProgramFiles%\Game\Link\Link.sav
    • %ProgramFiles%\Game\Link\ScoreList.sav
    • %ProgramFiles%\Game\Link\Sound\blast.wav
    • %ProgramFiles%\Game\Link\Sound\btnup.wav
    • %ProgramFiles%\Game\Link\Sound\clickcard.wav
    • %ProgramFiles%\Game\Link\Sound\gamefail.wav
    • %ProgramFiles%\Game\Link\Sound\hint.wav
    • %ProgramFiles%\Game\Link\Sound\music.wav
    • %ProgramFiles%\Game\Link\Sound\pass.wav
    • %ProgramFiles%\Game\Link\Sound\shuffle.wav
    • %ProgramFiles%\Game\MaJong\MaJong.exe
    • %ProgramFiles%\Game\SpbMine\records.dat
    • %ProgramFiles%\Game\SpbMine\SPBMine.exe
  • Creates the following registry entries:
    • HKEY_LOCAL_MACHINE\Security\Policies\Policies\"0000101a" = "1"
    • HKEY_LOCAL_MACHINE\Windows\Software\ms\"[3G]" = "%Windir%\mss.zip"
    • HKEY_LOCAL_MACHINE\Windows\Software\ms\"Mssver" = "%Windir%\msf.zip"
    • HKEY_LOCAL_MACHINE\Windows\Software\ms\"Favoritesver" = "%Windir%\msa.zip"
    • HKEY_LOCAL_MACHINE\Windows\Software\ms\"popconfigver" = "%Windir%\msw.zip"
  • Copies itself to memory cards as the following file on the compromised device:
    • [MEMORY CARD NAME]\2577\autorun.exe
  • Downloads the following files from mobi DOT xiaomeiti DOT com:
    • %Windir%\mss.zip
    • %Windir%\msf.zip
    • %Windir%\msa.zip
    • %Windir%\msw.zip
  • Installs itself as an autorun program on the memory card
  • Replaces the browser’s home page
  • Allows unsigned applications to install without warning
  • Downloads the following file in order to update itself:
    • mservice2.zip
  • Sends the gathered information to the following Web site:
    • mobi DOT xiaomeiti DOT com
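As an added illustration of how a defender can check a device inventory against the indicators listed above (example code written for this page, not part of the CERT-In alert or any vendor tool), the following Python matches file paths and registry values from the list, treats the memory-card name as variable, and assumes \Windows and \Program Files as the %Windir% and %ProgramFiles% roots:

```python
import re
# Indicators taken from the alert above; %Windir% and %ProgramFiles% are expanded at scan time.
FILE_IOCS = [
    r"%Windir%\mservice.exe", r"%Windir%\mss.zip", r"%Windir%\msf.zip",
    r"%Windir%\msa.zip", r"%Windir%\msw.zip",
    r"%ProgramFiles%\Game\Big2\BIG2.exe", r"%ProgramFiles%\Game\CChecker\CChecker.exe",
    r"%ProgramFiles%\Game\Link\Link.exe", r"%ProgramFiles%\Game\SpbMine\SPBMine.exe",
]
# The memory-card dropper sits at <card root>\2577\autorun.exe; the card name varies.
AUTORUN_RE = re.compile(r"^\\[^\\]+\\2577\\autorun\.exe$", re.IGNORECASE)
# (key, value name) -> expected data; None means any data counts as a hit.
# The alert ties policy 0000101a = "1" to unsigned applications installing without warning.
REG_IOCS = {
    (r"HKEY_LOCAL_MACHINE\Security\Policies\Policies", "0000101a"): "1",
    (r"HKEY_LOCAL_MACHINE\Windows\Software\ms", "[3G]"): None,
    (r"HKEY_LOCAL_MACHINE\Windows\Software\ms", "Mssver"): None,
    (r"HKEY_LOCAL_MACHINE\Windows\Software\ms", "Favoritesver"): None,
    (r"HKEY_LOCAL_MACHINE\Windows\Software\ms", "popconfigver"): None,
}
REG_LOOKUP = {(k.lower(), n.lower()): d for (k, n), d in REG_IOCS.items()}
# Assumed Windows Mobile roots (not stated in the alert); adjust for the device being checked.
DEFAULT_ENV = {"%Windir%": r"\Windows", "%ProgramFiles%": r"\Program Files"}

def expand(path, env=DEFAULT_ENV):
    """Substitute the placeholder roots and normalise case for comparison."""
    for var, root in env.items():
        path = path.replace(var, root)
    return path.lower()

def scan_files(paths, env=DEFAULT_ENV):
    """Return the inventory paths that match a listed InfoJack file artifact."""
    wanted = {expand(p, env) for p in FILE_IOCS}
    return [p for p in paths if p.lower() in wanted or AUTORUN_RE.match(p)]

def scan_registry(entries):
    """entries: (key, value name, data) triples; return those matching an indicator."""
    hits = []
    for key, name, data in entries:
        key_name = (key.lower(), name.lower())
        if key_name in REG_LOOKUP and REG_LOOKUP[key_name] in (None, data):
            hits.append((key, name, data))
    return hits

# Constructed sample inventory for demonstration, not data from a real device.
SAMPLE_FILES = [r"\Windows\mservice.exe", r"\Storage Card\2577\autorun.exe",
                r"\Program Files\Game\Link\Link.exe", r"\Windows\notepad.exe"]
SAMPLE_REG = [
    (r"HKEY_LOCAL_MACHINE\Security\Policies\Policies", "0000101a", "1"),
    (r"HKEY_LOCAL_MACHINE\Windows\Software\ms", "Mssver", r"\Windows\msf.zip"),
    (r"HKEY_LOCAL_MACHINE\Software\Example", "Version", "1"),  # benign entry, no hit
]
```

Only the executables and downloaded archives from the list are included as file indicators; the game data and sound files can be added to FILE_IOCS in the same way if a fuller sweep is wanted.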

In view of the rapid propagation of the InfoJack Trojan, users are advised to implement the following countermeasures:

  • Do not install the above-mentioned applications from untrusted sites.
  • Exercise caution while downloading and installing applications.
  • Keep anti-virus software on mobile phones up to date.


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003