Source: Fortiguard Center
www.fortiguardcenter.com/VirusEncyclopedia/search/encyclopediaSearch.do

Visible Symptoms
  • The following files exist:
    • c:\system\Apps\[random_name].exe : 80912 bytes (79k)
    • c:\system\Apps\[random_name].sis : 60008 bytes (59k)
    • c:\system\Data\[random_name].exe : 80912 bytes (79k)
    • c:\system\Data\[random_name].dat : 8 bytes
    • c:\system\Data\[random_name].ini : 0 bytes
  • Any of the following files exist:
    • c:\system\Install\sex.mp3 : 60008 bytes (59k)
    • c:\system\Install\love.rm : 60008 bytes (59k)
    • c:\system\Install\beauty.jpg : 60008 bytes (59k)

Threat Analysis

    Its propagation vector is an MMS.

    The phone issues a warning dialog saying "Application is untrusted and may have problems. Install only if you trust provider".

    Once the user opens the MMS, the phone demands the user's permission to install a file. The file has a random name.

    The file details can be checked by selecting the "Options" menu option. The file details show that no certificate is available and that the supplier is unknown.

    Once the application is installed, the following files can be found on the file system:

    • c:\system\Apps\[random_name].exe : 80912 bytes (79k)
    • c:\system\Apps\[random_name].sis : 60008 bytes (59k)
    • c:\system\Data\[random_name].exe : 80912 bytes (79k)
    • c:\system\Data\[random_name].dat : 8 bytes
    • c:\system\Data\[random_name].ini : 0 bytes
    and any of the following files:
    • c:\system\Install\sex.mp3 : 60008 bytes (59k)
    • c:\system\Install\love.rm : 60008 bytes (59k)
    • c:\system\Install\beauty.jpg : 60008 bytes (59k)
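
The file list above can be turned into a simple check over a file listing exported from a handset. This is an added example, not part of the Fortiguard entry; the (path, size) listing format, the function name and the requirement that all five [random_name] files share one name are assumptions.

```python
import re
from collections import defaultdict

# (folder, extension) -> size in bytes, taken from the file list above.
EXPECTED = {("apps", "exe"): 80912, ("apps", "sis"): 60008,
            ("data", "exe"): 80912, ("data", "dat"): 8, ("data", "ini"): 0}
INSTALL_NAMES = {"sex.mp3", "love.rm", "beauty.jpg"}
INSTALL_SIZE = 60008
PATH_RE = re.compile(r"^c:\\system\\(apps|data|install)\\([^\\]+)$", re.I)

def match_symptoms(listing):
    """Return (random_names, install_paths) found in (path, size) pairs."""
    found = defaultdict(set)
    install_hits = []
    for path, size in listing:
        m = PATH_RE.match(path)
        if not m:
            continue
        folder, name = m.group(1).lower(), m.group(2).lower()
        if folder == "install":
            if name in INSTALL_NAMES and size == INSTALL_SIZE:
                install_hits.append(path)
            continue
        stem, _, ext = name.rpartition(".")
        if EXPECTED.get((folder, ext)) == size:
            found[stem].add((folder, ext))
    # Assumption: a hit needs all five files under one shared name.
    names = sorted(s for s, seen in found.items() if len(seen) == len(EXPECTED))
    return names, install_hits

# Constructed sample listing (not taken from a real device).
SAMPLE = [
    (r"c:\system\Apps\qwkz.exe", 80912),
    (r"c:\system\Apps\qwkz.sis", 60008),
    (r"c:\system\Data\qwkz.exe", 80912),
    (r"c:\system\Data\qwkz.dat", 8),
    (r"c:\system\Data\qwkz.ini", 0),
    (r"c:\system\Install\love.rm", 60008),
    (r"c:\system\Apps\notes.exe", 41200),      # unrelated application
    (r"c:\system\Install\beauty.jpg", 1024),   # right name, wrong size
]

if __name__ == "__main__":
    print(match_symptoms(SAMPLE))
```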

    The virus process can be seen in the process list:

  • It sends itself as an MMS to phone numbers of the same operator as well as to the phone numbers of the contacts on the infected phone.

    The message details can be seen by selecting the appropriate menu option:

Action
      FortiGate Systems

    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

      FortiClient Systems

    • Quarantine/delete files that are detected and replace infected files with clean backup copies.