AmateurForensics-Mobile: USB stick MP3 Player (apparent cross infection – PC / Mobile PC)

NOTE: this threat installation had tell-tale signs of perhaps even the first
Windows Mobile mobile botnet. It was successfully blocked from establishing a connection, detected before ever causing any damage, and safely removed.

Mobile Threat: FlashMates_(v1[1].0.4)_Setup.exe, which is identified as
Email-Worm.Win32.Apbost!IK [Ikarus antivirus = IK]

PDA Mobile Cafe’s Blog
Mobile PC and everything wireless – cell, pda, laptop
——————————————————————————–

USB stick MP3 Player labeled Nextar (apparent cross infection – PC / Mobile PC) July 24, 2009 by pdamobilecafe
http://pdamobilecafe.wordpress.com/2009/07/24/usb-stick-mp3-player-labled-nextar-apparent-cross-infection-pc-mobile-pc/ 
A funny thing happened when plugging a USB stick MP3 Player labeled Nextar (cross infection) from a friend into the desktop PC. Read on.

Possibly a black market relabeled fake, and there are apparently even criminal
“clone” or “phisher” or “pharmer” sites around emusic.com. Suddenly, an apparent “cross infection” occurred in the Pocket PC Windows Mobile – a mass emailing worm! Isn’t that fun (sarcasm).

eMusic – Wikipedia, the free encyclopedia: eMusic is an online music store that operates by subscription. It is headquartered in New York City and owned by Dimensional Associates, LLC. … http://en.wikipedia.org/wiki/EMusic

Press Releases – Mi5 Networks Secure Web Gateway, Feb 2, 2009: … Detailed reports enable eMusic to quickly identify infected machines on the network, understand the specific types of malware involved and …
http://www.mi5networks.com/news/press/2009_0202-eMusic.com-Selects-Mi5-Networks-in-Favor-of-Solo-Web-Security-Products.htm 

Apparent Open Source Project: eMusic/J 0.25
http://mac.softpedia.com/get/Multimedia/eMusic-J.shtml

Uh Oh…….

Name: Adware.Win32.eMusic Toolbar
http://www.emsisoft.com/en/malware/?Adware.Win32.eMusic+Toolbar

FORENSICS:

FILES detected (apparently instantly, on inserting the USB MP3 Player):

DESKTOP: (Windows XP Home)

#emusic.oem

#emusiclogo.gif

#Tries to connect to “malicious host” emusic.com / apparent back door threat? Blocked. USB stick removed. Still attempts to connect after the PC is restarted or when using media player(s). A registry hook seems possible? Scanned, not found. Looking manually.

SYMPTOMOLOGY:

Stick in and out (on desktop). The continuing attempt to re-connect to
“emusic.com” indicates either a registry hook of some sort or, worse, a rootkit, as it is not visible in the registry. See the Sony rootkit nightmare.

#SCANNED – FOUND: MOBILE PC (Windows CE 3.0 / Pocket PC 2002)

Installs apparent mass emailing worm as possible part of “cross infection”:

#FlashMates_(v1[1].0.4)_Setup.exe, which is identified as
Email-Worm.Win32.Apbost!IK [Ikarus antivirus = IK]

SEE: Analyzing the Crossover Virus: The First PC to Windows Handheld
Cross-infector – http://www.informit.com/articles/article.asp?p=458169&rl=1

NOTES: Adding more if found

The exercise? Watch out that you didn’t get the real product.

—-

SCAN RESULTS:

a-squared Anti-Malware v. 4.5.0.19
(C) 2003-2009 Emsi Software GmbH –

ID Object
0 C:\Program Files\Uniblue\System Tweaker\System Tweaker.exe
Backdoor.Win32.Wootbot!IK
1 C:\Documents and Settings\cbgerry\MyDocuments\POCKETPC-DOXX\FlashMates_(v1[1].0.4)_Setup.exe
Email-Worm.Win32.Apbost!IK

NOTES: The “Email-Worm.Win32.Apbost!IK” is the worm and the file name is
“FlashMates_(v1[1].0.4)_Setup.exe”.
(Location “POCKETPC-DOXX” is a dummy folder it was caught in. It takes two to play games. IK is the symbol for Ikarus antivirus.)

—-
NOTES:
New start-up after quarantine, and the emusic connect attempt was blocked again
(anti-malware program). A registry hook (originally suspected as the cause) generally is involved with one entity (unless multiple), here media players, and is easily detected and deleted. This did show files in two media players (with premium features) and has now jumped to Windows Media Player – which symptomology is as a self-replicating worm does, but apparently here – as indeed a rootkit does – it is like a matrix that can continually give various commands (more powerful than a trojan, and can continually install more software), and that is the best guess for the symptoms experienced. The activity shows the “matrix” (several) commands severally or multiple times after deletions, which is almost as the self-replicating worm does when deleted and reinstalled elsewhere but finally gets deleted by antivirus. This indicates the rootkit activity as quite possible, and the infection.

[THESE ARE ALL CLOSED OCT 2009]…..

Visit: PDA Mobile Cafe Homepage
http://www.pdamobilecafe.bluecollarpc.net/index.html
Mobile Portal: http://mysite.verizon.net/gerald_309/id16.html
Forums: http://pdamobilecafe.freeforums.org/

Posted in PDAMobileCafe Blog Alerts, PDAMobileCafe Blog Announcements,
PDAMobileCafe BlogPosts

—-

PDA Antivirus solutions available – shop!
By pdamobilecafe
Security Software: PDA Antivirus solutions available….. shop !

Try a trial version of the products where available. The mobile computer is now NO different than the desktop – all the same threats are now out here. Symbian gets slammed.

PDA ANTI-VIRUS SOLUTIONS :
Air Scanner.com AntiVirus (Free/Private Use, and Company/Corporate License)
http://www.airscanner.com (Also sells PDA Firewall ! )
Online updates through ActiveSync! From the company that wrote the
best-selling technical book Maximum Wireless Security comes a professional-strength virus scanner for the Pocket PC.

BullGuard Mobile for PPC
http://www.bullguard.com/mobile/
Protect yourself against malware when online with your PPC.

ExoVirusStop 1.0.4
http://www.exosyphen.com/
http://downloads-zdnet.com.com/ExoVirusStop/3000-11138_2-10358960.html
http://www.download.com/ExoVirusStop/3000-11138_4-10358960.html
Protect your Symbian series 60 phone against viruses and Trojans, with this
antivirus product. ExoVirusStop brings some new and innovative features, which make this software unique. The file size is small, so it won’t use up your phone’s storage space. Very fast scanning engine takes a few seconds to check your phone for viruses. Virus dictionary allows you to read useful information and details on the viruses that exist for the Symbian OS. Known viruses and their variants: Caribe, Skulls, Mosquitos, Gavno.

F-Secure.com (Pocket PC, Pocket PC 2002, Windows Mobile and PocketPC 2003)
http://www.f-secure.com/wireless/
F-Secure is the forerunner in creating security applications that are optimized for wireless devices and offer reliable and automatic on-device protection. F-Secure Anti-Virus ensures complete protection for your handheld devices. F-Secure also offers security solutions for mobile operators and service providers. Microsoft ActiveSync 3.5 or later to install. The virus definitions of F-Secure Anti-Virus for Pocket PC can also be updated over a wireless connection, such as GSM/GPRS phone, WLAN or Bluetooth connectivity.

ESET Mobile Antivirus for Smartphones
http://www.eset.com/products/
(Eset makes the famed NOD32 Antivirus for PCs)
Mobile devices like Smartphones and PocketPCs are exploding in numbers. Malware that targets them is bound to follow. Detecting and disabling these emerging threats requires sophistication beyond signature-based antivirus. ESET’s heuristics engine is the best protection for individuals and businesses that depend on mobile communication. Fast and thorough scanning keeps your files free of malware and our SMS spam filter keeps your text message folder uncluttered.

Kaspersky Security for PDAs (Palm, PocketPC)
http://www.kaspersky.com/homeuser?chapter=4157432
Today, most of us own not only PCs and laptops, but handhelds as well. They
provide convenient, portable data storage. But this convenience may come at a price. The down side is that handhelds are just as subject to virus infections and data theft as PCs and laptops. They also offer viruses entry to home and business networks alike.

SMobileSystems (FB-4 Virus Guard)
Formerly, FB-4 Virus Guard http://www.fb-4.com
SMobileSystems
http://secure.smobilesystems.com/main/home/index.php
About SMobile Systems:
SMobile is the world leader in providing comprehensive software
security solutions for all major mobile device platforms, including
BlackBerry, Windows Mobile, Symbian, Palm, iPhone and Android.

Avira AntiVir Mobile
Professional virus and malware defense for Pocket PCs and smartphones
http://www.avira.com/en/products/avira_antivir_mobile_3.html
Operating systems: Windows Mobile 2003 for Pocket PC, Windows Mobile
2003 Second Edition, Windows Mobile 5 and Windows Mobile 6.1 (Classic
and Professional Edition) Processors: ARM or Intel x86
MORE:
Nokia 3230, 6260, 6600, 6620, 6630, 6670, 6680, 6681, 6682, 7610, N70 and N72 Panasonic X700 and X800 Samsung SGH-Z600, SGH-D720 and SGH-D730 Nokia Communicator 9300 and 9500

PC-cillin Virus Protection (Full Services- All Downloads ARM,etc.)
http://download.com.com/3000-2239-9649107.html
WebClip: “Protect your computer and PDA from viruses at home or on the go with PC-Cillin 2003. PC-Cillin combines advanced virus detection and cleaning with an integrated firewall to safeguard your system from hackers and malicious code threats in e-mail and instant messaging and while surfing the Internet. New features such as Wi-Fi protection help secure your computer when connecting to a wireless LAN network, and Outbreak Alert gives you early warning about new viruses.”

PC-cillin Virus/ Wireless2.0 – PalmOS 3.1-up [32k]
Freeware version. Scans all files and identifies any that are infected. Log report.
http://download.com.com/3000-2363-10179689.html?tag=lst-0-1

PC-cillin Virus/ Wireless2.0[MIPS]Windows3.0 [612k]
Freeware version. Scans all files and identifies any that are infected. Log report (1k,
each scan, deletable) includes virus list.
http://download.com.com/3000-2178-10179705.html?tag=lst-0-3

PC-cillin Virus/ Wireless2.0[SH3] Windows3.0[561k]
Freeware version. Scans all files and identifies any that are infected. Log report (1k,
each scan, deletable) includes virus list.
http://download.com.com/3000-2178-10179701.html?tag=lst-0-4

PC-cillin Virus/ Wireless2.0[ARM] Windows3.0 [535k] (PocketPC)
Freeware version. Scans all files and identifies any that are infected. Log report (1k,
each scan, deletable) includes virus list.
http://download.com.com/3000-2178-10179699.html?tag=lst-0-2

Symantec AntiVirus™ for Handhelds – Norton
http://www.symantec.com/
Annual-subscription anti-virus protection with LiveUpdate for PDA / Palm and PocketPC, and other versions. Works through sync (HotSync, ActiveSync, etc.). Protects the device and also over wireless internet such as WiFi 802.11. Check it out: LiveUpdate downloads wirelessly as well. Protects infrared beaming!

Anti-virus for Symbian Series 60 – now free (ExoVirusStop.com)!!!
Current IT news from heise online – London, UK
http://www.heise-online.co.uk/security/Anti-virus-for-Symbian-Series-60-now-free/news/112439
Exosyphen Studios has made its ExoVirusStop anti-virus software for Symbian Series 60 mobiles running variants of S60 1st and 2nd Edition free to download –
http://www.exovirusstop.com/
The older S60 1st and 2nd Edition phones include those up to the Nokia N70 and N90. According to the company’s blog, “there are no strings attached and no catches.” … FULL STORY

————————————

[THESE ARE ALL CLOSED OCT 2009]…..

PDA Mobile Cafe Members Area:
http://www.pdamobilecafe.bluecollarpc.net/members1.html
PDA Mobile Cafe AvantGo Channel (view online):
http://mysite.verizon.net/gerald_309/id16.html
Wireless Help Links:
PDA Mobile Café
http://www.pdamobilecafe.bluecollarpc.net/pdawireless.html
Vista: http://www.bluecollarpc.net/myvistapc.html
BlueCollarPC.Net: http://www.bluecollarpc.net/allwireless1.html
Philly-WiFi Philadelphia Wireless Club:
http://tech.groups.yahoo.com/group/Philly-WiFi/

Tags: airborne, mobile antimalware, mobile antivirus, mobile malware, mobile security