El virus WinCE/InfoJack se introduce en los dispositivos móviles con el objetivo de instalar archivos no deseados y robar información de los usuarios.Los móviles tampoco se libran de los virus. Los investigadores han descubierto un troyano que se dirige a los teléfonos móviles con sistema operativo Windows Mobile de Microsoft. Este troyano, el WinCE/InfoJack, instala archivos no deseados y roba información de los usuarios, además de dejar a los teléfonos vulnerables a las infecciones de malware.
Jimmy Shah, investigador de McAfee, informa de que el troyano cambia los ajustes de seguridad del telefono al nivel más bajo, de forma que abre la puerta a otros troyanos tipo malware, varios troyanos empaquetados, sin que el usuario lo pueda percibir. Según el EE.UU. Computer Emergency Response Team (US-Cert) el propio troyano, que cambia la página principal de la web del usuario, se defiende y no puede ser borrado.
La carga envenenada está oculta dentro de otras descargas de la web que sí son legítimas. De esta manera va infectando las aplicaciones que afectan a la página principal y a otras aplicacionescomo Google Maps, informa Vnunet.com.
La página web de China de donde salió este troyano ya ha sido inutilizada, pero US-Cert recomienda instalar y mantener el software antivirus y desconfiar de las aplicaciones que se instalan en sus telefonos móviles.
La información de cómo remover este virus de los ordenadores pueden conseguirla en esta página, pero está en ingles:
Virus Profile: WinCE/Infojack
Name:
WinCE/Infojack
Risk Assessment
- Home Users:
Low
- Corporate Users:
Low
Date Discovered:
27/02/2008
Date Added:
27/02/2008
Origin:
N/A
Length:
75,776
Type:
Trojan
SubType:
Worm
DAT Required:
5240
Virus Characteristics
WinCE/InfoJack is distributed in a file named "小游戏1. cab".
WinCE/InfoJack is installed with a collection of legitimate games
Name:
WinCE/Infojack
Risk Assessment
- Home Users:
Low
- Corporate Users:
Low
Date Discovered:
27/02/2008
Date Added:
27/02/2008
Origin:
N/A
Length:
75,776
Type:
Trojan
SubType:
Worm
DAT Required:
5240
Virus Characteristics
WinCE/InfoJack is distributed in a file named "小游戏1. cab".
WinCE/InfoJack is installed with a collection of legitimate games
WinCE/InfoJack installs to the handset and any installed memory card. The following files will be installed:
\Windows\mservice.exe
\Windows\setup.cfg
\Windows\StartUp\mservice.lnk
\Windows\mservice.exe
\Windows\setup.cfg
\Windows\StartUp\mservice.lnk
WinCE/InfoJack installs silently along with other applications
\Windows\mservice.exe run after installation. The shortcut in \Windows\StartUp also causes it to run at every reboot.
\Windows\mservice.exe run after installation. The shortcut in \Windows\StartUp also causes it to run at every reboot.
WinCE/InfoJack is set to run on startup
WinCE/InfoJack modifies a value under the registry key HKLM \Security\Policies\Policies\ to disable the unsigned application prompt. This allows it to install an update without the user being prompted for permission.
WinCE/InfoJack modifies a value under the registry key HKLM \Security\Policies\Policies\ to disable the unsigned application prompt. This allows it to install an update without the user being prompted for permission.
It copies itself to:
\Windows\Autorun\存储卡2\autorun.exe
\存储卡\2577\autorun.exe
\Windows\Autorun\存储卡2\autorun.exe
\存储卡\2577\autorun.exe
WinCE/InfoJack installs as an autorun program on the memory card
When \Windows\mservice.exe is deleted, it is recreated.
WinCE/InfoJack only affects devices whose default language is Simplified Chinese. It will check the default language on device. If the default language is not Simplified Chinese, it will quit.
When \Windows\mservice.exe is deleted, it is recreated.
WinCE/InfoJack only affects devices whose default language is Simplified Chinese. It will check the default language on device. If the default language is not Simplified Chinese, it will quit.
WinCE/InfoJack attempts to download an update file named mservice2.zip. As the update web server is no longer active, the update file could not be analyzed.
WinCE/InfoJack modifies the value of the registry key HKLM\Software\Microsoft\Internet Explorer\AboutURLs to file:///windows/msw/index.html.
WinCE/InfoJack steals user and operating system information and sends it to the update server. The information includes IMEI, Major version, Minor version, Build number, Screen width and height, Memory, UILanguage and LangID, Model and Platform. It also sets a timer to send the device information. The update server is no longer active so the information will not be received by the malware author(s)
WinCE/InfoJack creates several threads and registers notifications to monitor changes to the device, such as if a memory card is inserted.
WinCE/InfoJack appears to include SMS functionality. No SMS were sent during testing.
1Little Games
1Little Games
2Memory Card
Indications of Infection
Modifies PocketIE aboutURL file path.
Disables unsigned application prompt
Method of Infection
WinCE/InfoJack is disguised as a setup file within installation CAB files for other legitimate applications.
WinCE/InfoJack is also capable of propagating itself via an infected memory card.
Indications of Infection
Modifies PocketIE aboutURL file path.
Disables unsigned application prompt
Method of Infection
WinCE/InfoJack is disguised as a setup file within installation CAB files for other legitimate applications.
WinCE/InfoJack is also capable of propagating itself via an infected memory card.
Fuente: siliconnews.es/vnunet.es/McAfee
Knowledge Base
Comentarios