WinCE/Infojack
- Trojan
- Worm
- 02/27/2008
- 75,776
- (02/28/2008)
- (02/28/2008)
- 5.1.00
- 02/27/2008
- 02/27/2008 5:38 PM (PT)
Risk Assessment
- Corporate User
- Home User
Characteristics
WinCE/InfoJack is distributed in a file named "小游戏.cab" [1].
Fig 1 - WinCE/InfoJack is installed with a collection of legitimate games
WinCE/InfoJack installs to the handset and to any installed memory card. The following files are installed:
- \Windows\mservice.exe
- \Windows\setup.cfg
- \Windows\StartUp\mservice.lnk
Fig 2 - WinCE/InfoJack installs silently along with other applications
\Windows\mservice.exe runs after installation. The shortcut in \Windows\StartUp also causes it to run at every reboot.
Fig 3 - WinCE/InfoJack is set to run on startup
WinCE/InfoJack modifies a value under the registry key HKLM\Security\Policies\Policies to disable the unsigned application prompt. This allows it to install an update without the user being prompted for permission.
It copies itself to:
- \Windows\Autorun\存储卡\autorun.exe [2]
- \存储卡\2577\autorun.exe
Fig 3 - WinCE/InfoJack installs as an autorun program on the memory card
When \Windows\mservice.exe is deleted, it is recreated.
WinCE/InfoJack only affects devices whose default language is Simplified Chinese. It checks the default language on the device and quits if the default language is not Simplified Chinese.
WinCE/InfoJack attempts to download an update file named mservice2.zip. As the update web server is no longer active, the update file could not be analyzed.
WinCE/InfoJack modifies the value of the registry key HKLM\Software\Microsoft\Internet Explorer\AboutURLs to file://\windows\mswindex.html.
WinCE/InfoJack steals user and operating system information and sends it to the update server. The information includes IMEI, Major version, Minor version, Build number, Screen width and height, Memory, UILanguage and LangID, Model and Platform. It also sets a timer to send the device information. The update server is no longer active, so the information will not be received by the malware author(s).
WinCE/InfoJack creates several threads and registers notifications to monitor changes to the device, such as if a memory card is inserted.
WinCE/InfoJack appears to include SMS functionality. No SMS were sent during testing.
[1] 小游戏: Little Games
[2] 存储卡: Memory Card
Symptoms
- Modifies PocketIE aboutURL file path.
- Disables unsigned application prompt
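The characteristics and symptoms above describe a small, fixed set of host changes: new files under \Windows and a \2577\autorun.exe on any card, a modified value under HKLM\Security\Policies\Policies, and PocketIE's AboutURLs redirected to a local file. The following audit script is an added example, not McAfee's code or a published InfoJack tool. It assumes registry and file listings have already been exported from the device as plain tab-separated text (by whatever RAPI or backup tool you use), compares the policy key against a known-good baseline rather than hard-coding policy semantics, and flags the file and AboutURLs indicators named on this page. The sample snapshot data is constructed, and the value name 0000101b is assumed to be the unsigned-prompt policy value on the device in question.

```python
"""Audit a Windows Mobile registry/file export for the changes WinCE/InfoJack makes.

Added example, not part of the McAfee description. Snapshots are assumed to be
plain text lines of the form  key<TAB>value<TAB>data  produced by an export tool;
all sample data below is constructed.
"""

POLICY_KEY = r"HKLM\Security\Policies\Policies"
ABOUTURLS_KEY = r"HKLM\Software\Microsoft\Internet Explorer\AboutURLs"

# File indicators taken from the description. Matched case-insensitively on the
# path tail so that "\Storage Card\2577\autorun.exe" matches whatever the card is called.
FILE_INDICATORS = (
    r"\Windows\mservice.exe",
    r"\Windows\setup.cfg",
    r"\Windows\StartUp\mservice.lnk",
    r"\2577\autorun.exe",
)


def parse_snapshot(text):
    """Parse 'key<TAB>value<TAB>data' lines into {(key, value): data} (keys lowercased)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"malformed snapshot line: {line!r}")
        key, value, data = parts
        entries[(key.lower(), value.lower())] = data
    return entries


def policy_changes(baseline, current):
    """Values under the security policy key that differ from the baseline.

    Diffing against a baseline avoids encoding the meaning of each policy value;
    any change to this key on an unmanaged consumer device deserves a look.
    """
    changes = []
    for (key, value), data in current.items():
        if key == POLICY_KEY.lower():
            old = baseline.get((key, value))
            if old != data:
                changes.append((value, old, data))
    return sorted(changes)


def local_about_urls(current):
    """AboutURLs values redirected to a local file (the PocketIE symptom)."""
    return sorted(
        value
        for (key, value), data in current.items()
        if key == ABOUTURLS_KEY.lower() and data.lower().startswith("file:")
    )


def indicator_files(paths):
    """Paths from a file listing that match one of the InfoJack file indicators."""
    return [
        p for p in paths
        if any(p.lower().endswith(ind.lower()) for ind in FILE_INDICATORS)
    ]


def audit(baseline_text, current_text, file_list):
    """Run all three checks and return their findings in one dict."""
    baseline = parse_snapshot(baseline_text)
    current = parse_snapshot(current_text)
    return {
        "policy_changes": policy_changes(baseline, current),
        "local_about_urls": local_about_urls(current),
        "indicator_files": indicator_files(file_list),
    }


# Constructed sample exports. 0000101b is assumed to be the unsigned-prompt
# policy value on this device; the 1 -> 0 change is illustrative only.
BASELINE = (
    "HKLM\\Security\\Policies\\Policies\t0000101b\t1\n"
    "HKLM\\Software\\Microsoft\\Internet Explorer\\AboutURLs\tblank\tabout:blank\n"
)
CURRENT = (
    "HKLM\\Security\\Policies\\Policies\t0000101b\t0\n"
    "HKLM\\Software\\Microsoft\\Internet Explorer\\AboutURLs\tblank\tfile://\\windows\\mswindex.html\n"
)
FILES = [
    "\\Windows\\mservice.exe",
    "\\Windows\\setup.cfg",
    "\\Windows\\StartUp\\mservice.lnk",
    "\\Windows\\calc.exe",
    "\\Storage Card\\2577\\autorun.exe",
]

if __name__ == "__main__":
    for name, findings in audit(BASELINE, CURRENT, FILES).items():
        print(f"{name}: {findings}")
```

Because the policy check is a baseline diff, the script reports the changed value name with its old and new data rather than judging the data itself; confirm the meaning of the reported value against the documentation for the device's Windows Mobile version before acting on it.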
Method of Infection
WinCE/InfoJack is disguised as a setup file within installation CAB files for other legitimate applications. WinCE/InfoJack is also capable of propagating itself via an infected memory card.
Removal
-
Variants
N/A
All Information
Overview
WinCE/InfoJack is malware that steals information on the device and sends it to a web site. It also disables a security setting allowing unsigned applications to be installed without a warning.
Aliases:
- WinCE/Infomeiti (Symantec)