Category: LINUX

2010-12-10 17:42:10

WinCE/Infojack

Trojan
Worm
02/27/2008
75,776
(02/28/2008)
(02/28/2008)
5.1.00
02/27/2008
02/27/2008 5:38 PM (PT)

Characteristics

WinCE/InfoJack is distributed in a file named "小游戏1.cab".

Fig 1 - WinCE/InfoJack is installed with a collection of legitimate games

WinCE/InfoJack installs to the handset and any installed memory card. The following files will be installed:

  • \Windows\mservice.exe
  • \Windows\setup.cfg
  • \Windows\StartUp\mservice.lnk

Fig 2 - WinCE/InfoJack installs silently along with other applications

\Windows\mservice.exe runs after installation. The shortcut in \Windows\StartUp also causes it to run at every reboot.

Fig 3 - WinCE/InfoJack is set to run on startup

WinCE/InfoJack modifies a value under the registry key HKLM\Security\Policies\Policies to disable the unsigned application prompt. This allows it to install an update without the user being prompted for permission.

It copies itself to:

  • WindowsAutorun存储卡2autorun.exe
  • 存储卡2577autorun.exe

Fig 3 - WinCE/InfoJack installs as an autorun program on the memory card

When \Windows\mservice.exe is deleted, it is recreated.

WinCE/InfoJack only affects devices whose default language is Simplified Chinese. It checks the default language on the device and quits if it is not Simplified Chinese.
 
WinCE/InfoJack attempts to download an update file named mservice2.zip. As the update web server is no longer active, the update file could not be analyzed. 

WinCE/InfoJack modifies the value of the registry key HKLM\Software\Microsoft\Internet Explorer\AboutURLs to file://\windows\mswindex.html.

WinCE/InfoJack steals user and operating system information and sends it to the update server. The information includes IMEI, Major version, Minor version, Build number, Screen width and height, Memory, UILanguage and LangID, Model and Platform. It also sets a timer to send the device information. The update server is no longer active, so the information will not be received by the malware author(s).

WinCE/InfoJack creates several threads and registers notifications to monitor changes to the device, such as if a memory card is inserted.

WinCE/InfoJack appears to include SMS functionality. No SMS messages were sent during testing.

¹ Little Games
² Memory Card

Symptoms

  • Modifies PocketIE aboutURL file path.
  • Disables unsigned application prompt
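As an added example (not part of the McAfee description), a Python check that runs over a constructed inventory of a handset's file paths and registry values and flags the indicators listed above: the known file names, an autorun binary in a memory card's CPU-id directory, a PocketIE about page redirected to a local file, and any security policy value that differs from a clean baseline snapshot. The policy value names and the baseline are made up for the example.

```python
"""Scan a constructed Windows CE device inventory for WinCE/InfoJack indicators.
Added example; the inventory and policy names below are constructed, not real."""

# File names the description lists as installed on the handset (lower-case).
INFOJACK_FILES = {
    r"\windows\mservice.exe",
    r"\windows\setup.cfg",
    r"\windows\startup\mservice.lnk",
}
POLICIES_KEY = r"hklm\security\policies\policies"
ABOUTURLS_KEY = r"hklm\software\microsoft\internet explorer\abouturls"


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def scan(files, registry, baseline_policies):
    """Return a list of findings. `registry` maps r"KEY\valuename" -> data;
    `baseline_policies` maps lower-case policy value names to the data seen on
    a clean device, so a changed policy is spotted without hard-coding which
    policy number the malware touches (the page does not name it)."""
    findings = []
    seen = {_norm(f) for f in files}
    for f in sorted(INFOJACK_FILES & seen):
        findings.append(f"known InfoJack file present: {f}")
    # Windows CE runs \<card>\<CPU id>\autorun.exe when a card is inserted.
    for f in sorted(seen):
        parts = f.strip("\\").split("\\")
        if len(parts) == 3 and parts[1].isdigit() and parts[2] == "autorun.exe":
            findings.append(f"autorun binary on removable card: {f}")
    for full, data in registry.items():
        key, _, name = _norm(full).rpartition("\\")
        if key == ABOUTURLS_KEY and str(data).lower().startswith("file://"):
            findings.append(f"PocketIE about page redirected to local file: {name} -> {data}")
        if key == POLICIES_KEY and name in baseline_policies and baseline_policies[name] != data:
            findings.append(f"security policy changed from baseline: {name} -> {data}")
    return findings


# Constructed sample inventory of an infected handset plus inserted card.
SAMPLE_FILES = [r"\Windows\mservice.exe", r"\Windows\setup.cfg",
                r"\Windows\StartUp\mservice.lnk", r"\Windows\calc.exe",
                r"\存储卡\2577\autorun.exe"]
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Internet Explorer\AboutURLs\blank": r"file://\windows\mswindex.html",
    r"HKLM\Security\Policies\Policies\PolicyA": 0,   # constructed names
    r"HKLM\Security\Policies\Policies\PolicyB": 1,
}
CLEAN_POLICIES = {"policya": 0, "policyb": 0}       # constructed baseline

if __name__ == "__main__":
    for line in scan(SAMPLE_FILES, SAMPLE_REGISTRY, CLEAN_POLICIES):
        print(line)
```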

Method of Infection

WinCE/InfoJack is disguised as a setup file within installation CAB files for other legitimate applications.

WinCE/InfoJack is also capable of propagating itself via an infected memory card.

Removal

-

Variants

N/A

Overview

WinCE/InfoJack is malware that steals information on the device and sends it to a web site. It also disables a security setting, allowing unsigned applications to be installed without a warning.

Aliases:
WinCE/Infomeiti (Symantec)

