January 13, 2011

WinCE.PmCryptic.A on Windows Smart Phone

A polymorphic virus that changes its form with each action has recently been found. It is a file-infecting virus that spreads via storage cards, generating a new polymorphic copy of itself each time, and it can cause a severe nuisance on a compromised phone, including unwanted calls to toll numbers.



It has many payloads and does several things:
It starts with an error message consisting of a blank page with an 'X' mark.
After some time it automatically calls a number, and later it calls 1860, a toll number that differs between telephony providers but is often directory services. The compromised phone dials this number approximately every 11 hours.

It also changes the phone display automatically, setting a black theme that looks like this:


Users cannot see what they are clicking on. The virus also copies itself, in a polymorphic fashion, to flash storage cards and the Windows directory, with each copy having a different size, MD5 and a randomly generated date/time stamp. The worm creates hidden folders, and when the device is connected to a PC and the files are unhidden, they appear as folders, so users are tricked into thinking they are just another system folder. Each copy carries the same name as the worm itself.
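As an added example (not code from the original post), the following Python script applies the copy pattern described above to a storage card that has been mounted on a PC: it flags file names that appear in several folders with differing sizes and MD5 digests, and files that carry the name of a folder on the card. It assumes the card is mounted at a path on the analyst's machine; the file names in the sample tree are constructed, since the post does not give the worm's own file names.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def md5_of(path, chunk=65536):
    """MD5 of a file, read in chunks so a whole card image is never held in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_card(root):
    """Returns (polymorphic, lookalikes): polymorphic maps a file name to its
    [(path, size, md5)] copies when it occurs in several folders with differing
    digests; lookalikes lists files named (sans extension) like a folder on the card."""
    by_name = defaultdict(list)
    dir_names = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dir_names.update(d.lower() for d in dirnames)
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            by_name[fn.lower()].append((p, os.path.getsize(p), md5_of(p)))
    polymorphic = {n: c for n, c in by_name.items()
                   if len(c) > 1 and len({m for _, _, m in c}) > 1}
    lookalikes = [p for n, c in by_name.items()
                  if os.path.splitext(n)[0] in dir_names for p, _, _ in c]
    return polymorphic, lookalikes

def build_sample_card():
    """Constructed sample card ('sample_worm.exe' is a stand-in name; the post does
    not give the worm's real file names). Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="card_")
    for d in ("Windows", "My Documents"):
        os.makedirs(os.path.join(root, d))
    samples = {
        "sample_worm.exe": b"MZ" + b"A" * 300,               # copy 1
        "My Documents/sample_worm.exe": b"MZ" + b"B" * 450,  # copy 2: same name, new size/MD5
        "My Documents/Windows.exe": b"MZ" + b"C" * 100,      # file named like a system folder
        "notes.txt": b"same content",                        # benign identical copies:
        "My Documents/notes.txt": b"same content",           # must not be flagged
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return root
```

Run `scan_card` against the real mount point instead of `build_sample_card()` to triage a suspect card; identical benign copies are deliberately left unflagged.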

Removal:
It creates hidden entries under Program Files. Un-hide them and delete the following files:
%appdata%\microsoft\internet explorer\quick launch\Worm.WinCE.PMCryptic.a.lnk
%desktop%\Worm.WinCE.PMCryptic.a support.lnk
%desktop%\Worm.WinCE.PMCryptic.a.lnk
%commonprograms%\Worm.WinCE.PMCryptic.a\about.lnk
%commonprograms%\Worm.WinCE.PMCryptic.a\activate.lnk
%commonprograms%\Worm.WinCE.PMCryptic.a\buy.lnk
%commonprograms%\Worm.WinCE.PMCryptic.a\Worm.WinCE.PMCryptic.a support.lnk
%commonprograms%\Worm.WinCE.PMCryptic.a\Worm.WinCE.PMCryptic.a.lnk
%commonprograms%\Worm.WinCE.PMCryptic.a\scan.lnk
%commonprograms%\Worm.WinCE.PMCryptic.a\settings.lnk
%commonprograms%\Worm.WinCE.PMCryptic.a\update.lnk
%programfiles%\Worm.WinCE.PMCryptic.a\about.ico
%programfiles%\Worm.WinCE.PMCryptic.a\activate.ico
%programfiles%\Worm.WinCE.PMCryptic.a\buy.ico
%programfiles%\Worm.WinCE.PMCryptic.a\def.db
%programfiles%\Worm.WinCE.PMCryptic.a\defext.dll
%programfiles%\Worm.WinCE.PMCryptic.a\defhook.dll
%programfiles%\Worm.WinCE.PMCryptic.a\defcnt.exe
%programfiles%\Worm.WinCE.PMCryptic.a\help.ico
%programfiles%\Worm.WinCE.PMCryptic.a\scan.ico
%programfiles%\Worm.WinCE.PMCryptic.a\settings.ico
%programfiles%\Worm.WinCE.PMCryptic.a\splash.mp3
%programfiles%\Worm.WinCE.PMCryptic.a\uninstall.exe
%programfiles%\Worm.WinCE.PMCryptic.a\update.ico
%programfiles%\Worm.WinCE.PMCryptic.a\virus.mp3

Then delete the registry entries:

  • hklm\SOFTWARE\Worm.WinCE.PMCryptic.a
  • hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Worm.WinCE.PMCryptic.a
  • hkcu\Software\Microsoft\Windows\CurrentVersion\Run "Worm.WinCE.PMCryptic.a"
  • hkcr\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}

After completing these steps, scan the device with an anti-virus program. To prevent infection, be cautious about which applications you run on your device, and scan storage or memory cards before opening them.
