New Worm for Symbian serie 60: Lasco.A

Summary

Lasco.A is a bluetooth using worm that runs in Symbian mobile phones that support Series 60 platform.

The Lasco.A is based on the same source as Cabir.H and is very similar to it. The main difference between Cabir.H and Lasco.A is that in addition of spreading with bluetooth, Lasco.A will insert itself to any SIS files it finds in the device.

Lasco.A replicates over bluetooth connections and arrives to phone messaging inbox as velasco.sis file that contains the worm. When user clicks the velasco.sis and chooses to install the velasco.sis file the worm activates and starts looking for new devices to infect over bluetooth.

When Lasco worm finds another bluetooth device it will start sending infected SIS files to it, as long as the target phone is in range. Like Cabir.H,Lasco.A is capable of finding a new target, after the first one has gone out of range.

Please note that Lasco worm can reach only mobile phones that support bluetooth, and are in discoverable mode.



Setting you phone into non-discoverable (hidden) Bluetooth mode will protect your phone from Cabir worm.

But once the phone is infected it will try to infect other systems even as user tries to disable bluetooth from system settings


Disinfection

F-Secure Mobile Anti-Virus will detect the Lasco.A and delete the worm components. After deleting worm files you can delete this directory: c:\system\symbiansecuredata\velasco\

If your phone is infected with Lasco.A and you cannot install files over bluetooth, you can download F-Secure Mobile Anti-Virus directly to your phone

1. Open web browser on the phone
2. Go to http://mobile.f-secure.com
3. Select link "Download F-Secure Mobile Anti-Virus" and then select phone model
4. Download the file and select open after download
5. Install F-Secure Mobile Anti-Virus
6. Go to applications menu and start Anti-Virus
7. Activate Anti-Virus and scan all files


Detailed Description

Replication

Lasco.A replicates over bluetooth in velasco.sis file that contains the worm main executable velasco.app, system recognizer marcos.mdl and resource file velasco.rsc. The SIS file contains autostart settings that will automatically execute velasco.app after the SIS file is being installed.

The velasco.sis file will not arrive automatically to the target device, so user needs to answer yes to the transfer question while the infected device is still in range.

When the Lasco.A worm is activated it will start looking for other bluetooth devices, and starts sending infected velasco.sis files to the first device it finds. After the first target phone is out of range the Lasco.A will continue searching and infecting other phones.

This modification in the replication mechanism, will make it more likely that Lasco.A will spread quickly once in the wild.

Infection

When the velasco.sis file is installed the installer will copy the worm executables into following locations:
c:\system\apps\velasco\velasco.rsc
c:\system\apps\velasco\velasco.app
c:\system\apps\velasco\flo.mdl

When the velasco.app is executed it copies the following files:
flo.mdl to c:\system\recogs
velasco.app to c:\system\symbiansecuredata\velasco\
caribe.rsc to c:\system\symbiansecuredata\velasco\

This is most likely done in case user installs the application to memory card, or to avoid user trying to disinfect the worm by uninstalling the original SIS file.

Then the worm will recreate the velasco.sis file from worm component files and data blocks that are in velasco.app.

After recreating the SIS file the Lasco.A will search for all SIS files in the device, add itself into those files and modify the SIS file header so that the Lasco.A embedded into target SIS files will activate automatically upon install of that SIS file into the device.

Source F-Secure