Spyware.MobileSpy
Friday, June 27 2008
Symantec Security Response
http://www.symantec.com/business/security_response/index.jsp
Spyware.MobileSpy
Updated: May 2, 2007 8:00:08 PM
Type: Spyware
Name: Mobile Spy
Publisher: Retina-X Studios
Risk Impact: Medium
SUMMARY
Behavior
Spyware.MobileSpy is a spyware program that records SMS messages and phone information and sends this information to a predetermined remote location. This security risk must be manually installed.
Protection
- Initial Rapid Release version May 3, 2007
- Latest Rapid Release version May 9, 2007
- Initial Daily Certified version May 3, 2007
- Latest Daily Certified version May 9, 2007
- Initial Weekly Certified release date May 9, 2007
TECHNICAL DETAILS
Once installed on the mobile device, the security risk adds the following folders:
- \Windows\AppMgr\Retina-X Studios Smartphone
- \Program Files\Smartphone
Next, it creates the following files:
- \Windows\AppMgr\Retina-X Studios Smartphone\4001.tmp
- \Program Files\Smartphone\OpenNETCF.Net.dll
- \Program Files\Smartphone\OpenNETCF.dll
- \Program Files\Smartphone\Smartphone.exe
- \Program Files\Smartphone\hsmsutil.dll
- \Program Files\Smartphone\smarphone.log
- Smartphone.exe
- MobileSpy.CAB
The program then creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Apps\Retina-X Studios Smartphone\"Instl" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Apps\Retina-X Studios Smartphone\"InstallDir" = "\Program Files\Smartphone"
HKEY_LOCAL_MACHINE\SOFTWARE\Apps\Retina-X Studios Smartphone\"InstlDir" = "\Program Files\Smartphone"
HKEY_LOCAL_MACHINE\SECURITY\AppInstall\Retina-X Studios Smartphone\ExecutableFiles\"\Program Files\Smartphone\Smartphone.exe" = ""
HKEY_LOCAL_MACHINE\SECURITY\AppInstall\Retina-X Studios Smartphone\ExecutableFiles\"InstallDir" = "\Program Files\Smartphone"
HKEY_LOCAL_MACHINE\SECURITY\AppInstall\Retina-X Studios Smartphone\ExecutableFiles\"Role" = "003e700"
HKEY_LOCAL_MACHINE\SECURITY\AppInstall\Retina-X Studios Smartphone\ExecutableFiles\"Uninstall" = "\Windows\AppMgr\Retina-X Studios Smartphone\4001.tmp"
HKEY_LOCAL_MACHINE\SOFTWARE\RetinaxStudios\"Autologin" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\RetinaxStudios\"Password" = [PASSWORD FOR ACCOUNT]
HKEY_LOCAL_MACHINE\SOFTWARE\RetinaxStudios\"Username" = [USERNAME FOR ACCOUNT]
HKEY_LOCAL_MACHINE\SOFTWARE\RetinaxStudios\"RememberUser" = 1
HKEY_LOCAL_MACHINE\SOFTWARE\RetinaxStudios\"ReportTime" = "1"
The mobile device may then be configured to record the following SMS messaging and phone information:
- Sender's Number
- Recipient's Number
- Date & Time
- Message Contents
- Number Dialed
- Number of Caller
- Date & Time
- Call Direction
The program establishes an HTTP connection every 30 minutes and sends the gathered data to the following locations:
- [http://]www.mobile-spy.com/webapi/sms[REMOVED]
- [http://]www.mobile-spy.com/webapi/logi[REMOVED]
- [http://]www.mobile-spy.com/webapi/callsl[REMOVED]
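The 30-minute reporting interval and the /webapi/ destination described above can be checked for in web proxy logs. The following is an added example, not part of the original write-up: the log format, the client addresses, the placeholder URL paths and the two-minute jitter tolerance are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

HOST = "www.mobile-spy.com"   # host named in the write-up
PATH_PREFIX = "/webapi/"      # full paths are elided on the page, so match the prefix only
INTERVAL_S = 30 * 60          # reporting interval given in the write-up
TOLERANCE_S = 120             # assumption: jitter allowed around the interval

# Constructed proxy log lines in an assumed "<ISO time> <client> <url>" format.
SAMPLE_LOG = """\
2008-06-27T09:00:05 10.0.0.23 http://www.mobile-spy.com/webapi/PLACEHOLDER-1
2008-06-27T09:00:07 10.0.0.23 http://www.mobile-spy.com/webapi/PLACEHOLDER-2
2008-06-27T09:05:00 10.0.0.57 http://www.mobile-spy.com/webapi/PLACEHOLDER-1
2008-06-27T09:12:41 10.0.0.41 http://www.mobile-spy.com/index.html
2008-06-27T09:17:30 10.0.0.57 http://www.mobile-spy.com/webapi/PLACEHOLDER-1
2008-06-27T09:30:06 10.0.0.23 http://www.mobile-spy.com/webapi/PLACEHOLDER-1
2008-06-27T09:30:08 10.0.0.23 http://www.mobile-spy.com/webapi/PLACEHOLDER-2
this line is malformed
2008-06-27T10:00:04 10.0.0.23 http://www.mobile-spy.com/webapi/PLACEHOLDER-1
2008-06-27T10:30:09 10.0.0.23 http://www.mobile-spy.com/webapi/PLACEHOLDER-1
"""

def find_reporting_clients(log_text, min_cycles=3):
    """Return, per client, how many /webapi/ requests were seen and whether they recur every ~30 min."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ts, client, url = line.split(maxsplit=2)
            when, parts = datetime.fromisoformat(ts), urlsplit(url)
        except ValueError:
            continue  # blank or malformed line
        if parts.hostname == HOST and parts.path.lower().startswith(PATH_PREFIX):
            hits[client].append(when)
    findings = {}
    for client, times in hits.items():
        times.sort()
        cycles = [times[0]]  # one reporting cycle may contact several endpoints in a burst
        for t in times[1:]:
            if (t - cycles[-1]).total_seconds() > TOLERANCE_S:
                cycles.append(t)
        gaps = [(b - a).total_seconds() for a, b in zip(cycles, cycles[1:])]
        periodic = len(cycles) >= max(min_cycles, 2) and abs(median(gaps) - INTERVAL_S) <= TOLERANCE_S
        findings[client] = {"requests": len(times), "cycles": len(cycles), "periodic": periodic}
    return findings

if __name__ == "__main__":
    for client, info in sorted(find_reporting_clients(SAMPLE_LOG).items()):
        print(client, info)
```

Any client contacting the /webapi/ prefix is worth a look on its own; the periodic flag separates a device that is actively reporting from a one-off request.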
REMOVAL
- Install a file manager program on the device.
- Enable the option to view the files in the system folder.
- Delete the following malicious files:
  Smartphone.exe
  MobileSpy.CAB
- Navigate to and delete the following folders:
  \Windows\AppMgr\Retina-X Studios Smartphone
  \Program Files\Smartphone
- Navigate to and delete the following registry subkeys:
  HKEY_LOCAL_MACHINE\SOFTWARE\Apps\Retina-X Studios Smartphone
  HKEY_LOCAL_MACHINE\Security\AppInstall\Retina-X Studios Smartphone\ExecutableFiles
  HKEY_LOCAL_MACHINE\SOFTWARE\RetinaxStudios
- Exit the file manager.

