SymbOS.Hati Hati.A SMS Virus
SymbOS.Hatihati.A is a Trojan horse that runs on the Symbian OS. The Trojan is a piratedversion of the anti-theft software Guardian v0.95 which contains a bad configuration file. This virus resides at Mobile Memory and tries to send SMS automatically to the predefined numbers like +3396003964. HatiHati.A is a worm-like application that spreads via MMC cards. Once the worm copies itself to a new device, it starts sending a very high volume of SMS messages to a predefined number. The predefined number is inherent with the Hatihati.A malware and will not be picked from the contact list.
Below mentioned are the destination numbers detected so far that affected mobile is trying to send SMS automatically (due to virus infection).
• 3355713230
• 3203848325
• 3474935252
• 3207012810
• 3932590983
• 3396003964
* MMS sending is not affected by this virus because MMS is sent via GPRS.
* There is no known application that can detect this virus in any brand of mobile set.
|
Name :
|
Worm:SymbOS/HatiHati.A
|
|
|
Alias:
|
HatiHati.A
|
|
|
Type:
|
Worm
|
|
|
Category:
|
Malware
|
|
|
Platform:
|
SymbOS
|
|
Common symptoms of Hatihati.A malware infection:
* A Hatihati.A malware icon in the applications folder of the phone when the phone is rebooted without the SIM card.
* Unrecognized texted numbers on your cellphone logs.
* Difficulty in sending SMS due to the continuous sending of the said malware.
* Abnormally fast depletion of battery charge/power.
Location of Hatihati.A malware icon in the mobile set:
You can perform a simple test to verify that you are infected with the Hatihati.A Malware:
Step 1: Turn-off your mobile phone and remove the attached SIM card.
Step 2: Turn-on your mobile phone without the SIM card.
Step 3: Go to your applications folder and you should see a Hatihati.A application icon
named “Guardian” (as seen below).
Note: Image above is sourced from an infected Nokia N70 phone.
If after you have performed step mentioned above and have not seen the icon as specified,please contact your nearest Wireless Center for assistance.
Ways of spreading virus:
The Hatihati.A malware spread by the following ways:
* By inserting with an infected MMC or Memory Card and vice-versa. Sharing of MMC or Memory
Card in phones can spread the Hatihati.A malware.
* By downloading free mobile applications via untrusted WAP sites.
Note that this malware does not spread via sharing or transfer of SIM from one mobile phone
to another, nor via Bluetooth or Infrared.
Mobile units that are prone to Hatihati.A malware:
So far, high-end mobile phones with Symbian Operating System (OS) are found to be prone to
infection from Hatihati.A malware. Different brands, units, and models can be infected
regardless of its mobile service provider. Common infected phones include:
. N70
. N73
. N80
. Nokia 6680
You can check if your phone is vulnerable to the malware from below link:
http://www.s60.com/life/s60phones/browseDevices.do
Removal processes of the Hatihati.A Malware:
These are the recommended ways to remove the Hatihati.A malware:
1. Download F-secure software antivirus for Nokia and Non Nokia handsets and delete the
“Guardian” Folder.
2. Soft or hard formatting.
i. Create backup the address book, calendar and settings using “Nokia PC Suite”
ii. Format the MMC card from the computer using card reader
3. Use Deep Reset using code (*#7370# or *#7780″)
Normal Reset (*#7780#) : Restores ini files from rom but preserves user data (photos, 3rd
party apps etc)
Deep Reset (*#7370#) : This reformats completely the C: drive. All applications and files stored in this drive will be lost and clean default files will be rewritten.
4. Use 12345 as lock code ( for Nokia handsets ) when asked and press OK
5. Now Mobile will be restarted and will beback to its previous settings
* For detailed information regarding soft and hard formatting, please refer to the last section ( Step by step information on how to remove Hati Hati virus).
Safety & Security Tips for Prevention of the Hatihati.A Malware:
Here are some recommended preventive measures:
1. Refrain from phone sharing or swapping. Do not let others use your phone without your discretion.
2. Refrain from memory card sharing or swapping. Do not let others use your memory card without your discretion.
3. Avoid downloading free mobile applications from suspicious WAP sites or from Internet.
4. Do not install a pirated version of the anti-theft software Guardian v 0.95
Website Links for more information about Hati Hati virus:
- SYMANTEC:http://www.symantec.com/security_response/writeup.jsp?docid=2008-020609-5717-99McAfee :http://vil.nai.com/vil/content/v_144004.htm
http://www.f-secure.com/v-descs/worm_symbos_hatihati_a.shtml - FAQ on using F-Secure Anti-Virus solution for S60 OS mobiledeviceshttp://mobile. f-secure.com/FAQ/faqs60.html.
- This site contains a description about the software named”Guardian”:http://www.symbian-toys.com/guardian.aspx#download
- This site contains FICORA (Finnish Communications Regulatory Authority)Information Security Guidelines for Mobile PhoneUsershttp://www.ficora.fi/mobiiliturva/english/index.html.
- These sites includes the answers of the queries like “What is a HatiHati.AMalware? How to know if you are infected with a HatiHati.AMalware?”http://smart.com.ph/corporate/support/Hatihati-Removal/
http://smart.com.ph/Corporate/Support/Hatihati-Removal/hatihati_detection.htm
http://www.sudeep.net.np/finally-3396003964-hati-hati-sms-virus-removed
http://www.fortiguardcenter.com/VirusEncyclopedia - Other links which might beuseful:/search/encyclopediaSearch.do?method=quickSearchDirectly&virusName=SymbOS/HatiHati.A!worm http://www.antivirusprogram.se/virusinfo/Worm+SymbOS/HatiHati.A_16787.html
http://answers.yahoo.com/question/index?qid=20080318220419AAjBjqG
http://www.f-secure.com/weblog/archives/00001328.html
Step by step information on removing Hati Hati virus:
Requirement: You must have a Nokia PC Suite installed in your PC. Please go to
http://www.nokia.com.ph/pcsuite for an update.
Disclaimer: There have been unconfirmed reports that backing-up of files
has a small risk for remission of the Hatihati.A malware. Back-up your files at your own
risk. The best option is still to download an antivirus application for your phone such as
F-Secure.
Removing Hatihati.A Malware by Soft Formatting :
A soft format procedure cleans the phone memory only and SMS, contacts and others could
still be intact. A phone lock code may be required. The default phone lock code for Nokia is
12345.
Note: Battery should be full up to 75 %.
Step 1: Remove the memory card (MMC).
Step 2: Turn on phone and dial *#7370# for soft format.
Step 3: Clean the memory card. You will need a PC connection and USB card
reader/ writer.
1. Insert MMC in the USB Card Reader/ Writer.
2. Go to systems folder, then go to apps folder.
3. Look for the Hatihati.A folder named “Guardian” and delete it.
Disclaimer: The procedures detailed in this document were compiled without
consideration of any long-term side effects relative to their implementation.
Removing Hatihati.A Malware by Hard Formatting :
A hard format procedure resets the phone to the factory default setting. A phone lock code
may be required. The default phone lock code is 12345.
Note: Battery should be full up to 75 %.
Step 1: Turn-off the phone.
Step 2: Reboot phone while pressing the Call key, * key, 3 key.
Step 3: Clean the memory card. You will need a PC connection and USB card
reader/ writer.
1. Insert MMC in the USB Card Reader/ Writer.
2. Go to systems folder, then go to apps folder.
3. Look for the Hatihati.A folder named “Guardian” and delete it.
Disclaimer: The procedures detailed
ungaz….hnd gale amo
ungaz….hnd gale amo