
My contacts over at McAfee's virus lab have supplied me with the following information, which makes for some interesting reading.

They are now aware of at least six malware programs for the Epoc platform. Malware is software that has been specifically designed to cause problems on the machine that it is run on. These are not viruses; viruses can spread and replicate by themselves whereas these programs have to be placed/installed onto a machine manually or, in some cases, beamed to a machine via infrared.

They are, however, notable as the first programs of this type that the various McAfee anti-virus products detect. Note: you will need at least the 4090 dat files and the 4070 engine in your McAfee products to detect these programs. Below, you'll find some details about each of them:

EPOC/Ghost.a

EPOC/Alarm.a

EPOC/Fake

EPOC/Alone

EPOC/BadInfo

EPOC/Lights

 

EPOC/Ghost.a

Variants: EPOC/Ghost.b

Discovery Date: 8/3/00

Origin: Website

Type: Joke

Virus Characteristics
This program is designed to run as a hidden process on EPOC OS hand held devices such as SIBO. The .b variant runs on EPOC32 systems such as Psion. The binary runs as a background process and displays random insults to the user on the screen.

Symptoms
Occasionally, and at random, an insulting message is displayed.

Method Of Infection
This joke program was designed as a "revenge" program. If it is installed on a system, the file will be located in the C:\System\Apps\ folder by default as SYS$INS.OPO.

Removal requires closing all applications and isolating the running process, then terminating it and deleting the file.

Removal Instructions
Use specified engine and DAT files for detection and removal. Delete files found to contain this detection.


 

EPOC/Alarm.a

Variants: EPOC/Alarm.b

Discovery Date: 8/3/00

Origin: Website

Type: Trojan

Virus Characteristics
This is a trojan program written for EPOC OS hand held devices such as SIBO or Siena. This file runs as a process in the background and sounds a loud alarm each time the PDA device is turned on.

The trojan exists as the file "SYS$TIM.OPO" in the C:\SYSTEM\APPS folder.

If the program is not found and removed, it could drain the system battery on the affected device.

Symptoms
When turning on the hand held device, a loud "bong" noise is emitted from the system.

Method Of Infection
This trojan was created as a "revenge" program and could be placed on a hand held device either by Infrared (IR) transfer, or manually by someone who desires to install it without your knowledge.

Removal Instructions
Use specified engine and DAT files for detection and removal. Delete files found to contain this detection.


 

EPOC/Fake

Discovery Date: 8/3/00

Origin: Website

Type: Trojan

Virus Characteristics
This is a trojan program designed for EPOC32 OS for hand held devices such as Psion.

This program simulates a format of the system device; however, it does not perform such an action.

When this trojan is run, it suggests to the user that drive C: is corrupt and presents a YES NO dialogue box. Choosing either YES or NO results in another display of the drive format simulation. During this process, it is not possible to switch to other applications. The process will re-launch itself every few minutes.

Symptoms
If installed on a system, it will exist in the C:\SYSTEM\APPS folder as "fakeformat.opo".

Method Of Infection
This trojan is placed on the system either by installing from a .SIS installation file, or by IR transfer. It is also possible that someone has intentionally installed this trojan on a hand held device through covert methods.

Removal Instructions
Use specified engine and DAT files for detection and removal. Delete files found to contain this detection.


 

EPOC/Alone

Discovery Date: 8/3/00

Origin: Website

Type: Trojan

Virus Characteristics
This is a trojan written for EPOC32 OS hand held devices such as Psion. When this trojan is run, it simulates an IR receive process and then briefly pops up a message box with the detail: "Warning--Virus" on the screen. The trojan then runs as a process and intercepts keyboard input to applications until the user types in the special code sequence "leave me alone".

Symptoms
Existence of the file "VIRUS.OPO" in the C:\SYSTEM\APPS folder on hand held devices. After this trojan is executed and the message mentioned above is displayed, a small black square begins "bouncing" around on the screen and applications lose the ability to receive keyboard input.

Method Of Infection
This trojan is installed either by an installable .SIS package or by someone who intentionally installed it on your device.

Removal Instructions
Use specified engine and DAT files for detection and removal. Delete files found to contain this detection.


 

EPOC/BadInfo

Discovery Date: 8/3/00

Type: Joke

SubType: Settings Change

Virus Characteristics
This is an EPOC32 OS trojan intended to change the configured user information stored in the file SYSTEM.INI on hand held devices such as Psion.

This trojan exists as the file "userinfo.opo" in the C:\SYSTEM\APPS\USERINFO folder. It backs up the original SYSTEM.INI file as SYSTEM.BAK and also creates a second program with which to restore the original file. The "repair" program is called "antidote.opo" and is also in the USERINFO folder.

The original user information is changed to the following:

"Some fool owns this"

Symptoms
Checking the user information for the hand held device displays "Some fool owns this". Existence of the file ANTIDOTE.OPO in the C:\SYSTEM\APPS\USERINFO folder.

Method Of Infection
This trojan is either run by an installation .SIS package or installed intentionally on your system by someone.

Removal Instructions
See "Related Downloads" and/or other sections associated with this description for more details.


 

EPOC/Lights

Discovery Date: 8/3/00

Type: Joke

SubType: Process

Virus Characteristics
This is a trojan written for EPOC32 OS hand held devices such as Psion.

If this trojan is executed on an applicable system, it will attempt to randomly turn on and off the backlight. If this process runs in a continuous fashion, it could drain the device battery.

Symptoms
The backlight turns on and off randomly. The file "LIGHTS.OPO" exists in the C:\SYSTEM\APPS folder.

Method Of Infection
This trojan can be installed by a .SIS package or intentionally by someone who may have borrowed your device.

Removal Instructions
Use specified engine and DAT files for detection and removal. Delete files found to contain this detection.
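
The file names and folders given in the six descriptions above can be checked against a file listing taken from a device or its backup. The sketch below is an added example, not McAfee's or the author's code; the listing format, function names and sample paths are assumptions constructed for illustration, and a name match is only a hint to look closer.

```python
# Added example. Paths are the ones quoted in the descriptions above; the page
# spells the folder in both mixed and upper case, so matching ignores case.
INDICATORS = {
    "EPOC/Ghost.a": [r"C:\System\Apps\SYS$INS.OPO"],
    "EPOC/Alarm.a": [r"C:\System\Apps\SYS$TIM.OPO"],
    "EPOC/Fake": [r"C:\System\Apps\fakeformat.opo"],
    "EPOC/Alone": [r"C:\System\Apps\VIRUS.OPO"],
    "EPOC/BadInfo": [r"C:\System\Apps\USERINFO\userinfo.opo",
                     r"C:\System\Apps\USERINFO\antidote.opo"],
    "EPOC/Lights": [r"C:\System\Apps\LIGHTS.OPO"],
}

# Constructed sample listing (not taken from a real device).
SAMPLE_LISTING = [
    r"C:\SYSTEM\APPS\SYS$TIM.OPO",
    r"c:\system\apps\userinfo\ANTIDOTE.OPO",
    r"D:\Backup\lights.opo",
    r"C:\System\Apps\Word\Word.app",
    r"C:\Documents\notes.txt",
]

def normalise(path):
    """Lower-case the path and unify separators so spellings compare equal."""
    parts = [p for p in path.strip().replace("/", "\\").split("\\") if p]
    return "\\".join(parts).lower()

def scan(listing):
    """Return sorted (detection, confidence, path) tuples for a listing."""
    # "path": the file sits in the folder its description names.
    # "name": same file name elsewhere; weaker, the name may be a coincidence.
    by_path, by_name = {}, {}
    for detection, paths in INDICATORS.items():
        for indicator in paths:
            full = normalise(indicator)
            by_path[full] = detection
            by_name[full.rsplit("\\", 1)[-1]] = detection
    hits = []
    for raw in listing:
        full = normalise(raw)
        name = full.rsplit("\\", 1)[-1]
        if full in by_path:
            hits.append((by_path[full], "path", raw.strip()))
        elif name in by_name:
            hits.append((by_name[name], "name", raw.strip()))
    return sorted(hits)

if __name__ == "__main__":
    for detection, confidence, path in scan(SAMPLE_LISTING):
        print(f"{detection:14} {confidence:5} {path}")
```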


 

Rod Cambridge

rod@toppocket.com

 


Copyright (c) 2000, TopPocket.com. All rights reserved