
SymbOS/Mabtal.A

Type
Trojan
SubType
PDA Device
Discovery Date
07/08/2005
Length
Minimum DAT
4532 (07/11/2005)
Updated DAT
4532 (07/11/2005)
Minimum Engine
N/A
Description Added
07/08/2005
Description Modified
07/08/2005 11:55 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low


Characteristics

This malware advertises itself as a “cracked” version of ProfiMail v2.25. At the time of this report the current version of ProfiMail is v2.24. This malware acts as a dropper for two previously discovered malware: Mabir.a and Fontal.a.

Symptoms

The most prominent payload of this dropper is the Fontal.a portion, as this will prevent the device from booting. Mabir.a is a modified Cabir which has MMS support for propagation in addition to the original (Cabir) Bluetooth propagation. Copies of the ROM application installer (appinst.app and appinst.aif) are installed as well, which will disable the application installer if the device is successfully rebooted.

If the user runs the ProfiMail application, the device will display an error screen and reboot. The effect of Fontal.a will take place after this reboot.

Method of Infection

This malware advertises itself as a “cracked” version of ProfiMail v2.25, to trick the user into installing it.

This requires the user to install it.

Removal

-

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
