Spyware.Phonecreeper

Updated: October 20, 2010
Infection Length: 105,712 bytes
Name: Phone Creeper
Version: 0.95
Publisher: Chet Striker
Risk Impact: Low

Behavior

Spyware.Phonecreeper is a spyware program for Windows Mobile that steals information from the compromised phone.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version October 02, 2014 revision 022
  • Initial Daily Certified version October 15, 2010 revision 036
  • Latest Daily Certified version October 15, 2010 revision 036
  • Initial Weekly Certified release date October 20, 2010
This spyware program must be manually installed.

Once executed, the program copies itself as the following file:
%CurrentFolder%\MSTALK.exe

It then creates the following files:
  • %CurrentFolder%\autorun.exe
  • %CurrentFolder%\Lock.exe
  • %CurrentFolder%\MAPIdotnet.dll
  • %CurrentFolder%\MAPIlib.dll
  • %CurrentFolder%\Microsoft.WindowsMobile.dll
  • %CurrentFolder%\Microsoft.WindowsMobile.PocketOutlook.dll
  • %CurrentFolder%\Microsoft.WindowsMobile.Samples.Location.dll
  • %CurrentFolder%\Microsoft.WindowsMobile.Status.dll
  • %CurrentFolder%\Microsoft.WindowsMobile.Telephony.dll
  • %CurrentFolder%\OpenNETCF.Configuration.dll
  • %CurrentFolder%\OpenNETCF.dll
  • %CurrentFolder%\OpenNETCF.Net.dll
  • %CurrentFolder%\OpenNETCF.Net.Ftp.dll
  • %CurrentFolder%\OpenNETCF.Phone.dll
  • %CurrentFolder%\OpenNETCF.WindowsCE.dll
  • %CurrentFolder%\OpenNETCF.WindowsCE.Messaging.dll
  • %CurrentFolder%\fart.wav
  • %CurrentFolder%\silent.wma

Note: Some of the above files are legitimate application files.
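The following triage sketch is an added example, not part of the original write-up or any Symantec tooling. It scores the folders in an exported file listing against the file set above, so that shared libraries alone do not raise a match. Which names count as the legitimate files is not stated on the page; treating the Microsoft.WindowsMobile.*, OpenNETCF.* and MAPI* DLLs as weak indicators is an assumption, as are the function name, the threshold and the sample paths.

```python
from collections import defaultdict
import ntpath  # parses backslash-separated device paths on any host OS

# Names from the write-up. The split between distinctive files and shared
# libraries is an assumption of this example, not stated on the page.
DISTINCTIVE = {"mstalk.exe", "autorun.exe", "lock.exe", "fart.wav", "silent.wma"}
LIB_PREFIXES = ("microsoft.windowsmobile", "opennetcf.", "mapidotnet.", "mapilib.")


def triage(paths, min_distinctive=3):
    """Group a file listing by folder and score each folder against the file set."""
    folders = defaultdict(lambda: {"distinctive": set(), "libs": set()})
    for p in paths:
        folder, name = ntpath.split(p.strip())
        folder, name = folder.lower(), name.lower()  # device file names are case-insensitive
        if name in DISTINCTIVE:
            folders[folder]["distinctive"].add(name)
        elif name.endswith(".dll") and name.startswith(LIB_PREFIXES):
            folders[folder]["libs"].add(name)

    report = {}
    for folder, hits in folders.items():
        found = hits["distinctive"]
        if "mstalk.exe" in found and len(found) >= min_distinctive:
            verdict = "match"      # main executable plus companions in one folder
        elif found:
            verdict = "review"     # e.g. a lone autorun.exe, common on storage cards
        else:
            verdict = "libs-only"  # shared libraries only: not evidence by itself
        report[folder] = (verdict, sorted(found), len(hits["libs"]))
    return report


# Constructed sample listing (not taken from a real device).
SAMPLE_LISTING = [
    r"\Program Files\Tools\MSTALK.exe",
    r"\Program Files\Tools\Lock.exe",
    r"\Program Files\Tools\silent.wma",
    r"\Program Files\Tools\OpenNETCF.Net.Ftp.dll",
    r"\Program Files\NavApp\OpenNETCF.dll",
    r"\Program Files\NavApp\Microsoft.WindowsMobile.Status.dll",
    r"\Storage Card\autorun.exe",
    r"\Windows\notes.txt",
]

if __name__ == "__main__":
    for folder, result in sorted(triage(SAMPLE_LISTING).items()):
        print(folder, result)
```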

The program may then perform the following functions:
  • Steal phone information
  • Steal contact list from Outlook
  • Steal appointment list from Outlook
  • Steal task list from Outlook
  • Steal SMS messages
  • Run new processes
  • Send SMS messages
  • Send GPS information
  • Send call history
  • Lock the screen
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. Update the virus definitions.
  2. Run a full system scan and delete all the files detected as Trojan.Terred.

For specific details on each of these steps, read the following instructions.

1. To update the virus definitions
Run LiveUpdate to obtain the latest virus definitions for Symantec AntiVirus for Handhelds. For instructions on how to do this, read the document "Updating virus definitions for Symantec AntiVirus for Handhelds Corporate Edition 3.2."

2. To scan for and delete the infected files
  1. Start Symantec AntiVirus for Handhelds and make sure that it is configured to scan the main storage and mounted file systems.
  2. Run a scan.
  3. If any files are detected as infected with Trojan.Terred, write down the file names.