This program is conditionally malicious software that grants superuser privileges to the user on devices running the Android operating system by exploiting a security vulnerability in the system (CVE-2009-1185).
This exploit program has to be placed in one of the following directories to ensure that it is launched:
The following permissions are assigned to this file before it is launched:
- rwxr-xr-x
If the real user ID of the current process does not match its effective user ID, the exploit attempts to assign "root" privileges to the process and then deletes the following files:
- /sqlite_stmt_journals/data
- /sqlite_stmt_journals/hotplug
- /sqlite_stmt_journals/loading
- /sqlite_stmt_journals/mount
- /sqlite_stmt_journals/fs_type
- /data/local/tmp/data
- /data/local/tmp/hotplug
- /data/local/tmp/loading
- /data/local/tmp/mount
- /data/local/tmp/fs_type
- /data/data/com.corner23.android.universalandroot/files/data
- /data/data/com.corner23.android.universalandroot/files/hotplug
- /data/data/com.corner23.android.universalandroot/files/loading
- /data/data/com.corner23.android.universalandroot/files/mount
- /data/data/com.corner23.android.universalandroot/files/fs_type
It then executes commands on the command line; these commands are passed to the exploit as parameters. If an error occurs while executing a command, the exploit displays the following message:
If no user ID has been set for this file, or if the effective user ID equals "0", it deletes the content of this file:
It then checks for the following files:
- /sqlite_stmt_journals/mount
- /data/local/tmp/mount
- /data/data/com.corner23.android.universalandroot/files/mount
If none of these files is found, it displays the following message:
It then opens the "mount" and "fs_type" files, reads the data required for mounting, and re-mounts the /system directory.
It then creates /system/bin/rootshell.
It copies its working directory to this location and sets the following permissions on the files: -rws--x--x
It prints the following lines to the command line:
[*] Android local root exploid (C) The Android Exploid Crew
[*] Modified by shakalaca for various devices
One of the following base directories is then entered:
- /sqlite_stmt_journals
- /data/data/com.corner23.android.universalandroot/files
- /data/local/tmp
The default is /sqlite_stmt_journals.
The following messages are then displayed on the command line:
[+] Using basedir=, path=
[+] opening NETLINK_KOBJECT_UEVENT socket
It deletes the following files from the base directory:
- %BaseDir%/data
- %BaseDir%/hotplug
- %BaseDir%/loading
- %BaseDir%/mount
- %BaseDir%/fs_type
- %BaseDir%/remount_as_ro.sh
It then re-creates these files and saves in them the information about the mounted device and the file system type of the /system directory.
It creates a script that re-mounts the file system: %BaseDir%/remount_as_ro.sh
It then exploits a vulnerability in the handling of malformed NETLINK messages (CVE-2009-1185) to obtain "root" privileges for the current user. Finally, it displays the following lines:
[*] Try to invoke hotplug now, clicking at the wireless
[*] settings, plugin USB key etc.
[*] You succeeded if you find /system/bin/rootshell.
[*] GUI might hang/restart meanwhile so be patient.
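The file paths above (the work files in the three base directories, the remount script and the /system/bin/rootshell marker) double as indicators of a successful run. The following check, which is an added example and not code from the description or from the exploit, scans a filesystem for those artifacts; the ROOT parameter and the script name are assumptions, with "/" meaning the running device (for example via adb shell) and any other value the mount point of a filesystem image examined offline.

```sh
#!/bin/sh
# Added example (not part of the original description): report the files this
# exploit leaves behind. ROOT is an assumed parameter: "/" on the device itself,
# or the mount point of a filesystem image examined offline.

# Base directories the exploit chooses between, as listed in the description.
EXPLOID_BASEDIRS="/sqlite_stmt_journals /data/data/com.corner23.android.universalandroot/files /data/local/tmp"
# Work files the exploit creates in its base directory.
EXPLOID_WORKFILES="data hotplug loading mount fs_type remount_as_ro.sh"

# Prints one line per artifact found under ROOT. Returns 0 when nothing was
# found and 1 when at least one artifact is present.
scan_exploid_artifacts() {
    root="${1%/}"
    found=0
    # Success marker of the exploit: a setuid shell copied to /system/bin.
    shell="$root/system/bin/rootshell"
    if [ -e "$shell" ]; then
        if [ -u "$shell" ]; then
            echo "$shell (setuid)"
        else
            echo "$shell"
        fi
        found=1
    fi
    # Mount information files and the remount script in any base directory.
    for dir in $EXPLOID_BASEDIRS; do
        for name in $EXPLOID_WORKFILES; do
            if [ -e "$root$dir/$name" ]; then
                echo "$root$dir/$name"
                found=1
            fi
        done
    done
    return $found
}

# Scan the root given on the command line, e.g. `sh scan.sh /` on a device.
if [ $# -gt 0 ]; then
    scan_exploid_artifacts "$1"
fi
```

The work files have generic names ("data", "mount"), so a hit on one of them alone is a reason to inspect the directory, while /system/bin/rootshell or remount_as_ro.sh is a much stronger sign that the exploit ran.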
This exploit program may run on the following devices:
- Google Nexus One (2.2)
- Google G1 (1.6)
- HTC Hero (2.1)
- HTC Magic (1.5)
- HTC Tattoo (1.6)
- Dell Streak (2.1)
- Motorola Milestone (2.1)
- Motorola XT701
- Motorola XT800 (2.1)
- Motorola ME511
- Motorola Charm
- Motorola Droid (2.01/2.1/2.2 with FRG01B)
- Sony Ericsson X10 (1.6)
- Sony Ericsson X10 Mini (1.6)
- Sony Ericsson X10 Mini Pro (1.6)
- Acer Liquid (2.1)
- Acer beTouch E400 (2.1)
- Samsung Galaxy Beam
- Samsung Galaxy 5 (GT-I5500)
- Vibo A688 (1.6)
- Lenovo Lephone (1.6)
- LG GT540 (1.6)
- Gigabyte GSmart G1305
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Delete the original program file (its location will depend on how the program originally penetrated the victim machine).
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).