+ SymbOS/Cardblock.A

01 October 2005

A new Symbian trojan that locks the phone's MMC card

SymbOS/Cardblock.A is a Symbian trojan and the first known trojan to attack a phone's MMC card. SymbOS/Cardtrap.A used the phone's MMC card to try to infect the user's PC with Win32 malware, but Cardblock.A is the first one that actually attacks the MMC card itself.

SymbOS/Cardblock.A is a trojanized version of the Symbian application InstantSis created by Biscompute.

When installed, Cardblock.A appears to be a cracked version of InstantSis, providing the user with the ability to repack already installed SIS files and copy them to another device.

However, when the user tries to use Cardblock.A to copy an application, a payload triggers that blocks the phone's MMC memory card and deletes critical system and mail directories.

Blocking the memory card is done by setting a random password on the card, so that once the phone has been rebooted, the card is no longer accessible on the phone or any other device without entering the password. Because the password is a random code that is never shown to the user, the card and its contents are unusable until unlocked.

Deleting the system directories destroys information about installed applications, the user's MMS and SMS messages, phone numbers stored on the phone and other critical system data. This means that the user loses access to the applications installed on the phone, as well as phone numbers and other important data.

Some phones, such as the Nokia 6670 and Nokia 6600, survive the deletion of system directories quite easily: after a reboot the phone is usable again. But the user data and the MMC card are still lost.

Unfortunately, some phones that use newer versions of Symbian OS, such as the Nokia 6630, are hit harder. These phones fail to reboot and display a message requesting that the phone be taken in for maintenance. However, the phone can be recovered with the special hard-format key combination.

The picture in this blog entry is from one such phone. The message is in Finnish and translates to English as "Connection to phone failed, please contact supplier of the phone". The interesting bit is that we had the phone set to English when infecting it, but Cardblock.A damages the OS so badly that after the reboot it doesn't even remember which language it should use.

A database update for F-Secure Mobile Anti-Virus has been published that is capable of detecting and removing Cardblock.A. We are still working on how to get locked MMC cards functional again.

Needless to say, Cardblock.A is not a threat to people who don't use pirated software, as it pretends to be a pirated copy of a commercial application.


Cardtrap in action
Virus info

NAME:
Cardtrap.A

ALIAS:
SymbOS/Cardtrap.A,
SymbOS/MultiDropper.G,
SYMBOS_BLAKSYM.A

Summary

Cardtrap.A is a malicious SIS file trojan which tries to disable a large number of system and third-party applications and installs Windows malware on the phone's memory card.
Cardtrap.A installs the Windows worms Win32/Padobot.Z and Win32/Rays to the phone's memory card.

Padobot.Z is copied along with an autorun file that points to the Padobot.Z executable, so that if the card is inserted into a PC running Windows, autorun tries to execute Padobot.Z.

We tried this feature with Windows XP SP2 and Windows 2000 and could not get autorun to work, but the autorun feature might work with some Windows installations.

Win32/Rays is copied with the name System.exe and has the same icon as the System folder on the memory card, so that if the user tries to read the contents of the card with a PC he might accidentally execute Win32/Rays.
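As an added example (not code from the Symbian Freak page or from F-Secure), here is a defender-side Python check that covers both tricks described above. It scans an offline copy of a memory card's root directory for an autorun.inf whose open= or shellexecute= entry points at an executable on the card, and for executables whose base name matches a sibling folder, the System.exe-beside-System layout that is easy to mistake for a folder when Windows hides file extensions. The card layout built by build_sample_card and the file name padobot.exe are constructed for the demo; the writeup does not give the dropped file's real name.

```python
import tempfile
from pathlib import Path

# File types Windows will run on double-click; used to spot planted programs.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif"}


def autorun_targets(card_root: Path) -> list[str]:
    """Return programs an autorun.inf on the card asks Windows to launch.

    autorun.inf is INI-like; inside [autorun], the 'open' and 'shellexecute'
    keys name the program. A small hand-written parser is used because real
    autorun files are often sloppy (odd encodings, lines without '=').
    """
    inf = card_root / "autorun.inf"
    if not inf.is_file():
        return []
    targets = []
    in_autorun = False
    for raw in inf.read_text(encoding="latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in ("open", "shellexecute") and value:
            # The value may carry arguments; the program is the first token.
            program = value.split()[0].strip('"')
            targets.append(program.replace("\\", "/"))
    return targets


def folder_lookalikes(card_root: Path) -> list[str]:
    """Return executables whose name minus extension matches a sibling folder.

    Cardtrap.A drops Win32/Rays as System.exe next to the card's System
    folder with a folder icon, so 'System.exe' and 'System' look identical
    when extensions are hidden.
    """
    folder_names = {p.name.lower() for p in card_root.iterdir() if p.is_dir()}
    return sorted(
        p.name
        for p in card_root.iterdir()
        if p.is_file()
        and p.suffix.lower() in EXECUTABLE_SUFFIXES
        and p.stem.lower() in folder_names
    )


def scan_card(card_root: Path) -> dict:
    """Combine both checks into one report for a card root directory."""
    targets = autorun_targets(card_root)
    present = [t for t in targets if (card_root / t).is_file()]
    return {
        "autorun_targets": targets,
        "autorun_targets_present": present,
        "folder_lookalikes": folder_lookalikes(card_root),
    }


def build_sample_card(root: Path) -> None:
    """Constructed card image mimicking the layout in the writeup (not a real dump)."""
    (root / "System" / "Apps").mkdir(parents=True)
    (root / "Private").mkdir()
    # Placeholder MZ stubs stand in for the worms; the names are constructed.
    (root / "System.exe").write_bytes(b"MZ" + b"\0" * 62)
    (root / "padobot.exe").write_bytes(b"MZ" + b"\0" * 62)
    (root / "autorun.inf").write_text(
        "[autorun]\r\nopen=padobot.exe\r\nicon=padobot.exe\r\n", encoding="latin-1"
    )
    (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0")


def demo() -> dict:
    """Build the sample card in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_card(root)
        return scan_card(root)


if __name__ == "__main__":
    for finding, items in demo().items():
        print(f"{finding}: {items}")
```

Run it against a mounted card by calling scan_card(Path("/media/card")) instead of demo(); a non-empty autorun_targets_present or folder_lookalikes list is the cue to treat the card as hostile and mount it with autorun disabled and extensions visible.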

Disinfection

Cardtrap.A disables the Application manager to prevent its uninstallation, but it does not prevent the installation of Anti-Virus. F-Secure Mobile Anti-Virus can detect and disinfect the files Cardtrap.A uses to disable the phone.

1. Open the web browser on the phone
2. Go to http://mobile.f-secure.com
3. Select the link "Download F-Secure Mobile Anti-Virus" and then select the phone model
4. Download the file and select open after download
5. Install F-Secure Mobile Anti-Virus
6. Go to the applications menu and start Anti-Virus
7. Activate Anti-Virus and scan all files. Anti-Virus then removes the files that block the application manager and other critical functions
8. Go to the application manager and uninstall the file with which Cardtrap.A was installed

Detailed Description

Spreading: in Black_Symbian v0.10.sis

Installation to system: When installed, Cardtrap.A replaces the main executable of several third-party applications by overwriting their main executable file.

If any third-party applications targeted by the trojan are installed on the device, their main executable will be overwritten, and they must be reinstalled to repair the damage.

Payload: Disables most of the phone's built-in applications and installs the Windows worms Win32/Padobot.Z and Win32/Rays on the device's memory card.

Detection

Generic detection that detects Cardtrap.A was published for F-Secure Mobile Anti-Virus on December 13th, 2004 in database build number 15.

Exact detection and disinfection was published for F-Secure Mobile Anti-Virus on September 20th, 2005 in database build number 50.

F-Secure Corporation

Source: F-Secure. Author: Calvin ft. Apocalypso

copyright (c) Symbian freak 2005,
all rights reserved