Trojan:SymbOS/Cardblock.A

Classification

Category: Malware
Type: Trojan
Platform: SymbOS
Aliases: Trojan:SymbOS/Cardblock.A

Summary

Trojan:SymbOS/Cardblock.A is a trojanized version of the Symbian application InstantSis created by Biscompute.

Removal

F-Secure Mobile Security is capable of detecting and deleting the Cardblock.A trojan. However, Cardblock.A deletes itself when the payload triggers, so actual disinfection of the device is not necessary.

Recovering MMC Contents

As long as the phone has not been rebooted after the Cardblock.A infection, the MMC contents are still accessible and can be copied to a PC. Use PC sync software to copy the card contents to a PC and from there to another card.


Technical Details

The trojan is distributed in a file named:

  • instantsis.v2.1.cracked.by.binzpda.sis

When installed, Cardblock.A appears to be a cracked version of InstantSis, providing the user with the ability to repack already installed SIS files and to copy them to another device.

However, when the user tries to use Cardblock.A to copy an application, a payload triggers that blocks the MMC memory card of the phone and deletes critical system and mail directories.

Blocking the memory card is done by setting a random password on the card. After the phone has been rebooted once, the card is no longer accessible on the phone or on any other device without entering the password. As the password is a random code that is not provided to the user, the card and its contents are unusable until unlocked.

Deleting system directories destroys information about installed applications, the user's MMS and SMS messages, phone numbers stored on the phone, and other critical system data.

Phones using Symbian OS 7.0 or older, such as the Nokia 6670 and 6600, can recover from deleted system directories at the next boot.

However, phones using Symbian OS 8.1a, such as the Nokia 6630, cannot recover the system directories, and thus fail to boot properly and display a message instructing that the phone be taken in for maintenance. Such phones can be recovered with the hard format operation described in the disinfection instructions.

If you have installed Cardblock.A and triggered the payload, do not reboot the phone before using sync software to make a backup of the card contents.

Payload

Blocks the MMC Card

Cardblock.A blocks the MMC card inserted into the phone by generating a random password and setting this password on the MMC card. If the device has the MMC card open when the payload triggers, the card remains accessible until it is removed from the device or the device reboots.

After rebooting, the card cannot be accessed without guessing the correct password, which is quite improbable.

Deleting System Directories

Cardblock.A deletes the following directories from the device:

  • C:\system\bootdata
  • C:\system\data
  • C:\system\install
  • C:\system\libs
  • C:\system\mail

Deleting these directories destroys the data of most system applications, such as the phone book and SMS and MMS messaging. The installation information of all installed applications is also destroyed, so that many third-party applications become unusable and can no longer be uninstalled.