Threat Description

Trojan:SymbOS/Cardblock.A

Details

Aliases: Trojan:SymbOS/Cardblock.A
Category: Malware
Type: Trojan
Platform: SymbOS

Summary



A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.



Removal



F-Secure Mobile Anti-Virus is capable of detecting and deleting the Cardblock.A trojan. However, Cardblock.A deletes itself when its payload triggers, so disinfection of the device itself is not necessary; what needs attention is the damage the payload has already done to the memory card and the system directories.

Recovering MMC Contents

As long as the phone has not been rebooted (and the card has not been removed) since the Cardblock.A payload triggered, the MMC contents are still accessible and can be copied to a PC. Use PC sync software to copy the card contents to a PC and from there to another card.

Prevention

Prevent future infections with F-Secure Mobile Anti-Virus



Technical Details



Trojan:SymbOS/Cardblock.A is a trojanized version of the Symbian application InstantSis created by Biscompute. The trojan is distributed in a file named:

  • instantsis.v2.1.cracked.by.binzpda.sis

When installed, Cardblock.A appears to be a cracked version of InstantSis, offering the user the ability to repack already installed SIS files and copy them to another device.

However, when the user tries to use Cardblock.A to copy an application, a payload triggers that blocks the MMC memory card of the phone and deletes critical system and mail directories.

Blocking the memory card is done by setting a random password on the card. MMC cards support a card-level lock password that any host must present before the card's contents can be read, and a card with a stored password comes up locked the next time it is powered. After the phone has been rebooted once, the card is therefore no longer accessible on that phone or on any other device without entering the password. As the password is a random value that is never shown to the user, the card and its contents are unusable until unlocked.

Deleting the system directories destroys information about installed applications, the user's MMS and SMS messages, phone numbers stored on the phone, and other critical system data.

Phones using Symbian OS 7.0 or older, such as the Nokia 6670 and 6600, can recover from deleted system directories at the next boot.

However, phones using Symbian OS 8.1a, such as the Nokia 6630, cannot recover the system directories, and thus fail to boot properly and display a message instructing that the phone be taken in for service. Such phones can be recovered with the hard format operation described in the disinfection instructions.

If you have installed Cardblock.A and its payload has triggered, do not reboot the phone or remove the card before using sync software to make a backup of the card contents.

Payload

Blocks the MMC Card

Cardblock.A blocks the MMC card inserted in the phone by generating a random password and setting it as the card's lock password. If the card is mounted when the payload triggers, it remains accessible until it is removed from the device or the device reboots.

After a reboot, the card cannot be accessed without the correct password, and guessing a random password is not a realistic recovery option.
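To make the locking behaviour concrete, the following is an added example, not code from the original page and not Cardblock.A's own code. It models the CMD42 (LOCK_UNLOCK) data block that SD and MultiMediaCard hosts use to set, clear and use a card lock password, and a toy card that behaves as the page describes: a stored password does not bite until the next power-up, a locked card rejects reads, and the only password-free way out is a forced erase, which wipes the data. The 16-byte password length and the sample card contents are assumptions for the demonstration; the page only says the password is random.

```python
import os

# Flag bits in byte 0 of the CMD42 (LOCK_UNLOCK) data block, as laid out in the
# SD and MultiMediaCard specifications; byte 1 is PWD_LEN, the rest is password data.
ERASE = 0x08        # forced erase: wipes the card and removes the lock, no password needed
LOCK_UNLOCK = 0x04  # 1 = lock, 0 = unlock (password must match)
CLR_PWD = 0x02      # remove the stored password (password must match)
SET_PWD = 0x01      # set a password, or change it (data = old password + new password)
MAX_PWD_LEN = 16    # spec limit on a single password


class LockError(Exception):
    """The card rejected the command (wrong password or card locked)."""


def build_lock_block(flags: int, password: bytes = b"") -> bytes:
    """Encode a CMD42 data block: [flags][PWD_LEN][password bytes]."""
    if len(password) > 2 * MAX_PWD_LEN:  # old + new when changing a password
        raise ValueError("password data too long")
    return bytes([flags, len(password)]) + password


def parse_lock_block(block: bytes):
    """Decode a CMD42 data block into (flags, password bytes)."""
    flags, pwd_len = block[0], block[1]
    password = block[2:2 + pwd_len]
    if len(password) != pwd_len:
        raise ValueError("truncated block")
    return flags, password


class SimulatedMmc:
    """Toy model of a card's lock state machine; not a driver for real hardware."""

    def __init__(self, contents: bytes):
        self._data = bytearray(contents)
        self.password = None   # None means no password stored
        self.locked = False

    def read(self) -> bytes:
        if self.locked:
            raise LockError("card is locked: data commands are rejected")
        return bytes(self._data)

    def power_cycle(self) -> None:
        # A card with a stored password comes up locked after power-up or re-insertion;
        # this is why the victim keeps access to the card until the phone reboots.
        self.locked = self.password is not None

    def lock_unlock(self, block: bytes) -> None:
        flags, pwd = parse_lock_block(block)
        if flags & ERASE:
            self._data = bytearray(len(self._data))   # card usable again, data gone
            self.password, self.locked = None, False
            return
        if flags & SET_PWD:
            old_len = len(self.password) if self.password else 0
            old, new = pwd[:old_len], pwd[old_len:]
            if self.password is not None and old != self.password:
                raise LockError("wrong old password")
            if not 1 <= len(new) <= MAX_PWD_LEN:
                raise LockError("bad new password length")
            self.password = new
            if flags & LOCK_UNLOCK:
                self.locked = True   # lock immediately; otherwise only at next power-up
            return
        if pwd != self.password:
            raise LockError("wrong password")
        if flags & CLR_PWD:
            self.password, self.locked = None, False
        else:
            self.locked = bool(flags & LOCK_UNLOCK)


def cardblock_style_lock(card: SimulatedMmc) -> bytes:
    """Do what the page describes: store a random password the user never sees.
    Assumption: 16 random bytes; the page only says the password is random."""
    secret = os.urandom(MAX_PWD_LEN)
    card.lock_unlock(build_lock_block(SET_PWD, secret))
    return secret   # returned only so a caller can demonstrate a correct unlock


def guess_space() -> int:
    """Candidate 16-byte passwords a victim without the secret would have to try."""
    return 256 ** MAX_PWD_LEN   # 2**128: guessing is not a realistic recovery path


def demo() -> dict:
    card = SimulatedMmc(b"photos, SMS backups, installed apps")  # constructed sample contents
    cardblock_style_lock(card)
    still_readable = card.read()          # before reboot: copy this to a PC now
    card.power_cycle()                    # the reboot the page warns against
    try:
        card.read()
        locked = False
    except LockError:
        locked = True
    try:
        card.lock_unlock(build_lock_block(0, bytes(MAX_PWD_LEN)))  # one unlock guess
        guess_worked = True
    except LockError:
        guess_worked = False
    card.lock_unlock(build_lock_block(ERASE))   # forced erase: card back, data not
    return {
        "readable_before_reboot": still_readable,
        "locked_after_reboot": locked,
        "guess_worked": guess_worked,
        "contents_after_force_erase": card.read(),
    }


if __name__ == "__main__":
    print(demo())
```

The practical caveat this shows is the one the page's recovery advice depends on: the window between the payload and the first power cycle is the only time the data can be copied off, and a forced erase gets the card back as hardware but returns it empty.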

Deleting System Directories

Cardblock.A deletes the following directories from the device:

  • C:\system\bootdata
  • C:\system\data
  • C:\system\install
  • C:\system\libs
  • C:\system\mail

Deleting these directories destroys the data of most system applications, such as the phone book and SMS and MMS messaging. The installation information of all installed applications is also destroyed, so many third-party applications become unusable and can no longer be uninstalled.



Detection


F-Secure Mobile Anti-Virus for Symbian detects this malware starting from the update build number 51.



