
F-Secure Virus Descriptions : Cardtrap.A




NAME: Cardtrap.A
ALIAS: SymbOS/Cardtrap.A, SymbOS/MultiDropper.G, SYMBOS_BLAKSYM.A

Summary

Cardtrap.A is a malicious SIS file trojan that tries to disable a large number of system and third-party applications and installs Windows malware on the phone's memory card.

Cardtrap.A installs the Windows worms Win32/Padobot.Z and Win32/Rays on the phone's memory card.

Padobot.Z is copied along with an autorun file that points to the Padobot.Z executable, so that if the card is inserted into a PC running Windows, autorun tries to execute Padobot.Z.

We tried this feature with Windows XP SP2 and Windows 2000, and could not get autorun to work. But the autorun feature might work with some Windows installations.

Win32/Rays is copied under the name System.exe and has the same icon as the System folder on the memory card, so a user browsing the contents of the card on a PC might accidentally execute Win32/Rays.
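A defender-side check for the two memory-card tricks described above, as an added example that is not F-Secure's code: it lists what a card's autorun.inf would launch and flags executables named after a sibling folder. The extension list, the name-matching heuristic, the sample layout and the file name `sample.exe` are constructed assumptions.

```python
import configparser
import tempfile
from pathlib import Path

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}  # assumed executable types

def autorun_targets(root: Path) -> list:
    """Programs named by open=/shellexecute= in the card's autorun.inf."""
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(inf.read_text(errors="replace"))
    except configparser.Error:
        return ["<unparseable autorun.inf>"]
    targets = []
    for section in (s for s in cp.sections() if s.lower() == "autorun"):
        for key in ("open", "shellexecute"):
            value = cp.get(section, key, fallback="").strip()
            if value:  # keep the program path, drop any arguments
                targets.append(value.split()[0].strip('"'))
    return targets

def folder_lookalikes(root: Path) -> list:
    """Executables sharing a base name with a sibling folder (System.exe beside System/)."""
    hits = []
    for d in [root, *(p for p in root.rglob("*") if p.is_dir())]:
        entries = list(d.iterdir())
        dirs = {p.name.lower() for p in entries if p.is_dir()}
        hits += [p.relative_to(root).as_posix() for p in entries if p.is_file()
                 and p.suffix.lower() in EXEC_EXT and p.stem.lower() in dirs]
    return sorted(hits)

def scan_card(root: Path) -> dict:
    return {"autorun": autorun_targets(root), "lookalikes": folder_lookalikes(root)}

def build_sample_card(root: Path) -> Path:
    """Constructed sample layout; every file holds inert placeholder bytes."""
    (root / "System").mkdir(parents=True)
    (root / "Images").mkdir()
    for name in ("System.exe", "sample.exe"):
        (root / name).write_bytes(b"placeholder")
    (root / "autorun.inf").write_text("[AutoRun]\nopen=sample.exe\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(scan_card(build_sample_card(Path(tmp))))
```

Point `scan_card` at the mount point of a card attached to an analysis machine with autorun disabled; a non-empty result is a reason to inspect the card, not proof of infection.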

Disinfection

Cardtrap.A disables the Application manager to prevent its uninstallation, but it does not prevent the installation of Anti-Virus. F-Secure Mobile Anti-Virus can detect and disinfect the files Cardtrap.A uses to disable the phone.

1. Open the web browser on the phone
2. Go to http://mobile.f-secure.com
3. Select the link "Download F-Secure Mobile Anti-Virus" and then select the phone model
4. Download the file and select open after download
5. Install F-Secure Mobile Anti-Virus
6. Go to the applications menu and start Anti-Virus
7. Activate Anti-Virus and scan all files. Anti-Virus then removes the files that block the application manager and other critical functions
8. Go to the application manager and uninstall the file in which Cardtrap.A was installed




Detailed Description

Cardtrap.A spreads in the file Black_Symbian v0.10.sis.

Installation to system

When installed, Cardtrap.A replaces the main executable file of several third-party applications by overwriting it.

If any third-party applications targeted by the trojan are installed on the device, their main executable is overwritten, and they must be reinstalled to repair the damage.

Payload

Cardtrap.A disables most of the phone's built-in applications and installs the Windows worms Win32/Padobot.Z and Win32/Rays on the device's memory card.




Detection

Generic detection for Cardtrap.A was published for F-Secure Mobile Anti-Virus on December 13th, 2004, in database build number 15.

Exact detection and disinfection were published for F-Secure Mobile Anti-Virus on September 20th, 2005, in database build number 50.




Write-up: Jarno Niemela, September 20th, 2005

F-Secure Corporation