Cardtrap.C is a minor variation of Cardtrap.A, the main differences are
that Cardtrap.C does not contain Windows worms. Instead the Cardtap.C
contains non-working Windows component of Lasco.A,
The Windows component of Lasco.A is copied on phone memory card and has autorun
file by which it hopes to start if inserted in PC, or gets executed by user.
If executed the Lasco.A component tries to infect all SIS files on PC with SymbOS/Lasco.A,
but fails as one of it's component files are missing.
We tried the autorun from MMC feature with Windows XP SP2 and Windows 2000, and could not get
it to work. But the autorun feature might work with some Windows installations.
Cardtrap.C also drops components from SymbOS/Doomboot.A, which prevent the phone from
booting. So if your phone is infected with Cardtrap.C it is important not to reboot the phone
before disinfecting it.
Disinfection
The Cardtrap.C disables Application manager to prevent it's uninstallation but
it does not prevent installation of Anti-Virus. F-Secure Mobile Anti-Virus can
detect and disinfect the files Cardtrap.C uses to disable the phone.
1. Open web browser on the phone
2. Go to http://mobile.f-secure.com
3. Select link "Download F-Secure Mobile Anti-Virus" and then select phone model
4. Download the file and select open after download
5. Install F-Secure Mobile Anti-Virus
6. Go to applications menu and start Anti-Virus
7. Activate Anti-Virus and scan all files. Anti-Virus then removes files that
block application manager and other critical functions
8. Go to application manager and uninstall the file in which the Cardtrap.C was
installed
When installed Cardtrap.C will replace the main executable of several
third party applications by overwriting their main executable file.
If any third party applications targeted by the trojan are installed
on the device, their main executable will be overwritten, and must be
reinstalled to repair the damage.
Payload
Disables most of the phone built in applications and drops
components from SymbOS/Doomboot.A
