Cardtrap.M is a Symbian SIS file trojan that disables several built-in
Symbian applications, tries to damage several anti-virus applications,
and installs several Windows viruses, worms and trojans to the memory card.
The Windows malware on the memory card is installed with icons, batch
files and shortcut links that try to fool the user into executing a malicious file
when he is trying to investigate the card contents.
The files that Cardtrap.M drops to the memory card contain several references
to F-Secure, and some files have F-Secure icons. F-Secure has nothing
to do with the creation of Cardtrap or any other malware.
The creator of Cardtrap.M is trying to use the reputation of F-Secure as a way of fooling
the user into trusting the files on the memory card.
Disinfection
Disinfection with Anti-Virus
1. Download F-Secure Mobile Anti-Virus to your phone from
http://www.f-secure.com/wireless/download/
2. Install the Anti-Virus to your phone over USB cable
3. Start and activate the Anti-Virus
4. Scan your phone to remove infected files
5. Use the application manager to uninstall the file with which you
installed Cardtrap.M. The default name is "Image Compressor"
Cardtrap.M installs several damaged files to phone memory to disable key system applications
and anti-virus products.
Cardtrap.M disables the following system applications:
Application manager
Browser
File manager
Media gallery
MMS and SMS messaging inbox
F-Secure Mobile Anti-Virus is capable of detecting Cardtrap.M with generic detection, so if the phone
has a functional Anti-Virus installed, Cardtrap.M is blocked before it can be installed.
Installation to MMC card
Cardtrap.M installs several Windows viruses, worms and trojans to the phone MMC card.
The Windows malware is installed with filenames, icons and shortcut links that try
to fool the user into clicking them.
Cardtrap.M installs the following Windows malware to the MMC card:
Picture of MMC card contents when viewed with Windows Explorer
The MMC card also contains modified versions of the Opera start page HTML files that
try to fool the user into installing additional Symbian malware SIS files that are
installed to the card.
If the user has Opera installed on the MMC card, he will see the modified version
of the Opera default content.
Cardtrap.M installs the following Symbian malware SIS files:
SymbOS/Doomboot.K
SymbOS/Cabir.AB
Symbian dropper for Win32/Istbar.IS
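
An added example, not part of the original description or of any F-Secure tool: a Python script that triages a memory card mounted on an analysis machine by file content rather than by name or icon, flagging the kinds of files described above (Windows executables, shortcut links, batch files and Symbian SIS files) without opening any of them. The function names and the sample card contents are constructed for illustration.

```python
import os
import struct

# Content signatures, checked regardless of file name, extension or icon.
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
SIS_UID3_PRE9 = 0x10000419   # pre-9.x Symbian installation file, UID at offset 8
SIS_UID1_V9 = 0x10201A7A     # Symbian 9.x installation file, UID at offset 0
SCRIPT_EXTS = {".bat", ".cmd"}

def classify(path):
    """Return a label for a file that should not be opened from the card, else None."""
    with open(path, "rb") as fh:
        head = fh.read(20)
    if head[:2] == b"MZ":
        return "windows-executable"
    if head.startswith(LNK_HEADER):
        return "windows-shortcut"
    if len(head) >= 12:
        uid1, _, uid3 = struct.unpack("<III", head[:12])
        if uid1 == SIS_UID1_V9 or uid3 == SIS_UID3_PRE9:
            return "symbian-sis"
    if os.path.splitext(path)[1].lower() in SCRIPT_EXTS:
        return "batch-file"
    return None

def triage(card_root):
    """Walk a mounted (ideally read-only) card; map relative path -> label."""
    findings = {}
    for folder, _dirs, files in os.walk(card_root):
        for name in files:
            full = os.path.join(folder, name)
            if label := classify(full):
                findings[os.path.relpath(full, card_root)] = label
    return findings

def build_sample_card(root):
    """Constructed sample: harmless stub files carrying only header bytes."""
    samples = {
        "Photos.jpg": b"MZ" + b"\0" * 62,  # executable content behind an image name
        "Open me.lnk": LNK_HEADER + b"\0" * 56,
        "setup.bat": b"@echo off\r\n",
        "System/game.sis": struct.pack("<III", 0x12345678, 0, SIS_UID3_PRE9),
        "notes.txt": b"plain text\r\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
```

Calling triage() on the card's mount point returns a dictionary of flagged paths; build_sample_card() writes the constructed stubs into an empty directory for a dry run.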