Threat Description

Trojan:​SymbOS/Doomboot.A

Details

Aliases: SymbOS/Doomboot.A
Category: Malware
Type: Trojan
Platform: SymbOS

Summary



Also known as a trojan horse program, this is a deceptive program that performs additional actions without the user's knowledge or permission. It does not replicate.



Removal



Disinfection with F-Secure Anti-Virus

Automatic Disinfection

F-Secure Mobile Anti-Virus will detect both Doomboot.A and Commwarrior.B and disinfect the phone.

If your phone is infected with Comwarrior and you cannot install files over bluetooth, you can download F-Secure Mobile Anti-Virus directly to your phone.

1. Open web browser on the phone.

2. Go to http://phoneav.com

3. Select link "Download antivirus software for your smartphone" and then select phone model.

4. Download the file and select open after download.

5. Install F-Secure Mobile Anti-Virus.

6. Go to applications Menu and start Anti-Virus.

7. Activate Anti-Virus and scan all files.

Manual Disinfection

1. Go to application manager and uninstall the Doomboot.A SIS file the original name of the SIS file is

  • Doom_2_wad_cracked_by_DFT_S60_v1.0.sis

2. Go to http://phoneav.com

3. Download the F-Commwarrior disinfection tool.

4. Download the file and select open after download.

5. Install F-Commwarrior.

6. Go to applications menu and start F-Commwarrior

7. Use F-Commwarrior to disinfect your phone from the Commwarrior worm.

Disinfection for cases when phone is already rebooted and cannot start up

CAUTION! This method will remove all data on the device, including calendar and phone numbers.

1. Power off the phone.

2. Hold following three buttons down "answer call" + "*" + "3".

3. Keep holding the buttons and power on the phone.

4. Depending on the model, you either get text "formatting" or startup dialog that asks for initial phone settings.

5. Your phone is now formatted and can be used again.



Technical Details



Trojan:SymbOS/Doomboot.A drops corrupted system binaries and Worm:SymbOS/Commwarrior.B onto the infected device. The system files dropped by Doomboot.A cause the device to fail at the next reboot.

Doomboot.A is distributed in a malicious SIS file named 'Doom_2_wad_cracked_by_DFT_S60_v1.0.sis ', which is presented as being cracked versions of Doom 2 for Symbian.

If you have installed Doomboot.A, the most important thing is not to reboot the phone. If you have rebooted the phone and the phone will not start again, the phone can be recovered with hard format key code that is entered in the phone boot.

Execution

Doomboot.A installs corrupted system binaries into C:\ drive of the phone. No social engineering messages or extra icons in the phone application menu are display, and as Commwarrior.B hides its process from process list, the user has no way of noticing that phone is actually infected.

When the phone boots, this corrupted binaries will be loaded instead of the correct ones, and the phone will crash at boot.

The Commwarrior.B dropped by Doomboot will start automatically and start to spread. Bluetooth spreading of the Commwarrior.B causes battery drain and thus the phone will run quickly out of battery. In the case of Doomboot.A infection, this is problematic as the phone will not boot again after the power runs out.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Keep your mobile device protected

F-Secure Mobile Security will keep your mobile device protected on the go and enable you to find it in case you lose it

Learn More