F-Secure Virus Descriptions : Doomboot.I

NAME: Doomboot.I
ALIAS: SymbOS/Doomboot.I

Summary

Doomboot.I is a variant of Doomboot.H that contains a pirated copy of the ExoVirusStop application and claims to be the installation package for ExoVirusStop.

However, in addition to the pirated anti-virus, Doomboot.I also contains corrupted system files from Doomboot.A, application files from Cardtrap.A and resource files from Locknut.A.

The version of ExoVirusStop included with Doomboot.I does not detect the Doomboot files, so if the user scans the device with that version, no warning about Doomboot is given.

However, as the phone is infected with the Doomboot files, it will not start up again if the user reboots the phone or the phone crashes.

If you have installed Doomboot.I, the most important thing is not to reboot the phone, and to follow the disinfection instructions in this description.

If you have already rebooted the phone and it will not start again, the phone can be recovered with the hard format key code that is entered during phone boot.

Disinfection

Doomboot.I disables the application manager to prevent its own uninstallation, and the application installer to prevent installation of anti-virus software. So the only working disinfection method is limited to phones in which the MMC card can be inserted without powering off the phone.

For this disinfection method you need the help of someone with a clean Series 60 phone.

Disinfection with two Series 60 phones

Download the F-Skulls tool from ftp://ftp.f-secure.com/anti-virus/tools/f-skulls.zip or directly with the phone from http://www.europe.f-secure.com/tools/f-skulls.sis

1. Install F-Skulls.sis onto a clean memory card using a clean phone
2. Put the memory card with F-Skulls into the infected phone
3. The application manager and application installer should work again
4. Go to the application manager and uninstall the SIS file with which you installed the Doomboot variant
5. Download and install F-Secure Mobile Anti-Virus to remove any other virus dropped by the Doomboot variant, from http://www.europe.f-secure.com/estore/avmobile.shtml or with the mobile itself from http://mobile.f-secure.com
6. Remove F-Skulls with the application manager, as the phone is now cleaned

Disinfection for cases where the phone has already been rebooted and cannot start up

CAUTION! This method will remove all data on the device, including the calendar and phone numbers.

1. Power off the phone
2. Hold the following three buttons down: "answer call" + "*" + "3"
3. Keep holding the buttons and power on the phone
4. Depending on the model, you either get the text "formatting" or a startup dialog that asks for the initial phone settings
5. Your phone is now formatted and can be used again



Detailed Description

Installation to system

Doomboot.I installs a corrupted system binary into the C:\ drive of the phone. When the phone boots, this corrupted binary is loaded instead of the correct one, and the phone crashes at boot.

Spreading in

"exoVirusStop v 2.13.19.sis"

Payload

Installs corrupted system binaries and a pirated version of the ExoVirusStop anti-virus.



Detection

Generic detection for Doomboot.I in F-Secure Mobile Anti-Virus was published on December 13th, 2004 in database build number 15.



Write-up: Mika Tolvanen, November 29th, 2005

F-Secure Corporation