Locknut.A is a malicious SIS file trojan that pretends to be a
patch for Symbian Series 60 mobile phones.
When installed, Locknut.A drops binaries that crash a critical
system component, which prevents any application from being
launched on the phone, effectively locking the phone.
There are also claims that Locknut would disable calling
functionality, so that the user could not make calls with an
infected phone. However, we could not reproduce this effect with
any of the phones we have.
Also, Locknut.A only works on devices that have Symbian OS
7.0S or newer; devices that use Symbian OS 6.0 or 6.1 are
unaffected.
Locknut is targeted against Symbian Series 60 devices, but
Series 70 devices, such as the Nokia 7710, are also vulnerable to
Locknut. However, when trying to install Skulls trojan on a Nokia
7710, the user will get a warning that the SIS file is not
intended for the device, so the risk of accidental infection is low.
Some AV companies call this trojan Gavno, but since this word
is a rather vulgar term in Russian, the AV community has decided
to rename it Locknut.
There are also versions of Locknut that include Cabir.B in the same
SIS file, which some companies call Gavno.B. But since the actual
trojan functionality is totally identical to Locknut.A, we call
both samples Locknut.A.
The Cabir.B included in the Locknut.A samples is harmless, as
Locknut kills all applications on the infected phone, including
the Cabir.B that is installed from the same SIS file.
Even if Locknut.B is disinfected, the Cabir.B still won't start, as
it is installed into the wrong directory on the infected phone.
If the user starts Cabir.B manually after disinfecting Locknut,
Cabir.B will spread as pure Cabir.B and will not transfer Locknut.A
to other devices.
1. Install F-Locknut.sis onto the infected phone's memory card using a clean phone
2. Put the memory card with F-Locknut into the infected phone
3. Start up the infected phone; the application menu should work now
4. Go to the application manager and uninstall the SIS file from which you installed the Locknut variant
5. Download and install F-Secure Mobile Anti-Virus to remove any Cabirs possibly dropped by the Locknut variant
http://www.europe.f-secure.com/estore/avmobile.shtml
or with the mobile itself
http://mobile.f-secure.com
6. Remove the F-Skulls with the application manager, as the phone is now cleaned
Detailed Description
Installation to system
Locknut.A is a SIS file that crashes a critical system ROM binary with a
non-functional stub file. When the Locknut.A SIS file is installed, its files
are installed into the following locations:
c:\system\apps\gavno\gavno.app
c:\system\apps\gavno\gavno.rsc
c:\system\apps\gavno\gavno_caption.rsc
The Locknut.SIS will also contain a copy of itself that is copied into the C:\
directory.
Spreading in
patch_v1.sis and patch_v2.sis
Payload
Both versions of Locknut.A replace a critical system binary, and patch_v2.sis
also drops Cabir.B, which will not be able to start on the phone.