Locknut.B is a malicious SIS file trojan that pretends to be
a patch for Symbian Series 60 mobile phones.
When installed, Locknut.B drops a binary that crashes a
critical system component, which prevents any application
from being launched on the phone, effectively locking
the phone.
Locknut.B also drops a copy of Cabir.V onto the device,
but it will not start automatically.
It is harmless anyway, as Locknut.B kills all applications
on the infected phone, including the Cabir.V that is installed
from the same SIS file.
Even if Locknut.B is disinfected, Cabir.V still won't start, as
it is installed into the wrong directory on the infected phone.
If the user starts Cabir.V manually after disinfecting Locknut.B,
Cabir.V will spread as pure Cabir.V and will not transfer Locknut.B
to other devices.
Detailed Description
Installation to system
Locknut.B is a SIS file that crashes a critical system ROM binary with a non-functional
stub file. When the Locknut.B SIS file is installed, its files are installed into
the following locations:
c:\system\apps\gavnor\gavnor.app
c:\system\apps\gavnor\gavnor.rsc
c:\system\apps\gavnoreturn\flo.mdl
c:\system\apps\gavnoreturn\gavnoreturn.app
c:\system\apps\gavnoreturn\gavnoreturn.rsc
c:\system\apps\gavnoreturn\gavnoreturn_caption.rsc
Some of the files dropped by Gavno contain text intended as messages
from the trojan's author.
Spreading in
MMFpatch.sis
Payload
Locknut.B drops a corrupted binary file that will cause a crash in a critical operating
system component. Locknut.B also drops Cabir.V, which does not start on the
phone unless executed on purpose after disinfection.