Threat Description

RommWar.A

Details

Aliases: RommWar.A
Category: Malware
Type: Trojan
Platform: SymbOS

Summary



SymbOS/RommWar.A is a malicious SIS trojan that installs a malfunctioning system component that cause different behaviour depending on the ROM software version in the device. Different effects witnessed range from freezing of the device requiring a restart, to disabling the power button on the device, or in some cases no apparent effect on device at all.



Removal



Manual disinfection

Depending on the effect caused by SymbOS/RommWar.A, removal of the malfunctioning components might be possible by going to application manager and uninstalling the SIS file in which SymbOS/RommWar.A arrived.

Disinfection for the cases when phone cannot start up

CAUTION! this method will remove all data on the device including calendar and phone numbers:

  • Power off the phone
  • Hold the following three buttons down - "answer call" + "*" + "3"
  • Keep holding down the buttons and power on the phone
  • Depending on the model, you will either get text that reads "formatting" or a start-up dialog that asks for the initial phone settings
  • Your phone is now formatted and can be used again


Technical Details



Installation to System

SymbOS/RommWar.A installs a malfunctioning system binary into the C: drive of the phone and a bootstrap component that executes the malfunctioning system binary. This is followed by different effect depending on the version of the ROM software in the device. Effects witnessed vary from the freezing of the device, to disabling of the power button, or sometimes no apparent effect at all.

Payload

Installs a corrupted system binary and a bootstrap component.

In the case of freezing the device, shortly after the device infected with SymbOS/RommWar.A restarts, it shows a notification similar to the picture above. When this notification is displayed the only working function on the device is the option to power-off.



Detection


F-Secure Mobile Anti-Virus for Symbian detects this malware starting from the
Detection Type: Mobile
Database: update build number 84



Description Created: Juha-Pekka Heikkila, April 6, 2006
Technical Details: Juha-Pekka Heikkila, April 6, 2006


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Keep your mobile device protected

F-Secure Mobile Security will keep your mobile device protected on the go and enable you to find it in case you lose it

Learn More