Trojan:SymbOS/Cardblock.A is a trojanized version of the Symbian application InstantSis created by Biscompute.
F-Secure Mobile Security is capable of detecting and deleting the Cardblock.A trojan. However, Cardblock.A deletes itself when the payload triggers, so actual disinfection of the device is not necessary.
As long as the phone has not been rebooted after the Cardblock.A infection, the MMC contents are still accessible and can be copied to a PC. Use PC sync software to copy the card contents to a PC and from there to another card.
Prevent future infections with F-Secure Mobile Security
The trojan is distributed in a file named:
When installed, Cardblock.A appears to be a cracked version of InstantSis, providing the user with the ability to repack already installed SIS files and to copy them to another device.
However, when the user tries to use Cardblock.A to copy an application, a payload triggers that blocks the MMC memory card of the phone and deletes critical system and mail directories.
The memory card is blocked by setting a random password on the card. After the phone has been rebooted once, the card is no longer accessible on the phone or any other device without entering the password. As the password is a random code that is not provided to the user, the card and its contents are unusable until unlocked.
Deleting system directories destroys information about installed applications, the user's MMS and SMS messages, phone numbers stored on the phone, and other critical system data.
Phones using Symbian OS 7.0 or older, such as the Nokia 6670 and 6600, can recover from deleted system directories at the next boot.
However, phones using Symbian OS 8.1a, such as the Nokia 6630, cannot recover the system directories, and thus fail to boot properly and display a message instructing the user to take the phone in for maintenance. Such phones can be recovered with a hard format operation described in the disinfection instructions.
If you have installed Cardblock.A and triggered the payload, do not reboot the phone before using sync software to make a backup of the card contents.
Cardblock.A blocks the MMC card inserted into the phone by generating a random password and setting this password on the MMC card. If the device has the MMC card open when the payload triggers, the card is still accessible until it is removed from the device or the device reboots.
After rebooting, the card cannot be accessed without guessing the correct password, which is quite improbable.
Cardblock.A deletes the following directories from the device:
Deleting these directories destroys the data of most system applications, such as the phone book, SMS and MMS messaging. The installation information of all installed applications is also destroyed, so many third-party applications become unusable and can no longer be uninstalled.
F-Secure Mobile Anti-Virus for Symbian detects this malware starting from the update build number 51.