Classification

Category :

Malware

Type :

-

Aliases :

Drever.C, SymbOS/Drever.C

Summary

Drever.C is a malicious SIS file trojan that attacks bootloader files of several mobile Anti-Virus programs, and tries to attack F-Secure Mobile Anti-Virus by overwriting its files.

Drever.C attacks the bootloader files of the Kaspersky, Simworks and F-Secure Symbian Anti-Virus products.

In addition to trying to overwrite the bootloaders, Drever.C also tries to cripple F-Secure Mobile Anti-Virus by replacing its binaries with corrupted ones.

However, because F-Secure Mobile Anti-Virus protects its own files against any modification attempt, both attacks fail when the Anti-Virus is in real-time scan mode, which is the default.

If F-Secure Mobile Anti-Virus is switched off, or is in manual scan mode (which is essentially the same as switched off), the attack will damage the Anti-Virus, but the user can recover easily by re-installing it.

Removal

Drever.C can be disinfected easily by using F-Secure Mobile Anti-Virus available from https://www.f-secure.com/estore/avmobile.shtml

Alternatively, you can remove it by uninstalling the SIS file from which Drever.C was installed, using the application manager:

  1. Open the application manager
  2. Uninstall New_bases_and_crack_for_antiviruses.sis
  3. Re-install your Anti-Virus

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Payload

When the Drever.C SIS file is installed on the system, it tries to replace the bootloader files used by the Kaspersky, Simworks and F-Secure Symbian Anti-Virus products with corrupted versions. In addition to the bootloader files, Drever.C also installs corrupted binaries of F-Secure Mobile Anti-Virus and a corrupted licence file for Simworks Anti-Virus.

If the device has F-Secure Mobile Anti-Virus with up-to-date databases, Drever.C will be detected before it can be installed. If the device does not have up-to-date databases, the installation will still fail, because the attempt to overwrite the F-Secure Anti-Virus files crashes the application installer and thus terminates the installation of Drever.C.

The files are corrupted by manually editing them and writing the text '123' into random locations in the files.
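The following is an added example, not part of F-Secure's description and not the self-protection code of F-Secure Mobile Anti-Virus. It shows how a defender can detect this kind of tampering: a hash manifest of the protected files taken while they are known to be clean, a check that flags files that are modified or missing, a byte-level diff that pinpoints where short overwrites such as '123' landed, and a secondary string check for the messages listed on this page. The file names, the stand-in bootloader bytes and the edit offsets are constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample: a stand-in for an AV bootloader file (not a real Symbian
# binary). The bytes only need to be known so that tampering can be detected.
CLEAN_BOOTLOADER = bytes(range(256)) * 4  # 1024 bytes of predictable content

# Strings the page lists from the edited files; used as a secondary,
# signature-style indicator alongside the integrity check.
KNOWN_MARKERS = [b"FSECURE MUST DIE", b"My target is Simworks"]

# Constructed sample of an edited file carrying one of those messages.
MESSAGE_SAMPLE = b"\x00\x01FSECURE MUST DIE!!!!!!\x00"


def overwrite_at(data: bytes, edits: List[Tuple[int, bytes]]) -> bytes:
    """Produce a corrupted copy for test data only: write short text at given
    offsets, mimicking the '123' edits the page describes."""
    buf = bytearray(data)
    for offset, text in edits:
        buf[offset:offset + len(text)] = text
    return bytes(buf)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the hash of every protected file while it is known to be clean."""
    return {name: sha256_hex(content) for name, content in files.items()}


def check_integrity(manifest: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, str]:
    """Compare current file contents against the manifest.
    Returns 'ok', 'modified' or 'missing' for each manifest entry."""
    result = {}
    for name, expected in manifest.items():
        if name not in files:
            result[name] = "missing"
        elif sha256_hex(files[name]) != expected:
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


def diff_runs(original: bytes, current: bytes) -> List[Tuple[int, bytes]]:
    """Locate contiguous runs of changed bytes as (offset, new_bytes).
    A length change is reported as one extra run at the shorter length
    (appended bytes, or b'' if the file was truncated)."""
    runs = []
    start = None
    n = min(len(original), len(current))
    for i in range(n):
        if original[i] != current[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, current[start:i]))
            start = None
    if start is not None:
        runs.append((start, current[start:n]))
    if len(current) != len(original):
        runs.append((n, current[n:]))
    return runs


def find_markers(data: bytes, markers=KNOWN_MARKERS) -> List[bytes]:
    """Return the known message strings present in a file."""
    return [m for m in markers if m in data]


# Hypothetical file names; the manifest is taken from the clean files.
MANIFEST = build_manifest({
    "fsav_boot.bin": CLEAN_BOOTLOADER,
    "fsav_licence.dat": b"licence-sample",
})

# Constructed post-attack state: bootloader overwritten at two offsets,
# licence file removed.
TAMPERED_BOOTLOADER = overwrite_at(CLEAN_BOOTLOADER, [(100, b"123"), (700, b"123")])


def demo():
    current = {"fsav_boot.bin": TAMPERED_BOOTLOADER}
    status = check_integrity(MANIFEST, current)
    runs = diff_runs(CLEAN_BOOTLOADER, current["fsav_boot.bin"])
    return status, runs


if __name__ == "__main__":
    print(demo())
    print(find_markers(MESSAGE_SAMPLE))
```

Hash comparison alone tells you that a file changed; the byte diff is what shows the characteristic pattern of a few three-byte overwrites rather than a wholesale replacement, and the marker check catches edited files even where no clean reference hash is available.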

Some of the edited files contain strings intended as messages to AV vendors:

FSECURE MUST DIE!!!!!!
Please, don't make new antiviruses for my viruses and I stop make
viruses for your antiviruses. My target is Simworks!
=)
 

Spreading in: New_bases_and_crack_for_antiviruses.sis