Trojan:SymbOS/Fontal.A is distributed in a malicious SIS file named 'Kill Saddam By OID500.sis'. If executed, it installs a corrupted Font file onto the device, causing the device to fail at next reboot.
F-Secure Mobile Security will detect Fontal.A and delete the trojan's components.
After disinfecting the phone, remove the remaining empty directories by going to the Application Manager and uninstalling the SIS file in which Comwarrior arrived (Kill Saddam By OID500.sis).
1. Install file manager on the phone
2. Go to c:\System\apps\appmngr
3. Delete appmngr.app
4. Go to the application manager
5. Uninstall the SIS file in which the Fontal.A was installed in
CAUTION This method will remove all data on the device, including calendar and phone numbers.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
In addition to installing the corrupted font file, Fontal.A also damages the application manager so that it cannot be uninstalled. No new applications can be installed before the phone is disinfected.
If a phone is infected with Fontal.A, it must not be rebooted as the trojan will prevent the phone from booting again.
If the phone is rebooted, it will try to boot, but will be forever stuck on phone startup and cannot be used.
When the Fontal.A SIS file is installed the installer copies files into following locations:
The appmngr.app is a non-functional file that disables the application manager; the kill sadam.app is a hexedited utility that has been modified to show text reboot and has no other significant function for the trojan.