Threat Descriptons



Category :


Type :


Platform :


Aliases :

SymbOS/Cardtrap.B, Trojan:SymbOS/Cardtrap.B


Trojan:SymbOS/Cardtrap.B is a minor variation of Cardtrap.A; the main differences are that Cardtrap.B drops corrupted binaries from Doomboot.A and copies one additional copy of Win32/Padobot.Z to memory card.


A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The trojan is distributed in a malicious SIS file named 'CamcorderPro v3.00 final.Sis'.


When installed, Cardtrap.B will replace the main executable of several third party applications by overwriting their main executable file. These programs must be reinstalled to repair the damage.

Cardtrap.C also drops components from SymbOS/Doomboot.A, which prevent the phone from booting. So if your phone is infected with Cardtrap.C it is important not to reboot the phone before disinfecting it.

Cardtrap.B installs Windows worms Win32/Padobot.Z and Win32/Rays to the phone memory card. Win32/Rays is copied with name System.exe and has the same icon as System folder in the memory card, so that a user is trying to read the contents of card with PC might accidentally execute the Win32/Rays.

The Padobot.Z is copied along with autorun file that points to the Padobot.Z executable, so that if the card is inserted into PC using Windows the autorun tries to execute Padobot.Z. Another copy of Padobot.Z is copied to System/Apps directory with name Apps.exe, using the same kind of social engineering as Win32/Rays.

We tried this feature with Windows XP SP2 and Windows 2000, and could not get autorun to work. But the autorun feature might work with some Windows installations.

More Support


Ask questions in our Community .

User Guides

Check the user guide for instructions.

Contact Support

Chat with or call an expert.

Submit a Sample

Submit a file or URL for analysis.