Trojan:SymbOS/Cardtrap.A

Classification

Malware

Trojan

SymbOS

Trojan:SymbOS/Cardtrap.A

Summary

Trojan:SymbOS/Cardtrap.A infects devices running the Symbian S60 operating system and tries to disable large number of system and third party applications.

Removal

Disinfection

The Cardtrap.A disables Application manager to prevent it's uninstallation but it does not prevent installation of Anti-Virus. F-Secure Mobile Anti-Virus can detect and disinfect the files Cardtrap.A uses to disable the phone.

  • Open web browser on the phone
  • Go to http://mobile.f-secure.com
  • Select link "Download F-Secure Mobile Anti-Virus" and then select phone model
  • Download the file and select open after download
  • Install F-Secure Mobile Anti-Virus
  • Go to applications menu and start Anti-Virus
  • Activate Anti-Virus and scan all files. Anti-Virus then removes files that block application manager and other critical functions.
  • Go to application manager and uninstall the file in which the Cardtrap.A was installed.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Cardtrap.A also installs Windows malware on the phone's memory card. The trojan is distributed in a malicious SIS file named 'Black_Symbian v0.10.sis '.

Execution

On installation, the trojan will replace the main executable of several third party applications by overwriting their main executable file.These programs must be reinstalled to repair the damage. The Cardtrap.A installs Windows worms Win32/Padobot.Z and Win32/Rays to the phone memory card. Win32/Rays is copied with name System.exe and has the same icon as a system folder in the memory card, so if the user is tries to read the card via a PC, he might accidentally execute Win32/Rays.Padobot.Z is copied along with an autorun file that points to the Padobot.Z executable, so that if the card is inserted into a PC using Windows, the autorun tries to execute Padobot.Z. We tried this feature with Windows XP SP2 and Windows 2000, and could not get autorun to work. But the autorun feature might work with some Windows installations.