Trojan:SymbOS/Cardtrap.B

Classification

Malware

Trojan

SymbOS

SymbOS/Cardtrap.B, Trojan:SymbOS/Cardtrap.B

Summary

Trojan:SymbOS/Cardtrap.B is a minor variation of Cardtrap.A; the main differences are that Cardtrap.B drops corrupted binaries from Doomboot.A and copies one additional copy of Win32/Padobot.Z to memory card.

Removal

Cardtrap.B disables Application manager to prevent it from uninstalling but it does not prevent installation of Anti-Virus. F-Secure Mobile Anti-Virus can detect and disinfect the files Cardtrap.B uses to disable the phone.

  • Open web browser on the phone
  • Go to http://mobile.f-secure.com
  • Select link "Download F-Secure Mobile Anti-Virus" and then select phone model
  • Download the file and select open after download
  • Install F-Secure Mobile Anti-Virus
  • Go to applications menu and start Anti-Virus
  • Activate Anti-Virus and scan all files. Anti-Virus then removes files that block application manager and other critical functions
  • Go to application manager and uninstall the file in which the Cardtrap.B was installed
Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The trojan is distributed in a malicious SIS file named 'CamcorderPro v3.00 final.Sis'.

Execution

When installed, Cardtrap.B will replace the main executable of several third party applications by overwriting their main executable file. These programs must be reinstalled to repair the damage.

Cardtrap.C also drops components from SymbOS/Doomboot.A, which prevent the phone from booting. So if your phone is infected with Cardtrap.C it is important not to reboot the phone before disinfecting it.

Cardtrap.B installs Windows worms Win32/Padobot.Z and Win32/Rays to the phone memory card. Win32/Rays is copied with name System.exe and has the same icon as System folder in the memory card, so that a user is trying to read the contents of card with PC might accidentally execute the Win32/Rays.

The Padobot.Z is copied along with autorun file that points to the Padobot.Z executable, so that if the card is inserted into PC using Windows the autorun tries to execute Padobot.Z. Another copy of Padobot.Z is copied to System/Apps directory with name Apps.exe, using the same kind of social engineering as Win32/Rays.

We tried this feature with Windows XP SP2 and Windows 2000, and could not get autorun to work. But the autorun feature might work with some Windows installations.

Date Created: -

Date Last Modified: -