NEWS FROM THE LAB - Wednesday, September 21, 2005

First Symbian trojan that tries to attack PC
Posted by Jarno @ 13:47 GMT

Now that the Bagle situation has calmed down, we have time to blog about another interesting case we got yesterday.

SymbOS/Cardtrap.A is an otherwise unremarkable Symbian trojan, except that it also tries to infect the user's PC if the user inserts the phone's memory card into the PC.

When infecting a Symbian phone, Cardtrap.A copies two Windows worms (Win32/Padobot.Z and Win32/Rays) to the phone's memory card. Padobot.Z is copied together with an autorun.inf file in an attempt to start it automatically if the card is inserted into a PC running Windows. Rays is copied with the filename SYSTEM.EXE and the same icon as the System folder. This is a social engineering attempt to get the user to click on Rays instead of the System folder.

To our knowledge, no Windows version supports autorun from a memory card, but it still might work with some combination of Windows version and third-party driver.
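A check for the two card artifacts described above, as an added example that is not F-Secure's code: it walks a mounted memory card, reports any autorun.inf along with the programs it names, and flags executables named after a sibling folder (the SYSTEM.EXE next to System case). The extension list, function names and sample file names are assumptions made for illustration.

```python
import os
import tempfile

# Assumed set of extensions Windows treats as directly runnable.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}

def parse_autorun_targets(path):
    """Return the programs named by open= / shellexecute= lines in an autorun.inf."""
    targets = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in ("open", "shellexecute"):
                targets.append(value.strip())
    return targets

def scan_card(root):
    """Flag autorun.inf files and executables that share a name with a sibling folder."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower() for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            full = os.path.join(dirpath, name)
            if name.lower() == "autorun.inf":
                findings.append(("autorun", full, parse_autorun_targets(full)))
            elif ext.lower() in EXEC_EXTS and stem.lower() in folders:
                # With extensions hidden, this file displays under the folder's name.
                findings.append(("folder-decoy", full, stem))
    return findings

def build_sample_card(root):
    """Constructed sample layout made of harmless text files, not a real infected card."""
    os.makedirs(os.path.join(root, "System", "Apps"))
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=sample_payload.exe\n")
    for name in ("sample_payload.exe", "SYSTEM.EXE", "photo.jpg"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("placeholder")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as card:
        for finding in scan_card(build_sample_card(card)):
            print(finding)
```

To check a real card, call `scan_card()` with the card's mount point and review each finding before opening anything on the card.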

The goal of the trojan is most likely to cause the user to infect his PC while he is trying to disinfect his phone. A typical reaction of a more advanced user who encounters a trojan like Cardtrap would be to insert the phone's memory card into a PC to copy a file manager or disinfection tool to the card. Only this time, a careless user might get his PC infected in the process.

Both Padobot.Z and Rays are detected by F-Secure Anti-Virus, and we have also added detection and disinfection for them to F-Secure Mobile Anti-Virus.