Know~Your~Mobile~Virus 9
SymbOS/CardBlock.A (F-SECURE)
Description:
SymbOS/CardBlock.A contains none of the previously found trojans, but it is capable of deleting the phone's system data files and of blocking access to the memory card.
Affected Platforms:
Tested on:
· Nokia 6680
· Nokia 3660
Affected:
Nokia 6680 ONLY
Analysis/Observation:
This trojan was distributed in an application file and is spreading as instantsis.v2.1.cracked.by.binzpda.SIS.
Symptoms:
When the user tries to install this suspicious file, the installation process looks like the screenshot below:
SymbOS/CardBlock.A claims to be a Series 60 third-party application. Upon installation, an agreement is shown and the user is asked whether he or she agrees with the listed terms before proceeding to the next step to finalize the installation.
After installation is completed, the application icon appears on the phone as shown below:
Method of Infection:
This trojan executes only when the user tries to access it.
When the user accesses the suspicious application, it looks like the image below:
When the user opens the options panel and proceeds to "Send>Via Bluetooth", the trojan starts to execute; the phone starts to hang and lag, and the memory card is locked with a random password.
It will generate a different password to lock up the media card. Further info will be confirmed by the anti-virus firm. I personally sacrificed my 64MB DV-RS-MMC to test this trojan, and it proved to me that it is capable of locking the memory card. Luckily mine is a ZITRON set, so no worries for me.
When one of the component files was disassembled, the following strings were observed, indicating the phone system data that will be deleted:
C:\system\install
C:\system\data
C:\system\libs
C:\system\mail
C:\system\bootdata
Once those files are damaged, the phone is prevented from starting up after a reboot and shows the following error message:
'Phone startup failed, contact the retailer. '
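The path strings listed above can serve as a static triage check on an extracted component file. The Python below is an added example, not part of the original report or of any anti-virus product; the function name, the three-path threshold and the sample bytes are assumptions constructed for illustration.

```python
import re

# Paths the report lists as seen in the disassembled component file.
SYSTEM_PATHS = [r"C:\system\install", r"C:\system\data", r"C:\system\libs",
                r"C:\system\mail", r"C:\system\bootdata"]
# Match a listed path only as a whole component (not C:\system\database).
PATH_RES = {p: re.compile(re.escape(p) + r"(?![A-Za-z0-9])", re.I)
            for p in SYSTEM_PATHS}
# Printable runs of 6+ characters, 8-bit and UTF-16LE (Symbian uses both).
RUNS = (("ascii", 1, re.compile(rb"[\x20-\x7e]{6,}")),
        ("utf-16le", 2, re.compile(rb"(?:[\x20-\x7e]\x00){6,}")))


def scan_component(blob, threshold=3):
    """Return (hits, flagged) for one extracted component file.

    hits maps each listed path to [(byte_offset, encoding), ...]; flagged is
    True when at least `threshold` distinct paths occur. The threshold is an
    assumption of this example: these are ordinary system directories, so a
    single reference is a triage hint, not a verdict.
    """
    hits = {p: [] for p in SYSTEM_PATHS}
    for encoding, width, run_re in RUNS:
        for run in run_re.finditer(blob):
            text = run.group().decode(encoding)
            for path, path_re in PATH_RES.items():
                for m in path_re.finditer(text):
                    hits[path].append((run.start() + m.start() * width, encoding))
    distinct = sum(1 for found in hits.values() if found)
    return hits, distinct >= threshold


# Constructed sample bytes (not taken from the real trojan).
SAMPLE = (b"\x7fEPOC\x00\x01"
          + "C:\\System\\Install\\".encode("utf-16le") + b"\x00\x00\xff\xfe"
          + "c:\\system\\bootdata".encode("utf-16le") + b"\x00\x00\x90\x90"
          + b"C:\\system\\mail\x00" + b"C:\\system\\database.db\x00")

if __name__ == "__main__":
    hits, flagged = scan_component(SAMPLE)
    for path, found in hits.items():
        print(f"{path:22} {found}")
    print("flag for manual review:", flagged)
```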
Prevention:
SymbOS/CardBlock.A requires that the user intentionally install it on the device. As always, users should never install third-party applications from unknown sites. According to the security expert that I met, this trojan is really spreading widely on WAREZ sites; please be alert to it!
How to uninstall:
If the phone has been rebooted, a hard reset must be applied to the phone, and the password-protected memory card can be formatted in a NOKIA 9210 only; otherwise, the user is advised to take it back to the retailer to be sent back to the factory.
Virus analysis report written up by CALVIN TANG © on 1st October 2005.
Special thanks to security expert Jimmy Shah for his kind advice on this trojan.