SymbOS/Cardblock.A

Type: Trojan
SubType:
Discovery Date: 10/14/2005
Length:
Minimum DAT: 4605 (10/14/2005)
Updated DAT: 4605 (10/14/2005)
Minimum Engine: 5.1.00
Description Added: 10/14/2005
Description Modified: 10/14/2005 9:39 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

SymbOS/Cardblock.A claims to be a pirated version of InstantSis, a SIS file re-packaging program. It is found in a SIS file named "instantsis.v2.1.cracked.by_binzPDA.SIS".

The malware must be run to activate the payload. If no user-installed applications other than the malware exist on the phone, the payload will not activate. Otherwise, attempting to send the malware will activate the payload. Sending installed applications other than the malware will not trigger the payload.

An example:

  1. FExplorer is installed on the phone.
  2. SymbOS/Cardblock.A is then installed.
  3. The Trojan is then run.
  4. The InstantSis file is selected for sending.

Sending activates the payload.

SymbOS/Cardblock.A deletes itself as a side effect of its payload.

Symptoms

SymbOS/Cardblock.A deletes the following system directories:

  • C:\system\install
  • C:\system\data
  • C:\system\libs
  • C:\system\mail
  • C:\system\bootdata

If a memory card is installed, it will be locked with a randomly generated password.

Method of Infection

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

SymbOS/Cardblock.A is a Trojan horse that emulates the InstantSis program. When used, it deletes many important system directories and all user-installed programs. SymbOS/Cardblock.A also locks the memory card with a random password.