First posted on 25 April 2007.
Source: SecurityHome
Cardblock.A is also known as SymbOS/Cardblock.A.
SymbOS/Cardblock.A is a trojanized version of the Symbian application InstantSis created by Biscompute.
When installed, Cardblock.A appears to be a cracked version of InstantSis that gives the user the ability to repack already installed SIS files and copy them to another device.
However, when the user tries to use Cardblock.A to copy an application, a payload triggers that blocks the MMC memory card of the phone and deletes critical system and mail directories.
The memory card is blocked by setting a random password on it. After the phone has been rebooted once, the card is no longer accessible on the phone or on any other device without entering the password. As the password is a random code that is not provided to the user, the card and its contents are unusable until unlocked.
Deleting system directories destroys information about installed applications, the user's MMS and SMS messages, phone numbers stored on the phone, and other critical system data.
Phones using Symbian OS 7.0 or older, such as the Nokia 6670 and 6600, can recover from deleted system directories at the next boot.
However, phones using Symbian OS 8.1a, such as the Nokia 6630, cannot recover the system directories, and thus fail to boot properly and display a message that instructs that the phone be taken into maintenance. Such phones can be recovered with a hard format operation described in the disinfection instructions.
If you have installed Cardblock.A and triggered the payload, do not reboot the phone before using sync software to make a backup of the card contents.
Spreads Via:
- instantsis.v2.1.cracked.by.binzpda.sis
Payload
Blocks the MMC Card
Cardblock.A blocks the MMC card inserted into the phone by generating a random password and setting it on the card. If the device has the MMC card open when the payload triggers, the card is still accessible until it is removed from the device or the device reboots.
After rebooting, the card cannot be accessed without guessing the correct password, which is quite improbable.
Deleting System Directories
Cardblock.A deletes the following directories from the device:
- C:\system\bootdata
- C:\system\data
- C:\system\install
- C:\system\libs
- C:\system\mail
Deleting these directories destroys the data of most system applications, such as the phone book and SMS and MMS messaging. The installation information of all installed applications is also destroyed, so many third-party applications become unusable and can no longer be uninstalled.
Last update 25 April 2007