Trend Micro Virus Alert: SYMBOS_CARDTRP.A

Discussion in 'malware problems & news' started by Randy_Bell, Sep 23, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    SYMBOS_CARDTRP.A is destructive Symbian malware that affects mobile devices running on Symbian operating system with the Series 60 Platform user interface. The malware is currently spreading in-the-wild and infecting the following phone models:

    * Nokia 3600
    * Nokia 3620
    * Nokia 3650
    * Nokia 3660
    * Nokia 6600
    * Nokia 6620
    * Nokia 7610
    * Nokia 7650
    * Nokia N-Gage
    * Panasonic X700
    * Sendo X
    * Siemens SX1

    This malware originates in Symbian Series 60 devices, but has the potential to spread to PCs running the Microsoft Windows Operating System. There are two methods by which the mobile device can be infected:

    * Receiving the malware manually via Bluetooth or MMS
    * Downloading and installing it from the Web

    Here’s how it works:

    * Like many of its predecessors, SYMBOS_CARDTRP.A propagates via Bluetooth (within a 10 meter range). The infection then resides in the memory card of the mobile device.
    * This malware also overwrites normal applications installed on the affected mobile device with malformed copies, thus preventing those applications from working properly.
    * This malware contains the additional capability to infect Windows-based PCs from the phone. If the user inserts the infected memory card into their PCs card slot, the infection has the potential to infect the PC, then attempts to spread to other PCs from there.
    * SYMBOS_CARDTRP.A drops the following 4 files into the E:\ directory (commonly utilized by the memory card):
    o fsb.exe, detected by Trend Micro as BKDR_BERBEW.Q, attempts to compromise machines and steal password information
    o buburuz.ICO, which masquerades as the icon file for the memory card
    o autorun.inf, which attempts to automatically execute fsb.exe
    o SYSTEM.exe, detected by Trend Micro as WORM_WUKILL.B
    * When the memory card is inserted into a Windows computer, the file autorun.inf will attempt to execute fsb.exe. Also, though the file SYSTEM.exe does not contain an automatic startup routine, it has the appearance of a legitimate folder icon to lure
    users into executing it.
    * If successfully executed, the malware then launches WORM_WUKILL.B, which attempts to spread the infection to other PCs.

    If you would like to download a free, trial module to protect against this threat, visit
Thread Status:
Not open for further replies.