SYMBOS_LOCKNUT.A

Discussion in 'malware problems & news' started by Randy_Bell, Feb 11, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    SYMBOS_LOCKNUT.A is memory-resident malware that infects mobile devices running Symbian 7.0s Operating System, but does not propagate. It uses a vulnerability in Symbian OS v7.0s to cause a system process crash which locks the mobile device. It drops several files and folders in the C: directory of the phone, which disable several special buttons of the phone, leaving only the keypad buttons enabled. It also infects mobile devices running Symbian OS v6.1 and v7.0 but fails to cause the system to crash.

    This malware usually arrives as an installation file with the following file names:

    * Patch_v1.sis
    * Patch.sis

    Upon installation, this malware drops the following files and folders in the C: directory of the phone:

    * system\apps\gavno\gavno.app
    * system\apps\gavno\gavno.rsc
    * system\apps\gavno\gavno_caption.rsc

    It also drops a copy of itself as PATCH.SIS in the C: directory of the phone. These files are specially crafted to disable most of the special buttons of the phone, leaving only the keypad buttons enabled. It can also infect mobile devices running Symbian OS v6.1 and v7.0 but fails to cause the system to crash.

    You may download Trend Micro's SYMBOS_LOCKNUT Clean Tool to a memory card with an uninfected device.

    SYMBOS_LOCKNUT.A is detected and cleaned by Trend Micro pattern file #2.389.02 and above. Read additional information about SYMBOS_LOCKNUT.A.

    Learn more about Trend Micro Mobile Security.
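
A triage check for the indicators listed in the post above, as an added example that is not part of the original post and is not Trend Micro's clean tool. It assumes a plain file listing exported from the phone or its memory card; the function names, verdict labels and sample paths are constructed for illustration.

```python
import ntpath

# Indicators copied from the post; paths are relative to the phone's C: drive.
DROPPED_FILES = {
    "system\\apps\\gavno\\gavno.app",
    "system\\apps\\gavno\\gavno.rsc",
    "system\\apps\\gavno\\gavno_caption.rsc",
}
INSTALLER_NAMES = {"patch_v1.sis", "patch.sis"}


def split_path(raw):
    """Return (drive, path) lower-cased, with backslash separators only."""
    drive, rest = ntpath.splitdrive(raw.strip().replace("/", "\\").lower())
    return drive, rest.lstrip("\\")


def triage(listing):
    """Classify a file listing (one path per entry) against the indicators."""
    dropped, installer = [], []
    for raw in listing:
        drive, path = split_path(raw)
        # The post names C: only, so dropped files are matched there
        # (or in listings that carry no drive letter at all).
        if drive in ("", "c:") and path in DROPPED_FILES:
            dropped.append(raw)
        elif ntpath.basename(path) in INSTALLER_NAMES:
            installer.append(raw)
    if dropped:
        verdict = "dropped-files-present"
    elif installer:
        # A generic .sis file name on its own is weak evidence (assumption
        # of this example): report it separately for manual review.
        verdict = "installer-name-only"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "dropped": dropped, "installer": installer}


# Constructed sample listing, not taken from a real device.
SAMPLE = [
    "C:\\System\\Apps\\Gavno\\gavno.app",
    "C:/system/apps/gavno/gavno_caption.rsc",
    "C:\\PATCH.SIS",
    "E:\\Images\\photo01.jpg",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```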
     