losoka
11th Nov '07 Sun, 13:35
Trojan horse program runs on Symbian Series 60 mobile phones and prevents them from restarting.
Paul Roberts, IDG News Service
Antivirus company F-Secure is warning mobile phone users about a new malicious software program that infects phones using the Symbian Series 60 operating system and prevents the phones from starting.
The Trojan horse program, dubbed Fontal.A, is not a worm or virus, and would have to be downloaded by the Symbian phone's owner to infect the phone. It is just the latest example of malicious code, including worms and viruses, that targets mobile devices.
Fontal.A was discovered on Wednesday and is transferred to mobile phones as an SIS-format installer file called "Kill Saddam By OID500.sis," F-Secure says.
Once installed, the program damages the phone so that the device cannot reboot. Mobile phone users who are infected with Fontal should not turn off their phone before removing the Trojan horse, F-Secure says. The company has posted instructions for removing the Trojan horse from infected phones.
Don't Download It
Unlike earlier threats to mobile devices, such as the Cabir worm, Fontal does not attempt to spread from phone to phone. Phone users can be infected only by downloading the SIS file containing the Trojan horse from a Web site or from a peer-to-peer file-sharing network, F-Secure says.
Malicious programs that run on mobile platforms such as Symbian have become more common since Cabir, the first mobile worm, was identified in August 2004. Variants of Cabir have since spread to 16 countries, including the United States, Japan, and France. In March, antivirus companies also identified the first mobile phone worm, CommWarrior, which spreads using MMS (Mobile Messaging Service).
Trojan horse programs have been proliferating, as well. In March antivirus companies warned about the Drever.C Trojan horse, which infected Symbian phones and attempted to stop mobile antivirus software running on those devices.
F-Secure Malware Information Pages: Fontal.A
[Summary] | [Disinfection] | [Detailed Description]
Name : Fontal.A
Alias: Trojan:SymOS/Fontal.A, SymbOS/Fontal.A
Type: Trojan
Category: Malware
Platform: SymbOS
Summary
Fontal.A is a SIS file trojan that installs corrupted Font file onto the infected device, thus causing the device to fail at next reboot.
Disinfection
Disinfection
F-Secure Mobile Anti-Virus will detect Fontal.A and delete the trojan's components.
1. Open web browser on the phone
2. Go to http://mobile.f-secure.com
3. Select link "Download F-Secure Mobile Anti-Virus" and then select phone model
4. Download the file and select open after download
5. Install F-Secure Mobile Anti-Virus
6. Go to applications menu and start Anti-Virus
7. Activate Anti-Virus and scan all files
After disinfecting you phone, you can remove remaining empty directories by going to application manager and uninstalling the SIS file in which Comwarrior arrived (Kill Saddam By OID500.sis).
Manual disinfection
1. Install file manager on the phone
2. Go to c:\System\apps\appmngr
3. Delete appmngr.app
4. Go to the application manager
5. Uninstall the SIS file in which the Fontal.A was installed in
Disinfection for the cases when phone is already rebooted and cannot start up
CAUTION! this method will remove all data on the device including calendar and phone numbers.
1. Power off the phone
2. Hold following three buttons down "answer call" + "*" + "3"
3. Keep holding the buttons and power on the phone
4. Depending on the model, you either get text "formatting" or startup dialog that asks for initial phone settings
5. Your phone is now fomatted and can be used again
If a phone is infected with Fontal.A, it must not be rebooted as the trojan will prevent the phone from booting again.
If the phone is rebooted, it will try to boot, but will be forever stuck on phone startup and cannot be used.
In addition to installing the corrupted font file, Fontal.A also damages the application manager so that it cannot be uninstalled, and no new applications can be installed before the phone is disinfected.
Spreading Vectors
* Kill Saddam By OID500.sis
Infection
When the Fontal.A SIS file is installed the installer copies files into following locations:
* \system\apps\appmngr\appmngr.app
* \system\apps\kill sadam\kill sadam.app
* \system\apps\fonts\kill sadam font.gdr
The appmngr.app is a non-functional file that disables the application manager; the kill sadam.app is a hexedited utility that has been modified to show text reboot and has no other significant function for the trojan.
Paul Roberts, IDG News Service
Antivirus company F-Secure is warning mobile phone users about a new malicious software program that infects phones using the Symbian Series 60 operating system and prevents the phones from starting.
The Trojan horse program, dubbed Fontal.A, is not a worm or virus, and would have to be downloaded by the Symbian phone's owner to infect the phone. It is just the latest example of malicious code, including worms and viruses, that targets mobile devices.
Fontal.A was discovered on Wednesday and is transferred to mobile phones as an SIS-format installer file called "Kill Saddam By OID500.sis," F-Secure says.
Once installed, the program damages the phone so that the device cannot reboot. Mobile phone users who are infected with Fontal should not turn off their phone before removing the Trojan horse, F-Secure says. The company has posted instructions for removing the Trojan horse from infected phones.
Don't Download It
Unlike earlier threats to mobile devices, such as the Cabir worm, Fontal does not attempt to spread from phone to phone. Phone users can be infected only by downloading the SIS file containing the Trojan horse from a Web site or from a peer-to-peer file-sharing network, F-Secure says.
Malicious programs that run on mobile platforms such as Symbian have become more common since Cabir, the first mobile worm, was identified in August 2004. Variants of Cabir have since spread to 16 countries, including the United States, Japan, and France. In March, antivirus companies also identified the first mobile phone worm, CommWarrior, which spreads using MMS (Mobile Messaging Service).
Trojan horse programs have been proliferating, as well. In March antivirus companies warned about the Drever.C Trojan horse, which infected Symbian phones and attempted to stop mobile antivirus software running on those devices.
F-Secure Malware Information Pages: Fontal.A
[Summary] | [Disinfection] | [Detailed Description]
Name : Fontal.A
Alias: Trojan:SymOS/Fontal.A, SymbOS/Fontal.A
Type: Trojan
Category: Malware
Platform: SymbOS
Summary
Fontal.A is a SIS file trojan that installs corrupted Font file onto the infected device, thus causing the device to fail at next reboot.
Disinfection
Disinfection
F-Secure Mobile Anti-Virus will detect Fontal.A and delete the trojan's components.
1. Open web browser on the phone
2. Go to http://mobile.f-secure.com
3. Select link "Download F-Secure Mobile Anti-Virus" and then select phone model
4. Download the file and select open after download
5. Install F-Secure Mobile Anti-Virus
6. Go to applications menu and start Anti-Virus
7. Activate Anti-Virus and scan all files
After disinfecting you phone, you can remove remaining empty directories by going to application manager and uninstalling the SIS file in which Comwarrior arrived (Kill Saddam By OID500.sis).
Manual disinfection
1. Install file manager on the phone
2. Go to c:\System\apps\appmngr
3. Delete appmngr.app
4. Go to the application manager
5. Uninstall the SIS file in which the Fontal.A was installed in
Disinfection for the cases when phone is already rebooted and cannot start up
CAUTION! this method will remove all data on the device including calendar and phone numbers.
1. Power off the phone
2. Hold following three buttons down "answer call" + "*" + "3"
3. Keep holding the buttons and power on the phone
4. Depending on the model, you either get text "formatting" or startup dialog that asks for initial phone settings
5. Your phone is now fomatted and can be used again
If a phone is infected with Fontal.A, it must not be rebooted as the trojan will prevent the phone from booting again.
If the phone is rebooted, it will try to boot, but will be forever stuck on phone startup and cannot be used.
In addition to installing the corrupted font file, Fontal.A also damages the application manager so that it cannot be uninstalled, and no new applications can be installed before the phone is disinfected.
Spreading Vectors
* Kill Saddam By OID500.sis
Infection
When the Fontal.A SIS file is installed the installer copies files into following locations:
* \system\apps\appmngr\appmngr.app
* \system\apps\kill sadam\kill sadam.app
* \system\apps\fonts\kill sadam font.gdr
The appmngr.app is a non-functional file that disables the application manager; the kill sadam.app is a hexedited utility that has been modified to show text reboot and has no other significant function for the trojan.