NEWS FROM THE LAB - Tuesday, February 1, 2005

Disinfection tool for SymbOS/Locknut.A (Gavno.A and Gavno.B) published

Posted by Jarno @ 11:16 GMT

We just published a detection and disinfection tool for the Symbian trojan Locknut.A, which some AV companies call Gavno.A and Gavno.B. The whole case is rather interesting, for reasons quite different from it being a dangerous trojan.

Locknut.A is a Symbian SIS file trojan that replaces a critical system binary, causing the phone to lock down so that no applications can be used. This locking is quite similar to the one caused by Skulls variants, but more complete.

Locknut.A is also claimed to prevent the user from making calls with the phone, but we could not observe such behavior. All the phones we infected with Locknut.A were able to make calls just fine: all smartphone features were disabled, but calling worked.

The name agreed upon by the AV community for this trojan is Locknut.A, not Gavno. The name originally given by the AV company that discovered it is the name given by the author of the virus, and by policy we don't use such names. Also, the word Gavno is a rather vulgar term for feces in Russian, and close to that in Bulgarian.

Also, there is only one Locknut variant. There are several samples, so some AV companies call them the A and B variants. But the samples are functionally identical; the only difference is that some of them contain Cabir.B added into the installation package, and this does not constitute a new variant.

We have created a disinfection tool that can unlock a phone infected by Locknut.A so that the phone can be disinfected with the help of another phone.

The F-Locknut tool is able to disinfect a phone even if Locknut has locked it completely. Disinfection is done by installing F-Locknut onto a memory card using a clean phone, then inserting the card into the infected phone and booting it. During boot-up, F-Locknut frees the critical system files so that the user can access the menu again and install an anti-virus for full disinfection.