Read-only archive of the All About Symbian forum (2001–2013) · About this archive

Update on java virus posted a few months ago.

4 replies · 2,925 views · Started 03 June 2008

Hey everyone. I've found the virus that was present on my device. It appears that it is not from a Java app at all.
The details are as follows:

SymbOS.Drever.A

Discovered: March 21, 2005
Updated: February 13, 2007 12:35:50 PM
Type: Trojan Horse
Systems Affected: EPOC

SymbOS.Drever.A is a Trojan horse that disables certain Symbian OS antivirus programs by overwriting their startup files.

When SymbOS.Drever.A is executed, it performs the following actions:

Arrives as a file named Antivirus.sis. When this file is executed, it creates the following files:

C:\system\apps\GavnoWin!\Gavnowin.app
C:\system\apps\GavnoWin!\Gavnowin.rsc
C:\system\apps\GavnoWin!\Gavnowin_caption.rsc
C:\system\apps\GavnoWinYou\Gavnowin.app
C:\system\apps\GavnoWinYou\Gavnowin.rsc
C:\system\apps\GavnoWinYou\Gavnowin_caption.app

Drops the following files, which overwrite the startup files used by some Symbian OS antivirus programs:

C:\system\recogs\AVBoot.mdl
C:\system\recogs\kl_antivirus.mdl

REMOVAL INSTRUCTIONS:

Removal instructions for handheld devices:

1. Install a file manager program on the device.
2. Enable the option to view the files in the system folder.
3. Navigate to the following folder:

   C:\system\apps

4. Delete the following files:

   GavnoWin!\Gavnowin.app
   GavnoWin!\Gavnowin.rsc
   GavnoWin!\Gavnowin_caption.rsc
   GavnoWinYou\Gavnowin.app
   GavnoWinYou\Gavnowin.rsc
   GavnoWinYou\Gavnowin_caption.app

5. Navigate to the following folder:

   C:\system\recogs

6. Delete the following files:

   AVBoot.mdl
   kl_antivirus.mdl

7. Reinstall your antivirus software.
8. Exit the file manager.
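The removal steps above are a manual check for a fixed list of file paths. As an added example (not part of the original post or the Symantec advisory), the script below performs the same check against a directory on a PC. It assumes the phone's C: drive contents have already been copied into that directory (how the copy is made is outside the script); the only indicators it knows are the paths listed in the advisory. Because Symbian's FAT file system is case-insensitive while a copy on a Linux PC is not, the match is done on lowercased paths. The sample tree it builds for the demonstration is constructed placeholder files, not real malware.

```python
"""Added example: check a copied Symbian C: drive for SymbOS.Drever.A file indicators.

Assumption: the phone's C: drive contents have been copied into a directory on a
PC. The indicator paths are exactly those listed in the advisory.
"""
import os
import tempfile
from pathlib import Path

# Indicator paths from the advisory, relative to C:\ (separators kept as written there).
DREVER_APP_FILES = [
    r"system\apps\GavnoWin!\Gavnowin.app",
    r"system\apps\GavnoWin!\Gavnowin.rsc",
    r"system\apps\GavnoWin!\Gavnowin_caption.rsc",
    r"system\apps\GavnoWinYou\Gavnowin.app",
    r"system\apps\GavnoWinYou\Gavnowin.rsc",
    r"system\apps\GavnoWinYou\Gavnowin_caption.app",
]
# Dropped recogniser modules that overwrite the antivirus startup files.
DREVER_RECOG_FILES = [
    r"system\recogs\AVBoot.mdl",
    r"system\recogs\kl_antivirus.mdl",
]


def index_tree(root: Path) -> dict:
    """Map lowercased, forward-slash relative paths to the real paths under root.

    FAT on the phone is case-insensitive; a copy on Linux is not, so keys are
    lowercased to get the same matching behaviour either way.
    """
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            index[full.relative_to(root).as_posix().lower()] = full
    return index


def find_drever_artifacts(root) -> dict:
    """Return which advisory-listed files exist under root, grouped by their role."""
    index = index_tree(Path(root))

    def present(paths):
        return [p for p in paths if p.replace("\\", "/").lower() in index]

    return {
        "app_files": present(DREVER_APP_FILES),
        "recog_files": present(DREVER_RECOG_FILES),
    }


def assess(root) -> str:
    """Summarise the finding in terms of the advisory's removal steps."""
    hits = find_drever_artifacts(root)
    if not hits["app_files"] and not hits["recog_files"]:
        return "clean"
    if hits["recog_files"]:
        # The .mdl files replaced the antivirus startup files, so deleting them
        # is not enough on its own: the antivirus has to be reinstalled.
        return "infected; antivirus startup files overwritten, reinstall antivirus after deleting"
    return "infected; app files only"


def build_constructed_sample(root, infected: bool = True) -> None:
    """Create a constructed sample tree (placeholder bytes, not real malware).

    Indicator files are written in upper case to exercise the case-insensitive match.
    """
    root = Path(root)
    benign_dir = root / "system" / "apps" / "Calendar"
    benign_dir.mkdir(parents=True, exist_ok=True)
    (benign_dir / "Calendar.app").write_bytes(b"benign placeholder")
    if infected:
        for rel in DREVER_APP_FILES + DREVER_RECOG_FILES:
            target = root.joinpath(*rel.upper().split("\\"))
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"constructed placeholder")


def run_demo() -> dict:
    """Run the check against a constructed infected copy and a constructed clean copy."""
    results = {}
    for label, infected in (("infected", True), ("clean", False)):
        with tempfile.TemporaryDirectory() as tmp:
            build_constructed_sample(tmp, infected=infected)
            results[label] = {
                "hits": find_drever_artifacts(tmp),
                "assessment": assess(tmp),
            }
    return results


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

To use it on a real copy, call `assess("/path/to/copied/C_drive")`; the demo only shows the two outcomes on constructed trees. The script reports and does not delete anything, so the advisory's deletion and reinstall steps remain the operator's decision.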

But perhaps more importantly, I'm interested in the psychology / social engineering like where did it come from and how did they trick you into running it?

Well, I initially thought it came from GetJar (if you don't want me putting the site then just take it out, admins) when I installed a game, but now I'm not so sure. I was installing a few things around that time, one of them being F-Secure Mobile, which I got through a third-party site. Many third-party sites carry F-Secure Mobile, such as Joiku, My-Symbian, Geekzone, Softpedia etc. (although I cannot remember which site I had used and I am in no way stating that it was one of the sites previously mentioned; I'm merely using them as examples).

I would assume it came packaged within F-Secure, as that would make the most sense, but I'm not 100% on that one. I doubt I will remember, as this happened some time ago now, sorry guys.

There's an irony to getting a virus from a virus protection download. 😉

Although this virus, in this case, seems to only be looking to take the wall down rather than actually do any other damage... which sounds a bit random... surely if it was looking to take out the virus protection it could have a call-home option or be expecting more packets from somewhere with more malicious intentions.

Anyway, at least you sorted it waxup. Thanks for the updates.