Microcap & Penny Stocks : TGL WHAAAAAAAT! Alerts, thoughts, discussion.

To: Jim Bishop who started this subject
Date: 6/16/2004 11:28:03 AM
From: jmhollen
 
FYI: Mobile users: Beware of Cabir

Chennai, June 16. Mobile users beware. The first virus has attacked your instruments and you are now as vulnerable as PC users.

Here is a detailed note on Cabir, the virus that infects mobile phones, though it has currently been diagnosed as being non-lethal.

This entire note has been sourced from the anti-virus and IT security firm F-Secure.

NAME: Cabir
ALIAS: EPOC/Cabir.A, Worm.Symbian.Cabir.a

Cabir is a Bluetooth-using worm that runs on Symbian mobile phones that support the Series 60 platform.

Cabir replicates over Bluetooth connections and arrives in the phone's messaging inbox as a caribe.sis file that contains the worm. When the user clicks caribe.sis and chooses to install the SIS file, the worm activates and starts looking for new devices to infect over Bluetooth.

Please note that the Caribe worm can reach only mobile phones that support Bluetooth, have Bluetooth switched on, and are in discoverable mode.

But once the phone is infected, it will try to infect other systems even as the user tries to disable Bluetooth from system settings.

How it infects

When the user clicks on caribe.sis in the phone's messaging inbox, the phone will display a warning dialog.

If the user clicks yes, the phone will ask the normal installation question.

If the user clicks yes, the Cabir worm will activate and show a dialog that contains the name that the virus author wants to give to the worm and the author's initial as and group initial 29A.

Details

Cabir replicates over Bluetooth in a caribe.sis file that contains the worm's main executable caribe.app, the system recognizer flo.mdl and the resource file caribe.rsc. The SIS file contains autostart settings that will automatically execute caribe.app after the SIS file is installed.

When the caribe.sis file is installed, the installer will copy the worm executables into the following locations:

c:\system\apps\caribe\caribe.rsc
c:\system\apps\caribe\caribe.app
c:\system\apps\caribe\flo.mdl

When caribe.app is executed, it copies the following files:

flo.mdl to c:\system\recogs
caribe.app to c:\system\symbiansecuredata\caribesecuritymanager\
caribe.rsc to c:\system\symbiansecuredata\caribesecuritymanager\

This is most likely done in case the user installs the application to a memory card.

Then the worm will recreate the caribe.sis file from worm component files and data blocks that are in caribe.app.

After recreating the caribe.sis file, the worm starts to look for all visible Bluetooth devices and sends the SIS file to them.

Disinfection

F-Secure Anti-Virus for Symbian 60 series will detect Cabir and delete the worm components. After deleting the worm files, you can delete the directory c:\system\symbiansecuredata\caribesecuritymanager\

Or you can disinfect the system manually by deleting these files:

c:\system\apps\caribe\caribe.rsc
c:\system\apps\caribe\caribe.app
c:\system\apps\caribe\flo.mdl
c:\system\recogs\flo.mdl
c:\system\symbiansecuredata\caribesecuritymanager\caribe.app
c:\system\symbiansecuredata\caribesecuritymanager\caribe.rsc

Detection

Detection for this malware was published on June 15th, 2004 in the following F-Secure Anti-Virus updates:

[FSAV_Database_Version]

Version=2004-06-15_01

Detection for F-Secure Anti-Virus for Symbian series 60 has been published at 11:55 on June 15th, 2004 in database build number 7.

hinduonnet.com
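
The file locations in the note above separate two stages: what the SIS installer drops, and what caribe.app copies once it runs. The following is an added example, not part of the original post or F-Secure's tooling, that triages a file listing exported from a phone on that basis. It assumes the listing is a plain list of path strings, that paths compare case-insensitively, and that install-stage files may sit on any drive letter (the memory-card case the note mentions).

```python
import re

# Artifact paths as listed in the F-Secure note quoted in the post.
INSTALL_STAGE = (
    r"\system\apps\caribe\caribe.rsc",
    r"\system\apps\caribe\caribe.app",
    r"\system\apps\caribe\flo.mdl",
)
EXECUTED_STAGE = (
    r"c:\system\recogs\flo.mdl",
    r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.app",
    r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.rsc",
)
LEFTOVER_DIR = r"c:\system\symbiansecuredata\caribesecuritymanager"

def normalize(path):
    """Lower-case, use backslashes, drop surrounding space and trailing slash."""
    return path.strip().replace("/", "\\").lower().rstrip("\\")

def triage(listing):
    """Classify a device file listing (iterable of path strings)."""
    seen = {normalize(p) for p in listing if p.strip()}
    # Assumption: install-stage files may be on any drive (memory card),
    # so the drive letter is ignored when matching them.
    installed = sorted(p for p in seen
                       if re.sub(r"^[a-z]:", "", p) in INSTALL_STAGE)
    executed = sorted(p for p in seen if p in EXECUTED_STAGE)
    # "executed": copies made by caribe.app are present; "installed": only
    # the files dropped by the SIS installer were found.
    verdict = "executed" if executed else "installed" if installed else "clean"
    has_dir = any(p == LEFTOVER_DIR or p.startswith(LEFTOVER_DIR + "\\")
                  for p in seen)
    return {
        "verdict": verdict,
        "delete_files": installed + executed,
        "delete_dir": LEFTOVER_DIR if has_dir else None,
    }

# Constructed sample listing (not taken from a real device).
SAMPLE = [
    "C:\\System\\Apps\\Caribe\\caribe.app",
    "C:\\System\\Apps\\Caribe\\flo.mdl",
    "C:/system/recogs/FLO.MDL",
    "C:\\System\\SymbianSecuredata\\CaribeSecurityManager\\",
    "C:\\System\\Apps\\Camera\\camera.app",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```
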