THE MOBILE PHONE VIRUS IS NOW HANDLED BY MCAFEE WITH DATS 4367


Post by msc hotline sat » 15 Jun 2004, 20:54

McAfee will now handle the new mobile phone virus with DATS 4367 of 16-06-2004



http://vil.nai.com/vil/content/v_126245.htm

__________________________________________



Virus Name: Symbian/Cabir

Risk Assessment:

Corporate User: Low

Home User: Low







Virus Information

Discovery Date: 06/14/2004

Origin: Unknown

Length: 14-15kb

Type: Virus

SubType: Worm

Minimum DAT: 4367 (06/16/2004)

Updated DAT: 4367 (06/16/2004)

Minimum Engine: 4.2.40

Description Added: 06/15/2004

Description Modified: 06/15/2004 11:17 AM (PT)








Virus Characteristics:

This worm is a proof of concept. It uses Bluetooth communication to transmit itself in the form of a Symbian SIS package.



This worm should work on any Series 60 phone (Siemens, Samsung, Nokia, Sendo, Panasonic) that has Symbian OS 6.1 or higher. Propagation was confirmed on Nokia 6600.



There are two variants known with the following characteristics (size in bytes):



a: CARIBE.SIS (15,104), CARIBE.APP (11,944)

b: CARIBE.SIS (15,092), CARIBE.APP (11,932)



They have the same functionality and are only different because the shorter variant had a reference to the virus-writing group removed.



These worms are not posing any significant threat because:



Bluetooth communication is not usually enabled by default

the range of transmission is rather short which would seriously inhibit propagation

accepting Bluetooth transmission requires manual confirmation:










Symptoms

Periodic Bluetooth activity (every 15-20 seconds) originating from an infected mobile device.



There is no malicious payload (except that the worm activity seriously reduces battery life).



The worm installs the following files in SYSTEM\APPS\CARIBE and SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\ folders:



CARIBE.APP

CARIBE.RSC

CARIBE\FLO.MDL

It also leaves:



SYSTEM\INSTALL\CARIBE.SIS

SYSTEM\RECOGS\FLO.MDL

Using file manager the application can be seen when on the memory card:












Method Of Infection

When installed into phone memory (not memory card) the worm hooks into the system startup (via "Recognizer" mechanism) and always activates when a mobile device is turned on.



The worm attempts to transmit itself to any Bluetooth-enabled device within operating range. If there are several devices the worm will use the first remote device available. If the transmission is accepted (this requires a human to press "OK"!) the CARIBE.SIS package will be installed on the target device and the worm will start running.



The target device must have AVKON.LIB (Series 60 only library) installed.






Removal Instructions

If the worm is installed on to a memory card:



Remove the memory card

Reboot the device and insert the memory card

Delete directories and files mentioned above from the memory card using app manager

If the worm is installed on to an internal drive, a Symbian file manager will be required for complete removal of the worm:



Use the program manager to uninstall the worm

Reboot the device

Using file manager remove the directory and files in C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER

Delete C:\SYSTEM\RECOGS\FLO.MDL






Variants

Name Type Sub Type Differences






Aliases

Name

EPOC.Cabir (NAV)

Worm.Symbian.Cabir (AVP)







Regards



ms, 15-06-2004
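
An added example (not part of the original post or of McAfee's description): a Python script that checks a memory card mounted on a PC, or a copy of the phone's drive, for the files and folders listed in the description, and uses the listed sizes to tell variant a from variant b. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Artifact locations and sizes as listed in the description above.
WORM_DIRS = ("SYSTEM/APPS/CARIBE",
             "SYSTEM/SYMBIANSECUREDATA/CARIBESECURITYMANAGER")
WORM_FILES = ("SYSTEM/INSTALL/CARIBE.SIS", "SYSTEM/RECOGS/FLO.MDL")
VARIANT_SIZES = {("CARIBE.SIS", 15104): "a", ("CARIBE.APP", 11944): "a",
                 ("CARIBE.SIS", 15092): "b", ("CARIBE.APP", 11932): "b"}


def scan(root):
    """Walk a mounted card or drive copy and report Cabir artifacts.

    Names are compared upper-cased because Symbian file names are not
    case-sensitive, while the host file system may be.
    """
    found, variants = [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").upper()
            in_worm_dir = any(rel.startswith(d + "/") for d in WORM_DIRS)
            if in_worm_dir or rel in WORM_FILES:
                found.append(rel)
                key = (rel.rsplit("/", 1)[-1], os.path.getsize(full))
                if key in VARIANT_SIZES:
                    variants.add(VARIANT_SIZES[key])
    return {"artifacts": sorted(found), "variants": sorted(variants)}


def demo():
    """Scan a constructed tree: zero-filled files, variant b sizes, mixed case."""
    sample = {"System/Apps/Caribe/caribe.app": 11932,
              "System/Apps/Caribe/caribe.rsc": 64,      # size is arbitrary
              "System/Install/caribe.sis": 15092,
              "System/Recogs/flo.mdl": 32,              # size is arbitrary
              "System/Apps/Camera/camera.app": 11932}   # unrelated, same size
    with tempfile.TemporaryDirectory() as root:
        for rel, size in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"\0" * size)
        return scan(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A size match only suggests which variant is present; the file paths are the primary indicator, and an empty result does not replace a scan with the updated DAT.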
