  1. #1

    BE AWARE of the Symbian OS Virus - Caribe.sis/Cabir.sis


    SymbOS.Cabir
    Discovered on: June 14, 2004
    Last Updated on: January 10, 2005 12:53:23 PM

    SymbOS.Cabir is a proof-of-concept worm that replicates on Series 60 phones.

    This worm repeatedly sends itself to the first Bluetooth-enabled device that it can find, regardless of the type of device. For example, even a Bluetooth-enabled printer will be attacked if it is within range.

    The worm spreads as a .SIS file, which is installed into the APPS directory. There is no payload, apart from the vastly shortened battery life caused by the constant scanning for Bluetooth-enabled devices.


    Also Known As: EPOC.Cabir, Worm.Symbian.Cabir.a [Kaspersky], Cabir [F-Secure], EPOC/Cabir.A [Computer Associates], Symb/Cabir-A [Sophos], EPOC_CABIR.A [Trend], Symbian/Cabir [McAfee]


    If you encounter this problem, pm me, will be glad to help..

    It happened to my cellphone last week, sob

    but it's okay now..

  2. #2

    BE AWARE of the Symbian OS Virus - Caribe.sis/Cabir.sis

    Virus Characteristics:
    -- Update 10 December 2004 --

    Several new variants were discovered. They were distributed in two SIS files - "OIDI500.SIS" (9,871 bytes) and "Norton AntiVirus 2004 Professional.SIS" (99,413 bytes). The first package installs old SymbOS/Cabir.b variant. The second is a multi-dropper. It installs 4 different applications on a mobile device by dropping 3 SIS packages (that contain 3 virus variants, one of which is old .b variant) and several identical applications containing another new virus variant. Here are the names and sizes of dropped files:

    b: COMCODER.SIS (15,092) CARIBE.APP (11,932)
    c: IMAGES01.SIS,002.SIS (15,092) MYTITI.APP (11,932)
    d: (YUAN).APP, FILE.APP, SYSTEMEX.APP, SMARTFIL.APP, FEXPLORE.APP, SMARTMOVE.APP (all identical - 11,932 bytes)
    e: AUTOEXEC.SIS (15,092) NI_AI-.APP (11,932)


    The system hook (FLO.MDL of 2,544 bytes in size) is used to hook into the startup sequence of the infected mobile device. Virus modifies "C:\SYSTEM\SYMBIANSECUREDATA" contents - for details please refer to the removal section.

    --

    This worm is a proof of concept. It uses Bluetooth communication to transmit itself in the form of a Symbian SIS package from one mobile phone to another. The worm will only work on 'Series60' mobile devices. Propagation was confirmed on Nokia 3650, 6600 and N-Gage.

    There are two variants known with the following characteristics (size in bytes):

    a: CARIBE.SIS (15,104) CARIBE.APP (11,944)
    b: CARIBE.SIS (15,092), CARIBE.APP (11,932)

    They have the same functionality and are only different because the shorter variant had a reference to the virus-writing group removed.

    These worms do not pose any significant threat because:

    Bluetooth communication is not usually enabled by default (set to "undiscoverable")
    the range of transmission is rather short which would seriously inhibit propagation
    standard Bluetooth pairing mechanism applies (so any non-paired devices need PIN for access)
    CARIBE.SIS installation file is not signed so the dialog box appears when the worm is sent:

    http://vil.nai.com/images/126245f.jpg

    User is prompted to install the worm too:

    http://vil.nai.com/images/126245b.jpg

    Symptoms
    Periodic Bluetooth activity (every 15-20 seconds) originating from an infected mobile device.

    There is no malicious payload. The worm, however, seriously reduces battery life. It also monopolizes the phone's Bluetooth subsystem, denying access to legitimate transfers involving the infected device.

    The SIS package installs the following files in SYSTEM\APPS\CARIBE:

    CARIBE.APP (11,944 or 11,932 bytes)
    CARIBE.RSC (44 bytes)
    FLO.MDL (2,544 bytes)
    When the worm activates it copies these files into a hidden directory SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\.

    Two more files appear on the system:

    SYSTEM\INSTALL\CARIBE.SIS (SIS installer metafile, 572 bytes)
    SYSTEM\RECOGS\FLO.MDL (boot hook)
    Worm runs immediately after installation (even if the boot hook does not work on a particular 'Series60' phone):

    http://vil.nai.com/images/126245a.jpg

    Method Of Infection
    When the worm is installed it launches automatically. The worm also hooks into the system boot sequence (via "MIME Recognizer" mechanism) so that it activates when a mobile device is turned on and displays a message box:

    http://vil.nai.com/images/126245g.jpg

    The worm attempts to connect to RFCOMM port number 9 which corresponds to "OBEX Object Push" profile on Nokia 'Series60' devices. It does not use SDP protocol to verify the location of the service so it will fail to successfully transmit itself to Bluetooth devices from other manufacturers (even those capable of OBEX transfers).

    If the transmission is accepted (this requires a human to press "OK"!) the CARIBE.SIS package will be installed on the target device and the worm will start running.

    For the worm to operate the device must have AVKON.DLL (standard 'Series60' only library) installed. For other Symbian OSes the library name is EIKON.DLL and that is why the worm will only operate on 'Series60' devices.



    Removal Instructions
    Variants A-B

    Clean up steps require that a third party file manager application capable of reading and writing to the system directories be installed on the phone.

    Note that on Nokia 6600 (and possibly other Series 60 2.x devices), the boot hook does not work. On these devices the worm can be rendered inert simply by rebooting and uninstalling the application. The infected files will be left on the drive but they cannot be executed in such a state.

    To remove the worm the following steps can be taken:

    1. Using a file manager remove the boot hook C:\SYSTEM\RECOGS\FLO.MDL
    2. Reboot the device
    3. Use the "Manager" application to uninstall the "Caribe" application
    4. Using a file manager remove all files from C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER


    Variants C-E

    For variants C, D and E the folders to be cleaned within C:\SYSTEM\SYMBIANSECUREDATA\ are:

    c: MYTITISECURITYMANAGER
    d: [YUAN]SECURITYMANAGER
    e: ni&ai-SECURITYMANAGER


    Variants L-T

    Removing these variants requires a third party file manager application capable of reading and writing to the system directories to be installed on the device.

    Note that on the Nokia 6600 (and possibly other Series 60 2.x devices), the worm's boot hook does not work. On these devices, the worm can be rendered inert simply by rebooting and uninstalling the application. The infected files will be left on the drive, but they cannot be executed in such a state.

    The following instructions apply to variants L through T. Where (variant specific) is mentioned, please refer to the filenames listed in the characteristics section specific to the variant that has infected your device.

    1. Using a file manager, delete the (variant specific) .MDL file located in the folder System\recogs
    2. Reboot the device
    3. Using a file manager, delete the directory System\apps\(variant specific) and all of its files




    Aliases
    Name
    Caribe.sis
    EPOC.Cabir (NAV)
    EPOC_CABIR (Trend)
    Symbian.Cabir.gen
    Symbian/Cabir.a
    Symbian/Cabir.b
    Symbian/Cabir.rsc
    Worm.Symbian.Cabir (AVP)
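
A defender's triage helper added for this thread (not code from either vendor writeup): given a file listing copied off the phone's C: drive, it looks for the artifacts the characteristics and removal sections above list for variants A to E, guesses the variant from the hidden SECURITYMANAGER folder and the .APP size, and emits the cleanup steps in the order given above. The sample listing is constructed; variants L to T are not handled because their filenames are not listed here.

```python
# Hidden folder created under SYSTEM\SYMBIANSECUREDATA\ per variant (from the removal section).
HIDDEN_DIRS = {"CARIBESECURITYMANAGER": "a/b", "MYTITISECURITYMANAGER": "c",
               "[YUAN]SECURITYMANAGER": "d", "NI&AI-SECURITYMANAGER": "e"}
APP_SIZES = {11944: "a", 11932: "b"}          # CARIBE.APP sizes quoted for variants a and b
BOOT_HOOK = ("SYSTEM/RECOGS/FLO.MDL", 2544)   # boot hook name and size for variants A-E

def _norm(path):
    """Drop the drive letter, use '/' and upper-case: Symbian paths are case-insensitive."""
    p = path.replace("\\", "/")
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p.strip("/").upper()

def triage(listing):
    """listing: {path: size in bytes} of the phone's C: drive. Returns the variant guess,
    whether the boot hook is present, hidden folders found, and ordered cleanup steps."""
    hidden, app_sizes, boot_hook = set(), set(), False
    for raw, size in listing.items():
        path = _norm(raw)
        parts = path.split("/")
        if parts[:2] == ["SYSTEM", "SYMBIANSECUREDATA"] and len(parts) > 2 and parts[2] in HIDDEN_DIRS:
            hidden.add(parts[2])
        if parts[:2] == ["SYSTEM", "APPS"] and path.endswith(".APP") and size in APP_SIZES:
            app_sizes.add(size)
        if (path, size) == BOOT_HOOK:
            boot_hook = True
    variant = None
    if hidden:
        variant = "/".join(sorted(HIDDEN_DIRS[d] for d in hidden))
        if variant == "a/b" and len(app_sizes) == 1:   # tell a from b by the .APP size
            variant = APP_SIZES[app_sizes.pop()]
    elif boot_hook:
        variant = "unknown (FLO.MDL boot hook present)"
    # Order matters: the hook must go before the reboot, or the worm restarts at boot.
    steps = []
    if boot_hook:
        steps.append("Delete C:\\SYSTEM\\RECOGS\\FLO.MDL with a file manager")
    if variant:
        steps += ["Reboot the device", "Uninstall the worm's application with the Manager application"]
    steps += ["Delete everything under C:\\SYSTEM\\SYMBIANSECUREDATA\\" + d for d in sorted(hidden)]
    return {"variant": variant, "boot_hook": boot_hook, "hidden_dirs": sorted(hidden), "steps": steps}

# Constructed sample listing: a variant-a infection plus one benign application.
SAMPLE = {
    r"C:\SYSTEM\APPS\CARIBE\CARIBE.APP": 11944,
    r"C:\SYSTEM\RECOGS\FLO.MDL": 2544,
    r"C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP": 11944,
    r"C:\SYSTEM\APPS\CALENDAR\CALENDAR.APP": 40000,
}
```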

  3. #3
    Posted by muzikfreakah

    BE AWARE of the Symbian OS Virus - Caribe.sis/Cabir.sis

    I was having a haircut once just a day before Valentine's, at Crossroads, when suddenly I kept receiving this; I just kept rejecting it. I was the only one left in the salon and the rest were employees. Bluetooth has a short range so it would be impossible for it to come from outside, but there was no one inside who had Bluetooth; I asked everyone because I wanted to tell that person he was sending out a virus.

    Anyways, there is a new virus now for the phone with no cure, something like "Skull of death", worse than the Cabir..
    The Wonder Pets of a Reptile Addict.

    www.mytechisland.com

  4. #4

    BE AWARE of the Symbian OS Virus - Caribe.sis/Cabir.sis

    Good for you Ry..

    I was hit by this Cabir thing so I posted this for everybody to know..

    I was in the office and this file prompted on my cell and asked if I wanted to install, so I did because I was thinking there was nobody using Bluetooth near me, and the only thing I'm using Bluetooth for was to transfer files/pics to my PDA.. At first I thought it was the battery that had a problem, but when I replaced it with my spare one, it did the same; it drains all the battery power in just minutes!

  5. #5

    BE AWARE of the Symbian OS Virus - Caribe.sis/Cabir.sis

    Quote Originally Posted by Ryan@ARCtech
    Anyways, there is a new virus now for the phone with no cure, something like "Skull of death", worse than the Cabir..

    Ry, what are the characteristics of this?

  6. #6
    Posted by muzikfreakah

    BE AWARE of the Symbian OS Virus - Caribe.sis/Cabir.sis

    not sure yet but there is said to be no cure
    The Wonder Pets of a Reptile Addict.

    www.mytechisland.com

  7. #7

    BE AWARE of the Symbian OS Virus - Caribe.sis/Cabir.sis

    Quote Originally Posted by Ryan@ARCtech
    not sure yet but there is said to be no cure

    Got infected? Click here.

  8. #8

    BE AWARE of the Symbian OS Virus - Caribe.sis/Cabir.sis

    Hahahah! I got hit by that CARIBE virus too. ^_^ My 7610 and 7650 were infected. So annoying. Anyway, thanks for the info. It really worked. Good thing my P910i is not a Series 60 phone.... it would surely have been infected too. ^_^

  9. #9

    Re: BE AWARE of the Symbian OS Virus - Caribe.sis/Cabir.sis

