SymbOS/Mabir.A!worm - Released Apr 07, 2005 - Last Updated Mar 13, 2007
Aliases: Symb/Mabir-A [Sophos], SymbOS.Mabir.A [NAV], SymbOS/Mabir.a!sis [McAfee], SymbOS/Mabir.A!worm, SYMBOS_MABIR.A [Trend], Worm.SymbOS.Cabir.k [KAV]
Visible Symptoms
- When this threat is received by an applicable Series 60 phone running
Symbian OS version 6 [or higher], a prompt is displayed asking the recipient
if they want to install "Caribe", similar to this message:

    Do you want to install Caribe?
    [ Yes ]   [ No ]

- An infected phone may experience rapid battery power loss due to the
constant efforts by the virus to infect other phones via a Bluetooth
seek-and-connect outreach.
- Creation of these files in the relative system path on an infected
phone:
\system\apps\caribe\caribe.app
\system\apps\caribe\caribe.rsc
\system\apps\caribe\flo.mdl
\system\recogs\flo.mdl
Detailed Analysis
This virus's code resembles that of Comwar. It is a virus for Series 60 type
cell phones running Symbian OS version 6 [or higher], such as Nokia
among other brands. The object of the virus is to spread to other phones
using Bluetooth as a transport avenue. Targets are selected from the
contact list of the infected phone and are also sought by searching via
Bluetooth for other Bluetooth-enabled devices (phones, printers, gaming
devices etc.) in the proximity of the infected phone.
Initially upon installing itself (after the recipient grants authorization
to receive and run the "application"), the virus copies itself to the
following files:

    \system\apps\caribe\caribe.app    14,440 bytes   virus
    \system\apps\caribe\caribe.rsc        44 bytes   resource file
    \system\apps\caribe\flo.mdl        2,540 bytes   virus loader
    \system\recogs\flo.mdl             2,540 bytes   virus loader
The "recogs" folder commonly stores programs known as "recognizers".
The recognizer in this case is "flo.mdl".

Load at phone bootup
When the phone powers on, the loader runs Mabir as "caribe.app"
from its installed location. Mabir then reads the phone's contact list
and attempts to send itself using SMS.

Bluetooth distribution
The virus also has the ability to seek Bluetooth-enabled devices. Devices
found could receive numerous messages asking to install "Caribe".
The request is persistent and annoying. It is important to note that phones
that have not been configured to allow connection via this seek-and-find
method are not susceptible to this attack.
Recommended Action
- Delete all modules related to this virus from the infected device:
\system\apps\caribe\caribe.app
\system\apps\caribe\caribe.rsc
\system\apps\caribe\flo.mdl
\system\recogs\flo.mdl
\system\symbiansecuredata\caribesecuritymanager\info.sis
\system\symbiansecuredata\caribesecuritymanager\caribe.sis
\system\symbiansecuredata\caribesecuritymanager\caribe.app
\system\symbiansecuredata\caribesecuritymanager\caribe.rsc
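As an added example (not part of this advisory), a small Python triage routine that checks an exported phone file listing against the file paths and sizes named above, and reports whether the recognizer copy that reloads the virus at power-on is present; the listing format and the sample entries are constructed assumptions.

```python
# Indicator set from the advisory: path -> (size in bytes, role). Symbian paths are
# case-insensitive, so everything is compared lower-case.
MABIR_FILES = {
    r"\system\apps\caribe\caribe.app": (14440, "virus"),
    r"\system\apps\caribe\caribe.rsc": (44, "resource file"),
    r"\system\apps\caribe\flo.mdl": (2540, "virus loader"),
    r"\system\recogs\flo.mdl": (2540, "virus loader (recognizer, runs at power-on)"),
}
# Installer leftovers named under Recommended Action: flag anything in this directory.
MABIR_INSTALL_DIR = r"\system\symbiansecuredata\caribesecuritymanager"


def normalize(path):
    """Lower-case, force backslashes and strip a leading drive letter such as C: or E:."""
    p = path.replace("/", "\\").lower()
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p


def triage_listing(listing):
    """listing: iterable of (path, size_in_bytes) tuples, e.g. a file manager export.
    Returns one finding per matching entry; size_match is None for installer leftovers."""
    findings = []
    for path, size in listing:
        norm = normalize(path)
        if norm in MABIR_FILES:
            expected, role = MABIR_FILES[norm]
            findings.append({"path": path, "role": role, "size_match": size == expected})
        elif norm.startswith(MABIR_INSTALL_DIR + "\\"):
            findings.append({"path": path, "role": "installer leftover", "size_match": None})
    return findings


def boot_persistence_present(findings):
    """True when the recogs copy of flo.mdl is present, so Mabir reloads at power-on."""
    return any("recognizer" in f["role"] for f in findings)


# Constructed sample listing (hypothetical data, not taken from a real device).
SAMPLE_LISTING = [
    (r"C:\System\Apps\Caribe\caribe.app", 14440),
    (r"C:\System\Apps\Caribe\caribe.rsc", 44),
    (r"C:\System\Apps\Caribe\flo.mdl", 2540),
    (r"C:\System\Recogs\flo.mdl", 2540),
    (r"C:\System\SymbianSecureData\CaribeSecurityManager\caribe.sis", 15000),
    (r"C:\System\Apps\Calendar\calendar.app", 20480),
]
```

A size mismatch on one of the four core files does not clear the device; it only means the sample differs from the one the advisory measured, so the path match alone should still trigger cleanup.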