SymbOS/Cabir.A!worm

Aliases: Caribe.sis, Symb/Cabir-B [Sophos], SymbOS.Cabir [NAV], SymbOS.Worm.Cabir.A [ClamAV], SymbOS/Cabir, SymbOS/Cabir!ezboot [McAfee], SymbOS/Cabir.A!worm, SymbOS/Cabir.A-net, SymbOS/Cabir.A-tr, SymbOS/Cabir.A-wm, SymbOS_Cabir.A [Trend], Worm.Symbos.Cabir.A [Bit
Release Date: Jun 14, 2004

Detection Availability (Active Database / Extended Database)
FortiGate: low / high
FortiClient:
FortiMail: N/A
Current Antivirus Definition Database Version: 12.338
Description

Visible Symptoms

  • Installation of a module "caribe.app" onto the compromised phone from the installation package "caribe.sis"

  • Receiving an application from an infected device is a manual process - a confirmation is required


Detailed Analysis

Specifics
This proof-of-concept virus is coded for Series 60 phones (such as the Nokia 3620/3660/6600/6620 and others) using Bluetooth technology. It is written for Symbian OS and is designed to load at phone boot and send itself to available devices over Bluetooth. Because it sends itself as a Symbian installation file (CARIBE.SIS), the receiving phone recognizes it as an installable package.

Before the virus can successfully infect a phone, the recipient must first confirm the installation; that is, the recipient must accept the virus.


Loading At Nokia Phone Startup
When the virus is received and accepted, the phone may then begin installing the installable package file. It extracts to three files -

File          Install Location
caribe.app    \system\apps\caribe\caribe.app
flo.mdl       \system\apps\caribe\flo.mdl
caribe.rsc    \system\apps\caribe\caribe.rsc

The virus implements "EZBoot" - a method of initiating applications during the phone boot process. The virus may also copy its files to these locations -

\system\symbiansecuredata\caribesecuritymanager\caribe.app
\system\symbiansecuredata\caribesecuritymanager\caribe.rsc
\system\symbiansecuredata\caribesecuritymanager\caribe.sis
\system\recogs\flo.mdl
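The install and copy locations above are the on-device indicators a responder would look for. As an added example that is not part of the Fortinet description, the following Python function checks a device file listing against those paths, normalising case, slash direction and an optional drive letter (such as "C:") so that a listing exported from a file manager or PC suite matches regardless of how the tool formats paths. The listing below is a constructed sample, not data from a real handset.

```python
from typing import Iterable, List

# Paths listed in the description for the files installed from caribe.sis
# and for the copies the virus makes for EZBoot persistence.
CABIR_PATHS = {
    r"\system\apps\caribe\caribe.app",
    r"\system\apps\caribe\flo.mdl",
    r"\system\apps\caribe\caribe.rsc",
    r"\system\symbiansecuredata\caribesecuritymanager\caribe.app",
    r"\system\symbiansecuredata\caribesecuritymanager\caribe.rsc",
    r"\system\symbiansecuredata\caribesecuritymanager\caribe.sis",
    r"\system\recogs\flo.mdl",
}


def normalize(path: str) -> str:
    """Lower-case the path, unify slashes and strip a drive prefix like 'C:'."""
    p = path.strip().replace("/", "\\").lower()
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    if not p.startswith("\\"):
        p = "\\" + p
    return p


def find_cabir_indicators(listing: Iterable[str]) -> List[str]:
    """Return the entries of a file listing whose normalised path is a known Cabir path."""
    return [entry for entry in listing if normalize(entry) in CABIR_PATHS]


# Constructed sample listing (assumption: exported from a file manager; not a real device).
SAMPLE_LISTING = [
    r"C:\System\Apps\Caribe\caribe.app",
    r"C:\System\Apps\Caribe\flo.mdl",
    r"C:\System\Apps\Caribe\caribe.rsc",
    r"C:\System\Recogs\flo.mdl",
    r"C:\System\Apps\Calendar\calendar.app",
    "c:/system/symbiansecuredata/caribesecuritymanager/caribe.sis",
]

if __name__ == "__main__":
    for hit in find_cabir_indicators(SAMPLE_LISTING):
        print("Cabir indicator:", hit)
```

Only five of the six constructed entries match: the calendar application is benign and is skipped, while the forward-slash entry for caribe.sis is still recognised after normalisation. Matching on full paths rather than bare file names avoids flagging an unrelated file that merely shares a name.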


UI Library Implementation
The virus uses libraries from the common Symbian OS UI in order to function. These libraries include -

APPARC.DLL, APGRFX.DLL - used for Application architecture
APMIME.DLL - used as a MIME recognizer
BAFL.DLL - application utility library
BLUETOOTH.DLL - Bluetooth stack and communications
CONE.DLL, EIKCORE.DLL - user interface control and framework
EFSRV.DLL - used to serve files
EUSER.DLL - Kernel and user library
ESOCK.DLL - sockets and networking
IROBEX.DLL - (Infrared) IrDA stack
Description Last Updated Date: Jul 10, 2008
Reference: ID - 7334