
SymbOS/Cabir.E465!worm - Released Mar 30, 2009 - Last Updated Jul 07, 2009

Alias/es

SymbOS.Cabir.X

Detection Availability

              Active Database   Extended Database
FortiGate     low               high
FortiClient
FortiMail     N/A

Visible Symptoms

  • Presence of the file c:\system\apps\leslie\leslie.app.

Detailed Analysis

This is a variant of the Cabir worm, whose sole aim is to propagate from device to device via Bluetooth.

Technical details


  • The malware refers to itself as Leslie during installation, as shown in Figure 1.

    Figure 1: Installation prompt.

  • Once installed, it appears in the menu as indicated in Figure 2.

    Figure 2: Menu icon.

  • It drops the following files:
    • c:\system\apps\leslie\leslie.app
    • c:\system\apps\leslie\leslie.rsc
    • c:\system\apps\leslie\rebecca.mdl

  • To automatically start itself, the malware drops the file c:\system\recogs\rebecca.mdl.

  • Based on its code, the malware attempts to send itself via Bluetooth, as shown in Figure 3.

    Figure 3: Bluetooth infection.
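The dropped-file and autostart paths above are the indicators a responder would check for on a device image. The following is an added example, not Fortinet's code or part of the original write-up: it runs a case-insensitive match over a constructed file listing, separates the documented app files from the recognizer-directory autostart copy, and lists any other .mdl in the recogs directory for manual review (legitimate recognizers live there too). The sample listing, the function names and the treatment of forward slashes are assumptions for illustration.

```python
# Added example (not part of the Fortinet write-up): checks a device file
# listing for the files this Cabir variant is documented to drop.
from __future__ import annotations

# File paths taken from the write-up above.
DROPPED_FILES = {
    r"c:\system\apps\leslie\leslie.app",
    r"c:\system\apps\leslie\leslie.rsc",
    r"c:\system\apps\leslie\rebecca.mdl",
}
# Recognizer modules in c:\system\recogs are loaded at boot, which is how the
# worm restarts itself after a reboot.
AUTOSTART_FILE = r"c:\system\recogs\rebecca.mdl"
RECOGS_DIR = "c:\\system\\recogs\\"


def normalize(path: str) -> str:
    """Symbian paths are case-insensitive and backslash-separated; normalize both.
    Accepting forward slashes is an assumption for listings exported from other tools."""
    return path.strip().replace("/", "\\").lower()


def check_listing(listing: list[str]) -> dict[str, list[str]]:
    """Return matches found in a file listing, grouped by indicator type."""
    hits: dict[str, list[str]] = {"dropped": [], "autostart": [], "other_recognizer": []}
    known = {normalize(p) for p in DROPPED_FILES}
    autostart = normalize(AUTOSTART_FILE)
    for raw in listing:
        p = normalize(raw)
        if p in known:
            hits["dropped"].append(raw)
        elif p == autostart:
            hits["autostart"].append(raw)
        elif p.startswith(RECOGS_DIR) and p.endswith(".mdl"):
            # Not a documented indicator: a review list, not a verdict.
            hits["other_recognizer"].append(raw)
    return hits


def is_infected(listing: list[str]) -> bool:
    """True when any documented dropped file or the autostart copy is present."""
    hits = check_listing(listing)
    return bool(hits["dropped"] or hits["autostart"])


# Constructed sample listing (not captured from a real device).
SAMPLE_LISTING = [
    r"C:\System\Apps\Leslie\Leslie.app",
    r"C:\System\Apps\Leslie\leslie.rsc",
    r"C:\System\Apps\Leslie\rebecca.mdl",
    r"C:\System\Recogs\rebecca.mdl",
    r"C:\System\Recogs\someother.mdl",
    r"C:\System\Apps\Calendar\Calendar.app",
]

if __name__ == "__main__":
    for kind, paths in check_listing(SAMPLE_LISTING).items():
        for p in paths:
            print(f"{kind}: {p}")
    print("infected" if is_infected(SAMPLE_LISTING) else "clean")
```

Presence of the recogs copy alone is enough to flag the device, since that is the file that re-launches the worm at boot; the app-directory files confirm the installation.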

Recommended Action

FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 807377