SymbOS/Cabir.M!worm

Aliases: Worm.SymbOS.Cabir.m [KAV], Symb/Cabir-K [Sophos], SYMBOS_CABIR.M [Trend], SymbOS/Cabir.M worm [NOD32]
Release Date: Feb 23, 2006
Detection Availability (Active Database / Extended Database)
  FortiGate:    low / high
  FortiClient:
  FortiMail:    N/A
Current Antivirus Definition Database Version: 12.196
Description

Visible Symptoms

  • Rapid battery power loss due to repeated propagation attempts via Bluetooth.

  • Presence of the following files:
    • C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS\SPOOKY.APP
    • C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS\SPOOKY.RSC
    • C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS\SPOOKY.MBM
    • C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS\INBOX.SIS
    • C:\SYSTEM\RECOGS\NAVRECOG.MDL
    • C:\SYSTEM\APPS\spooky\navrecog.mdl
    • C:\SYSTEM\APPS\spooky\spooky.mbm
    • C:\SYSTEM\APPS\spooky\spooky.app
    • C:\SYSTEM\APPS\spooky\spooky.rsc
  • The picture shown in Figure 1 below is displayed upon installation.

    Figure 1: Post-install display (note: we blurred it on purpose)

Detailed Analysis

This variant of Cabir is similar to SymbOS/Cabir.A!worm.

However, the installation paths below are specific to this variant:
C:\SYSTEM\APPS\spooky
C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS
Note the attempt to disguise the worm as an antivirus product (the second directory mimics a Symantec Norton AntiVirus install path).
Finally, the picture spooky.mbm (Fig. 1 above) is displayed upon successful installation, to allay the infected user's suspicion.
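One way to check a phone backup or drive copy for these drop locations, as an added example that is not part of the Fortinet page: the Python script below takes the file paths listed under Visible Symptoms and the two directories named above as indicators, normalizes paths to the case-insensitive backslash form Symbian uses, and reports which indicators are present, plus any unlisted file sitting under one of the drop directories. The sample listing inside it is constructed for demonstration; the scanner is a triage aid, not a replacement for the FortiGate/FortiClient signature.

```python
"""Check a Symbian file listing for the SymbOS/Cabir.M drop locations.

Added example, not code from the Fortinet page. Indicators are the paths
listed under "Visible Symptoms" and "Detailed Analysis" above. Input is
either a list of path strings (e.g. from a backup manifest) or a directory
tree copied off the phone's C: drive. SAMPLE_LISTING is constructed.
"""
from __future__ import annotations

import os

# File indicators from the "Visible Symptoms" list. Symbian paths are
# case-insensitive and use backslashes, so comparison is done on a
# normalized upper-case, backslash form.
CABIR_M_FILES = [
    r"C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS\SPOOKY.APP",
    r"C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS\SPOOKY.RSC",
    r"C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS\SPOOKY.MBM",
    r"C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS\INBOX.SIS",
    # A .mdl under \SYSTEM\RECOGS is a Symbian recognizer plugin, which the
    # OS loads at boot; its presence here is the most telling indicator.
    r"C:\SYSTEM\RECOGS\NAVRECOG.MDL",
    r"C:\SYSTEM\APPS\spooky\navrecog.mdl",
    r"C:\SYSTEM\APPS\spooky\spooky.mbm",
    r"C:\SYSTEM\APPS\spooky\spooky.app",
    r"C:\SYSTEM\APPS\spooky\spooky.rsc",
]

# Directory indicators from "Detailed Analysis": anything under these is suspect.
CABIR_M_DIRS = [
    r"C:\SYSTEM\APPS\spooky",
    r"C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS",
]


def normalize(path: str) -> str:
    """Canonical form for comparison: backslashes, upper case, no trailing slash."""
    return path.strip().replace("/", "\\").rstrip("\\").upper()


def scan_listing(paths):
    """Return (matched_files, matched_dirs, extra_files), all sorted lists.

    matched_files: indicator paths present in the listing.
    matched_dirs:  indicator directories with at least one entry beneath them.
    extra_files:   entries under an indicator directory that are not in the
                   indicator list (worth a manual look: a repack may rename files).
    """
    wanted = {normalize(p) for p in CABIR_M_FILES}
    dirs = [normalize(d) for d in CABIR_M_DIRS]
    matched_files, matched_dirs, extra_files = set(), set(), set()
    for raw in paths:
        p = normalize(raw)
        if p in wanted:
            matched_files.add(p)
        for d in dirs:
            if p.startswith(d + "\\"):
                matched_dirs.add(d)
                if p not in wanted:
                    extra_files.add(p)
    return sorted(matched_files), sorted(matched_dirs), sorted(extra_files)


def verdict(paths):
    """Summarize a scan as a dict; 'infected' is True on any indicator hit."""
    files, dirs, extra = scan_listing(paths)
    return {
        "infected": bool(files) or bool(dirs),
        "files": files,
        "dirs": dirs,
        "unlisted_under_drop_dirs": extra,
    }


def listing_from_tree(root: str, drive: str = "C:"):
    """Walk a copy of the phone's drive unpacked on a PC and yield paths in
    the Symbian form the indicators use (drive letter, backslashes)."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            yield drive + "\\" + rel.replace(os.sep, "\\")


# Constructed sample listing: two benign entries, four Cabir.M drop files
# written with mixed case and forward slashes, and one unlisted file under
# the spooky directory.
SAMPLE_LISTING = [
    r"C:\SYSTEM\APPS\Calendar\Calendar.app",
    r"C:\SYSTEM\DATA\Contacts.cdb",
    "c:/system/apps/spooky/spooky.app",
    "C:/SYSTEM/RECOGS/NAVRECOG.MDL",
    r"C:\System\Symantec\NortonAntivirus\Inbox.sis",
    r"C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS\Spooky.mbm",
    r"C:\SYSTEM\APPS\spooky\readme.txt",
]

if __name__ == "__main__":
    result = verdict(SAMPLE_LISTING)
    print("infected:", result["infected"])
    for key in ("files", "dirs", "unlisted_under_drop_dirs"):
        for item in result[key]:
            print(f"  {key}: {item}")
```

To use it on a real backup, pass `list(listing_from_tree("/path/to/unpacked/C"))` to `verdict()`. Matching is done on the full normalized path rather than the file name alone, so a legitimate `spooky.app` elsewhere would not trigger, while anything dropped inside the two disguise directories is reported even if renamed.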
Description Last Updated Date: Aug 01, 2008
Reference: ID - 156351