SymbOS/Cabir.M!worm - Released Feb 23, 2006 - Last Updated Aug 01, 2008

Alias/es

Worm.SymbOS.Cabir.m [KAV], Symb/Cabir-K [Sophos], SYMBOS_CABIR.M [Trend], SymbOS/Cabir.M worm [NOD32]

Detection Availability

              Active Database    Extended Database
FortiGate     low                high
FortiClient
FortiMail     N/A

Visible Symptoms

  • Rapid battery power loss due to repeated propagation attempts via Bluetooth.

  • Presence of the following files:
    • C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS\SPOOKY.APP
    • C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS\SPOOKY.RSC
    • C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS\SPOOKY.MBM
    • C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS\INBOX.SIS
    • C:\SYSTEM\RECOGS\NAVRECOG.MDL
    • C:\SYSTEM\APPS\spooky\navrecog.mdl
    • C:\SYSTEM\APPS\spooky\spooky.mbm
    • C:\SYSTEM\APPS\spooky\spooky.app
    • C:\SYSTEM\APPS\spooky\spooky.rsc
  • The picture shown in Figure 1 below is displayed upon installation.

Figure 1: Post-install display (note: we blurred it on purpose)

Detailed Analysis

This variant of Cabir is similar to SymbOS/Cabir.A!worm.

However, the installation paths below are specific to this variant:
  • C:\SYSTEM\APPS\spooky
  • C:\SYSTEM\SYMANTEC\NORTONANTIVIRUS
Note the attempt to disguise itself as an antivirus product.
Finally, the picture spooky.mbm (Fig 1 above) is displayed upon successful installation, in order to allay infected users' suspicion.

Recommended Action

Delete all the virus files with a file manager application, or run FortiClient Mobile Security.

Reference: ID - 156351