Computer Virus Encyclopedia

Worm.SymbOS.Cabir.k

Alert Level: Medium
Discovered: Apr 08 2005
Discoverer and Source: http://www.kaspersky.com/

Malware Behavior and Technical Description

This worm is programmed for mobile phones running Symbian OS.

The worm itself is an SIS file named caribe.sis. The file is 17596 bytes in size.

The file contains three other files:

  • caribe.app: approximately 14440 bytes in size
  • flo.mdl: approximately 2540 bytes in size
  • caribe.rsc: 44 bytes in size

Installation

When launched, the worm causes the following message to be displayed on screen:

"Caribe Version 2 - ValleZ/29a"

It then installs itself to the following directories:

c:\system\apps\caribe\caribe.app
c:\system\apps\caribe\flo.mdl
c:\system\apps\caribe\caribe.rsc

C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS
C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP
C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.RSC
C:\SYSTEM\RECOGS\FLO.MDL

C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS
C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\INFO.SIS

The SYMBIANSECUREDATA directory which the worm creates is a hidden directory, and consequently the phone owner will not be able to see it.

Even if the worm files are deleted from the APPS directory, the worm will continue to infect the system.
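The following is an added example, not part of the original description or of the vendor's tooling: a Python check that matches a file listing exported from a handset against the paths listed above, treating the hidden copies as the ones that matter once the APPS copies are gone. The "path<TAB>size" listing format, the function names and the verdict labels are assumptions made for illustration, and the sample listing is constructed.

```python
import ntpath

# Paths taken from the description above; compared case-insensitively.
APP_COPIES = {
    r"c:\system\apps\caribe\caribe.app",
    r"c:\system\apps\caribe\flo.mdl",
    r"c:\system\apps\caribe\caribe.rsc",
}
HIDDEN_COPIES = {
    r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.sis",
    r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.app",
    r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.rsc",
    r"c:\system\symbiansecuredata\caribesecuritymanager\info.sis",
    r"c:\system\recogs\flo.mdl",
}
SIS_SIZE = 17596  # size of caribe.sis stated in the description

def normalise(path):
    """Lower-case, use backslashes and collapse '.'/'..' so variants compare equal."""
    return ntpath.normpath(path.strip().replace("/", "\\")).lower()

def parse_listing(text):
    """Parse 'path<TAB>size' lines (assumed export format) into {path: size}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        path, _, size = line.partition("\t")
        entries[normalise(path)] = int(size) if size.strip().isdigit() else None
    return entries

def assess(entries):
    """Classify a listing; hidden copies alone still count as infected."""
    app = sorted(entries.keys() & APP_COPIES)
    hidden = sorted(entries.keys() & HIDDEN_COPIES)
    sis = any(p.endswith("caribe.sis") and entries[p] == SIS_SIZE for p in hidden)
    if hidden:
        verdict = "infected" if app else "infected-apps-copy-removed"
    else:
        verdict = "apps-copy-only" if app else "clean"
    return {"verdict": verdict, "app": app, "hidden": hidden, "sis_size_match": sis}

# Constructed sample: APPS copies already deleted, hidden copies still present.
SAMPLE = (
    "C:\\System\\Apps\\Camera\\Camera.app\t20480\n"
    "C:\\SYSTEM\\RECOGS\\FLO.MDL\t2540\n"
    "c:/system/symbiansecuredata/caribesecuritymanager/caribe.sis\t17596\n"
)

if __name__ == "__main__":
    print(assess(parse_listing(SAMPLE)))
```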

Propagation

Each time the user switches on the infected telephone, the worm will scan the list of active Bluetooth connections. It will then select the first connection listed as accessible, and will attempt to send the main file to the device. The recipient will see the following message:

Install Caribe?

If the recipient answers yes, then the infected file will be accepted, and the user will be asked if they wish to launch the file. (This depends on the model of the telephone - please see the description of Worm.SymbOS.Cabir.a for further details.)

In addition to this, the worm, unlike previous versions of Cabir, is able to self-replicate via MMS. It will automatically answer any incoming SMS or MMS with an MMS which includes an attached copy of the infected file.

Payload

The worm has no payload apart from being able to self-replicate. However, infected phones may become unstable due to the presence of the worm in memory and its constant scanning of the list of active Bluetooth connections.
