
Worm.SymbOS.Cabir.b

Other versions: .a, .c, .d, .k

Aliases
Worm.SymbOS.Cabir.b (Kaspersky Lab) is also known as: SymbOS.Cabir.B (Symantec), SymbOS_CABIR.A (Trend Micro), SymbOS.Worm.Caribe.A (SOFTWIN)
Detection added Nov 20 2004
Description added May 16 2007
Behavior Internet Worm

Technical details

This malicious program is a worm which runs under Symbian. The worm itself is a SIS file. The file is 10,000 bytes in size.

The file spreads via Bluetooth.

Payload

In order for a device to become infected, the user has to accept the malicious file twice:

When installing, the malicious program will display the following two messages:

During installation, the worm will drop the following files to the phone:

  • C:\system\apps\OIDI500\OIDI500.aif — is an executable EPOC file, and is 11932 bytes in size. This is the main worm file.
  • C:\system\apps\OIDI500\OIDI500.app — is a file containing program resources.
  • C:\system\apps\OIDI500\OIDI500.mdl — ensures that the malicious program will be automatically started if the device is rebooted.
  • C:\system\apps\OIDI500\OIDI500.rsc — is the application's icon file.

In order to function, the worm uses functions from the following system libraries:

AVKON.DLL
BAFL.DLL
BLUETOOTH.DLL
CONE.DLL
EFSRV.DLL
EIKCORE.DLL
ESOCK.DLL
EUSER.DLL
IROBEX.DLL

Once the malicious program has been installed, a record will appear in the device application manager indicating that a program called 3d_OIDI500 has been installed:

Once the device has been infected, a file called C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMA\CARIBE.SIS will be created. It is this file which will be transmitted in order to infect other devices.

The worm then scans for accessible devices which have Bluetooth enabled. The worm will choose the first accessible device in the list and attempt to send caribe.sis to this device.

The worm has no malicious payload apart from its propagation routine. However, the worm's presence in memory and its attempts to scan for accessible Bluetooth devices may cause an infected device to become unstable.

Removal instructions

In order to delete this malicious program, install a file manager application which provides the option to view hidden and system files. Then delete the files listed below:

C:\system\apps\OIDI500\OIDI500.aif
C:\system\apps\OIDI500\OIDI500.app
C:\system\apps\OIDI500\OIDI500.mdl
C:\system\apps\OIDI500\OIDI500.rsc
C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMA\CARIBE.SIS

Once the files have been deleted, reboot the phone.
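To confirm that the removal is complete, the same five paths can be checked in a copy of the phone's C: drive. The script below is an added example, not Kaspersky Lab's tooling. It assumes the drive contents have been copied to a directory on an analysis workstation, and its function names are hypothetical. Matching is case-insensitive because the page writes the same tree as both `C:\system` and `C:\SYSTEM`.

```python
import os
import tempfile

# Artifact paths exactly as listed on this page (relative to drive C:).
CABIR_B_ARTIFACTS = [
    r"system\apps\OIDI500\OIDI500.aif",
    r"system\apps\OIDI500\OIDI500.app",
    r"system\apps\OIDI500\OIDI500.mdl",
    r"system\apps\OIDI500\OIDI500.rsc",
    r"SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMA\CARIBE.SIS",
]

def resolve_nocase(root, rel_path):
    """Resolve a backslash path under root ignoring case; None if no such file."""
    current = root
    for part in rel_path.split("\\"):
        try:
            entries = os.listdir(current)
        except (NotADirectoryError, FileNotFoundError, PermissionError):
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current if os.path.isfile(current) else None

def scan_extraction(root):
    """Map each listed artifact to its location in the copy, or None if absent."""
    return {p: resolve_nocase(root, p) for p in CABIR_B_ARTIFACTS}

def build_sample(root):
    """Constructed sample: a partly cleaned drive copy with differing case."""
    for rel in ("System/Apps/oidi500/OIDI500.MDL",
                "System/SymbianSecureData/CaribeSecurityMa/caribe.sis",
                "System/Apps/Camera/Camera.app"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not malware")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for artifact, found in scan_extraction(tmp).items():
            print(("PRESENT " if found else "absent  ") + "C:\\" + artifact)
```

Any path reported as present means the cleanup is incomplete. A leftover OIDI500.mdl matters most, since the page describes it as the file that restarts the worm after a reboot.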

 
