Worm.SymbOS.Cabir.c

Other versions: .a, .b, .d, .k

Aliases
Worm.SymbOS.Cabir.c (Kaspersky Lab) is also known as: SymbOS.Cabir.B (Symantec), Symb/Cabir-B (Sophos), SymbOS_CABIR.A (Trend Micro), SymbOS.Worm.Cabir.G (SOFTWIN), SymbOS/Cabir.C.worm (Panda)
Detection added Dec 01 2004
Description added May 29 2007
Behavior Internet Worm

Technical details

This malicious program is a worm which runs under Symbian. The worm itself is a SIS file. The file is 13,200 bytes in size.

It spreads via Bluetooth.

Payload

In order for a device to become infected, the user has to accept the malicious file twice:

When the malicious program is being installed, two messages will be displayed on the device's screen:

During installation, the program will drop the following files to the smartphone:

  • C:\SYSTEM\apps\caribe\CARIBE.APP — APP is an executable EPOC file, and is 11,932 bytes in size. This is the main worm file.
  • C:\SYSTEM\apps\caribe\CARIBE.RSC — is the worm's resource file.
  • C:\SYSTEM\apps\caribe\FLO.MDL — ensures that the malicious program will be automatically started if the device is rebooted.
  • C:\SYSTEM\apps\CamTimer\camtimer.app
    C:\SYSTEM\apps\CamTimer\camtimer.rsc

An icon for "CamTimer" will appear in the smartphone's menu, and a record for a program called "CAMTIMER" will appear in the smartphone's Application Manager.

In order to function, the worm uses functions from the following system libraries:

BAFL.DLL
BLUETOOTH.DLL
CONE.DLL
EFSRV.DLL
EIKCORE.DLL
ESOCK.DLL
EUSER.DLL
IROBEX.DLL

Once the device has been infected, a file called C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMA\CARIBE.SIS is created. It is this file which will be transmitted in order to infect other devices.

The worm then scans for accessible devices which have Bluetooth enabled. The worm will choose the first accessible device in the list and attempt to send "caribe.sis" to this device.

Apart from its propagation routine, this worm has no malicious payload. However, this worm can cause a device to become unstable due to the presence of the worm file in memory, and the constant scanning for accessible Bluetooth devices.

Removal instructions

In order to delete this malicious program, install a file manager application which provides the option to view hidden and system files. Then delete the files listed below:

C:\SYSTEM\apps\caribe\CARIBE.APP
C:\SYSTEM\apps\caribe\CARIBE.RSC
C:\SYSTEM\apps\caribe\FLO.MDL
C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS
C:\SYSTEM\apps\CamTimer\camtimer.app
C:\SYSTEM\apps\CamTimer\camtimer.rsc

Once you have done this, reboot the device.
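
The following is an added example, not part of the original description: a Python check that compares a file listing exported from a device against the files named above, to confirm an infection or to verify that removal left nothing behind. The function names, the listing format (path, size in bytes) and the sample listing are assumptions made for this illustration.

```python
import ntpath

# Paths and roles are those listed in the description above; the only size the
# description gives for a dropped file is CARIBE.APP (11,932 bytes).
ARTIFACTS = {
    r"C:\SYSTEM\apps\caribe\CARIBE.APP": ("main worm file", 11932),
    r"C:\SYSTEM\apps\caribe\CARIBE.RSC": ("worm resource file", None),
    r"C:\SYSTEM\apps\caribe\FLO.MDL": ("restart after reboot", None),
    r"C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS":
        ("copy sent to other devices", None),
    r"C:\SYSTEM\apps\CamTimer\camtimer.app": ("CamTimer application", None),
    r"C:\SYSTEM\apps\CamTimer\camtimer.rsc": ("CamTimer resource file", None),
}

def _norm(path):
    # Assumption: listings may differ in case and slash style between tools.
    return ntpath.normpath(path.replace("/", "\\")).lower()

_INDEX = {_norm(p): (p, role, size) for p, (role, size) in ARTIFACTS.items()}

def scan_listing(listing):
    """listing: iterable of (path, size_in_bytes). Returns (findings, absent)."""
    findings = []
    for path, size in listing:
        hit = _INDEX.get(_norm(path))
        if hit is None:
            continue
        canonical, role, expected = hit
        findings.append({
            "path": canonical,
            "role": role,
            # None = no size published; False = size differs from the description.
            "size_matches": None if expected is None else size == expected,
        })
    present = {f["path"] for f in findings}
    absent = [p for p in ARTIFACTS if p not in present]
    return findings, absent

def removal_complete(listing):
    """True when none of the listed files remain on the device."""
    return not scan_listing(listing)[0]

# Constructed sample listing (not taken from a real device).
SAMPLE_LISTING = [
    ("c:/system/apps/caribe/caribe.app", 11932),
    ("C:\\System\\Apps\\caribe\\flo.mdl", 2544),
    ("C:\\SYSTEM\\apps\\CamTimer\\camtimer.app", 4096),
    ("C:\\SYSTEM\\apps\\Calendar\\calendar.app", 20480),
]
```
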

 

Copyright © 1996 - 2009
Kaspersky Lab
All rights reserved