
Worm.SymbOS.Cabir.k

Other versions: .a, .b, .c, .d

Aliases
Worm.SymbOS.Cabir.k (Kaspersky Lab) is also known as: SymbOS/Mabir.a!app (McAfee), SymbOS.Mabir.A (Symantec), Symb/Mabir-A (Sophos), SYMBOS_MABIR.A (Trend Micro), SymbOS/Mabir.A (H+BEDV), SymbOS/Cabir.E (Grisoft), SymbOS.Mabir.A (SOFTWIN), SymbOS.Worm.Caribe.A (ClamAV), SymbOS/Cabir.J.worm (Panda), SymbOS/Cabir.K (Eset)

Detection added: Apr 04 2005 08:13 GMT
Description added: Apr 08 2005
Behavior: Internet Worm

Technical details

This worm is programmed for mobile phones running Symbian OS.

The worm itself is an SIS file named caribe.sis. The file is 17596 bytes in size.

The file contains three other files:

  • caribe.app: approximately 14440 bytes in size
  • flo.mdl: approximately 2540 bytes in size
  • caribe.rsc: 44 bytes in size

Installation

When launched, the worm causes the following message to be displayed on screen:

"Caribe Version 2 - ValleZ/29a"

It then installs itself to the following directories:

c:\system\apps\caribe\caribe.app
c:\system\apps\caribe\flo.mdl
c:\system\apps\caribe\caribe.rsc

C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS
C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP
C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.RSC
C:\SYSTEM\RECOGS\FLO.MDL

C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS
C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\INFO.SIS

The SYMBIANSECUREDATA directory, which the worm creates, is a hidden directory, so the phone owner will not be able to see it.

Even if the worm files are deleted from the APPS directory, the worm will continue to infect the system.
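
An added example, not part of the original description: a Python triage of a handset file listing against the paths listed above, flagging the case where the APPS copy is gone but other copies remain. The listing format, the role names, case-insensitive matching, and treating the SYMBIANSECUREDATA and RECOGS copies as the leftovers are assumptions of this example.

```python
from pathlib import PureWindowsPath

# Paths from the description above; the role names are this example's own.
APPS = "c:\\system\\apps\\caribe\\"
HIDDEN = "c:\\system\\symbiansecuredata\\caribesecuritymanager\\"
ARTIFACTS = {
    "app": [APPS + n for n in ("caribe.app", "flo.mdl", "caribe.rsc")],
    "hidden_copy": [HIDDEN + n for n in
                    ("caribe.sis", "caribe.app", "caribe.rsc", "info.sis")],
    "recogs": ["c:\\system\\recogs\\flo.mdl"],
}
SIS_SIZE = 17596  # size of caribe.sis stated in the description

def normalize(path):
    """Unify separators and case (assumes case-insensitive matching)."""
    return str(PureWindowsPath(path.strip())).lower()

def triage(listing):
    """listing: iterable of (path, size_in_bytes) pairs from a handset image."""
    index = {p: role for role, paths in ARTIFACTS.items() for p in paths}
    found = {role: [] for role in ARTIFACTS}
    size_match = False
    for path, size in listing:
        key = normalize(path)
        role = index.get(key)
        if role is None:
            continue
        found[role].append(key)
        if key.endswith("caribe.sis") and size == SIS_SIZE:
            size_match = True
    leftovers = bool(found["hidden_copy"] or found["recogs"])
    if not any(found.values()):
        verdict = "no-artifacts"
    elif leftovers and not found["app"]:
        verdict = "incomplete-cleanup"  # APPS copy gone, other copies remain
    else:
        verdict = "infected"
    return {"found": found, "sis_size_match": size_match, "verdict": verdict}

# Constructed listing: APPS copy already deleted, other copies still present.
SAMPLE = [
    ("C:/System/Apps/Camera/Camera.app", 20480),
    ("C:\\SYSTEM\\SYMBIANSECUREDATA\\CARIBESECURITYMANAGER\\CARIBE.SIS", 17596),
    ("C:\\System\\Recogs\\flo.mdl", 2540),
]

if __name__ == "__main__":
    print(triage(SAMPLE)["verdict"])
```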

Propagation

Each time the user switches on the infected telephone, the worm will scan the list of active Bluetooth connections. It will then select the first connection listed as accessible, and will attempt to send the main file to the device. The recipient will see the following message:

Install Caribe?

If the recipient answers yes, then the infected file will be accepted, and the user will be asked if they wish to launch the file. (This depends on the model of the telephone; please see the description of Worm.SymbOS.Cabir.a for further details.)

In addition, unlike previous versions of Cabir, the worm is able to self-replicate via MMS. It will automatically answer any incoming SMS or MMS with an MMS that includes an attached copy of the infected file.

Payload

The worm has no payload apart from being able to self-replicate. However, infected phones may become unstable due to the presence of the worm in memory and its constant scanning of the list of active Bluetooth connections.
