
Worm.SymbOS.Cabir.a

Other versions: .b, .c, .d, .k

Aliases
Worm.SymbOS.Cabir.a (Kaspersky Lab) is also known as: SymbOS/Cabir.b (McAfee), SymbOS.Cabir.B (Symantec), Symb/Cabir-C (Sophos), SymbOS_CABIR.A (Trend Micro), Worm/Symbi.Cabir.A (H+BEDV), SymbOS.Worm.Caribe.A (SOFTWIN), SymbOS/Cabir.A.worm (Panda)
Description added: Jun 15 2004
Behavior: Internet Worm
Technical details

Cabir is the first network worm capable of spreading via Bluetooth; it infects mobile phones which run Symbian OS.

A wide range of phones from a number of manufacturers use this technology. It is clear that Nokia 3650, 7650 and N-Gage phones can all be infected by Cabir. However, any handset running Symbian OS is potentially vulnerable to infection.

The list below shows handsets running this operating system. The list is taken from the Symbian site.

Handsets

Already on the market:

  • FOMA F2051
  • FOMA F2102V
  • FOMA F900i
  • Nokia 3650/3600
  • Nokia 3660/3620
  • Nokia 6600
  • Nokia 7610
  • Nokia 7650
  • Nokia N-Gage
  • Nokia N-Gage QD
  • Sendo X
  • Siemens SX1

To be released in the near future:

  • BenQ P30
  • FOMA F900iT
  • Motorola A1000
  • Nokia 6260
  • Nokia 6620
  • Nokia 6630
  • Panasonic X700
  • Samsung SGH-D710

Smartphones and communicators:

  • Ericsson R380 World Smartphone
  • Ericsson R380e Smartphone
  • Ericsson R380sc Smartphone

There are currently two versions of this worm. They are identical, except that one version, when displaying a Window Alert text, will include the text line VZ/29a.

The worm itself is an SIS format file, called caribe.sis, 15092 bytes in size (the second version is 15104 bytes in size).

This file contains three objects:

  • caribe.app: 11932 bytes / 11944 bytes in size
  • flo.mdl: 2544 bytes in size
  • caribe.rsc: 44 bytes in size

Installation

When launched, the worm displays a message on the screen: either 'Caribe' or 'Caribe - VZ/29a'.

It then installs itself to the following directories:

C:\system\apps\caribe\caribe.app
C:\system\apps\caribe\flo.mdl
C:\system\apps\caribe\caribe.rsc

C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS
C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP
C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.RSC
C:\SYSTEM\RECOGS\FLO.MDL

The directory SYMBIANSECUREDATA which the worm creates is hidden and cannot be seen by the user of the infected telephone.

Even if the worm file is deleted from the APPS directory, the worm will continue to be active in the system.
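A check for the artifacts listed above, added here as an example and not Kaspersky Lab's removal utility: it scans an exported handset file listing for the worm's files and flags the case where only the APPS copies were deleted. The (path, size) listing format, the `triage` name, case-insensitive comparison and matching the APPS folder on any drive are assumptions; the sample listing is constructed.

```python
import ntpath

# Artifact locations and sizes come from the description above.
APPS_DIR = r"\system\apps\caribe"   # matched without the drive letter
PERSISTENT = {                      # copies that survive deleting the APPS folder
    r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.sis",
    r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.app",
    r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.rsc",
    r"c:\system\recogs\flo.mdl",
}
SIZES = {"caribe.sis": {15092, 15104}, "caribe.app": {11932, 11944},
         "flo.mdl": {2544}, "caribe.rsc": {44}}

def triage(listing):
    """listing: iterable of (path, size_in_bytes). Returns (status, hits)."""
    hits = []
    for path, size in listing:
        norm = path.strip().lower().replace("/", "\\")  # assumed case-insensitive
        _drive, rest = ntpath.splitdrive(norm)
        name = ntpath.basename(rest)
        if norm in PERSISTENT:
            where = "persistent"
        elif name in SIZES and ntpath.dirname(rest) == APPS_DIR:
            where = "apps"
        else:
            continue
        hits.append({"path": path, "where": where,
                     "size_matches": size in SIZES[name]})
    kinds = {h["where"] for h in hits}
    if not kinds:
        status = "clean"
    elif kinds == {"persistent"}:
        status = "partial-cleanup"  # APPS copy gone, worm files still present
    else:
        status = "infected"
    return status, hits

# Constructed listing: the user has already deleted the APPS copies.
SAMPLE = [
    (r"C:\System\Apps\Camera\Camera.app", 20480),
    (r"C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS", 15092),
    (r"C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP", 11932),
    (r"C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.RSC", 44),
    (r"C:\SYSTEM\RECOGS\FLO.MDL", 2544),
]

if __name__ == "__main__":
    status, hits = triage(SAMPLE)
    print(status)
    for hit in hits:
        print(hit["where"], hit["size_matches"], hit["path"])
```

A hit whose size does not match the published values is still reported, since a file at one of these paths is suspicious regardless of size.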

Propagation

Each time the infected telephone is switched on, the worm scans the list of active Bluetooth connections. The worm will select the first active connection shown and will attempt to send its main file, caribe.sis, to this device. The device which receives this file will display the following information:

Receive
message via
Bluetooth from
(Identifier of transmitting telephone e.g. Nokia 3650)

If receipt of the infected file is confirmed, the user will be asked if they wish to launch the file (the message displayed depends on the model of telephone):

Install
caribe?

Other

The worm appears not to have any payload apart from propagating. However, the presence of the worm in memory, and the worm's scanning for active Bluetooth devices, may cause infected telephones to function in an unstable manner.

Removal

Kaspersky Lab has developed a utility to remove Cabir.a from infected handsets.

The utility will detect and delete the worm from Nokia 3650 and 6600, and Siemens SX1 handsets. It is also designed to work on Nokia N-Gage and Sony Ericsson P900 handsets, but it has not been tested on these handsets.

The utility can be found on the WAP site wap.kaspersky.com. It can be downloaded either directly from the WAP site or via the Internet by following the link www.kaspersky.com/downloads/wap/downloads/decabir.sis.

How to use the utility:

  • Upload the installation file, decabir.sis, to the handset, and launch it.
  • Choose the Decabir icon in the main menu.
  • If the handset is not infected, the message 'Device is clean' will be displayed.
  • If the handset is infected, the message 'Cabir has been removed. Please reboot' will be displayed. You should now switch your handset off and on again.
 

Copyright © 1996 - 2008
Kaspersky Lab
All rights reserved