Thursday, August 19, 2004
Worm.SymbOS.Cabir.a
Cabir is the first network worm capable of spreading via Bluetooth; it infects mobile phones which run Symbian OS.
Phones from many manufacturers run Symbian OS and ship with Bluetooth. The Nokia 3650, 7650 and N-Gage are confirmed to be infectable by Cabir, but any handset running Symbian OS is potentially vulnerable to infection.
The list below shows handsets running this operating system. The list is taken from the Symbian site.
Handsets

Already on the market:
FOMA F2051
FOMA F2102V
FOMA F900i
Motorola A920
Motorola A925
Nokia 3650/3600
Nokia 3660/3620
Nokia 6600
Nokia 7610
Nokia 7650
Nokia 9210 Communicators
Nokia 9290 Communicator
Nokia N-Gage
Nokia N-Gage QD
Sendo X
Siemens SX1
Sony Ericsson P800
Sony Ericsson P900

To be released in the near future:
BenQ P30
FOMA F900iT
Motorola A1000
Nokia 6260
Nokia 6620
Nokia 6630
Nokia 7700
Nokia 9500
Panasonic X700
Samsung SGH-D710

Smartphones and communicators:
Ericsson R380 World Smartphone
Ericsson R380e Smartphone
Ericsson R380sc Smartphone
Psion 618C and 618S
Psion Revo and Revo Plus
Psion Series 5mx
Psion Series 7 and netBook
There are currently two versions of this worm. They are identical except that one of them adds the line 'VZ/29a' to the alert window it displays.
The worm itself is a Symbian installation package (SIS file) named caribe.sis, 15092 bytes in size (15104 bytes for the second version).
This file contains three objects:
caribe.app: 11932 bytes/ 11944 bytes in size
flo.mdl: 2544 bytes in size
caribe.rsc: 44 bytes in size
Installation
When launched, the worm displays a message on the screen: either 'Caribe' or 'Caribe - VZ/29a'.
It then copies its components to the following locations ('!:' is the Symbian installer's placeholder for the drive the user chose at installation, normally C: or a memory card):
!:\system\apps\caribe\caribe.app
!:\system\apps\caribe\flo.mdl
!:\system\apps\caribe\caribe.rsc
C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS
C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP
C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.RSC
C:\SYSTEM\RECOGS\FLO.MDL
The SYMBIANSECUREDATA directory the worm creates is hidden, so the user of the infected telephone cannot see it in the file manager.
Deleting the worm from the APPS directory alone does not disinfect the phone: FLO.MDL is a MIME recogniser, and Symbian OS loads every recogniser in C:\SYSTEM\RECOGS at boot, so the worm is restarted from its hidden copy each time the phone is switched on.
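The footprint above can be turned into an offline check. The following added example is mine, not code from the original page or from Kaspersky's Decabir utility: it scans a (path, size) listing of the phone's file system, accepts the APPS copy on any drive, and tells a fully infected phone apart from one where only the visible APPS directory was deleted and the restart hook survives. The listings are constructed, and the variant lookup uses only the caribe.sis sizes quoted above because the page gives no hashes; on a real phone you would match on hashes rather than sizes.

```python
"""Offline check for the Cabir.a file footprint described above.

Input is a plain listing of (path, size) pairs, e.g. produced by a Symbian
file manager or by mounting the phone's memory card. Paths are matched
case-insensitively, as the Symbian file system is case-insensitive.
"""

# Paths from the description. "?:" stands for the drive chosen at installation
# (C: or a memory card), so those entries are matched on any drive letter.
APPS_DIR = r"?:\SYSTEM\APPS\CARIBE"
APPS_FILES = {"CARIBE.APP", "FLO.MDL", "CARIBE.RSC"}
HIDDEN_DIR = r"C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER"
HIDDEN_FILES = {"CARIBE.SIS", "CARIBE.APP", "CARIBE.RSC"}
RECOGNISER = r"C:\SYSTEM\RECOGS\FLO.MDL"   # loaded at boot: the restart hook

# caribe.sis sizes quoted for the two variants (no hashes are given above)
SIS_SIZES = {15092: "first variant", 15104: "second variant"}


def _norm(path):
    """Uppercase, backslash-separated form of a Symbian path."""
    return path.replace("/", "\\").upper()


def scan_listing(listing):
    """Return a report dict for an iterable of (path, size_in_bytes) pairs."""
    apps, hidden, hits = set(), set(), []
    recogniser, variant = False, None
    for path, size in listing:
        full = _norm(path)
        directory, _, name = full.rpartition("\\")
        if directory[1:] == APPS_DIR[1:] and name in APPS_FILES:   # any drive
            apps.add(name)
            hits.append(full)
        elif directory == HIDDEN_DIR and name in HIDDEN_FILES:
            hidden.add(name)
            hits.append(full)
            if name == "CARIBE.SIS":
                variant = SIS_SIZES.get(size, "unknown (%d bytes)" % size)
        elif full == RECOGNISER:
            recogniser = True
            hits.append(full)
    if not hits:
        verdict = "clean"
    elif not apps and (hidden or recogniser):
        # Visible copy gone, but the hidden copy and/or the recogniser survive,
        # so the worm is relaunched on the next boot.
        verdict = "partial removal: worm still active"
    else:
        verdict = "infected"
    return {"hits": hits, "apps_copy": bool(apps), "hidden_copy": bool(hidden),
            "recogniser": recogniser, "variant": variant, "verdict": verdict}


def removal_order(report):
    """Files to delete, restart hook first so a reboot cannot relaunch the worm."""
    def rank(p):
        if p == RECOGNISER:
            return 0
        return 1 if p.startswith(HIDDEN_DIR) else 2
    return sorted(report["hits"], key=rank)


# Constructed listings (not captured from a real phone).
UNRELATED = [(r"C:\system\apps\Phone\Phone.app", 132096), (r"E:\Images\photo1.jpg", 48213)]
INFECTED = UNRELATED + [
    (r"E:\system\apps\caribe\caribe.app", 11932),
    (r"E:\system\apps\caribe\flo.mdl", 2544),
    (r"E:\system\apps\caribe\caribe.rsc", 44),
    (r"C:\system\SymbianSecureData\CaribeSecurityManager\caribe.sis", 15092),
    (r"C:\system\SymbianSecureData\CaribeSecurityManager\caribe.app", 11932),
    (r"C:\system\SymbianSecureData\CaribeSecurityManager\caribe.rsc", 44),
    (r"C:\system\recogs\flo.mdl", 2544),
]
# What remains after a user deletes only the visible APPS directory.
PARTIAL = [entry for entry in INFECTED if "\\APPS\\CARIBE\\" not in _norm(entry[0])]

if __name__ == "__main__":
    for label, listing in (("clean", UNRELATED), ("infected", INFECTED), ("partial", PARTIAL)):
        report = scan_listing(listing)
        print(label, "->", report["verdict"], report["variant"])
        for p in removal_order(report):
            print("   delete", p)
```

The "partial removal" verdict is the case the description warns about: with the APPS copy gone, the file manager shows nothing suspicious, yet C:\SYSTEM\RECOGS\FLO.MDL and the hidden copy are still present and the worm comes back after the next power cycle.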
Propagation
Each time the infected telephone is switched on, the worm starts a Bluetooth device search, selects the first device it finds and attempts to send its main file, caribe.sis, to that device; it keeps retrying the same target until the phone is restarted, which is one reason the worm spreads slowly. The receiving device first asks its user whether to accept the incoming file.
Only if the user accepts is the file stored on the phone; the user is then asked whether to launch (install) it, with wording that depends on the model of telephone. A user who declines at either prompt is not infected.
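The transfer itself is an ordinary Bluetooth Object Push: an OBEX CONNECT, one or more PUT packets carrying Name, Type, Length and Body headers, then DISCONNECT. The following is an added example, not the worm's code or anything from the original page, that models both ends in-process: a sender that splits an object into PUT packets, and a receiver that stores nothing until its user has accepted the object, which is the first of the two prompts described above. The pushed object is a constructed byte pattern of the same length as the first caribe.sis variant, not the worm; the Bluetooth/RFCOMM transport is omitted; application/vnd.symbian.install is the standard MIME type for .sis packages.

```python
import struct

# Opcodes; bit 7 marks the final packet of an operation and is always set on responses.
OBEX_CONNECT, OBEX_DISCONNECT, OBEX_PUT, OBEX_PUT_FINAL = 0x80, 0x81, 0x02, 0x82
RSP_CONTINUE, RSP_OK, RSP_BAD_REQUEST, RSP_FORBIDDEN = 0x90, 0xA0, 0xC0, 0xC3
# Header ids; top two bits select the encoding: 00 UTF-16BE text / 01 byte sequence (2-byte length), 11 bare 4-byte int.
HDR_NAME, HDR_TYPE, HDR_BODY, HDR_END_OF_BODY, HDR_LENGTH = 0x01, 0x42, 0x48, 0x49, 0xC3
SIS_MIME = "application/vnd.symbian.install"   # standard MIME type for .sis packages
OBEX_VERSION = 0x10                              # OBEX 1.0

def _packet(opcode, payload):
    return struct.pack(">BH", opcode, 3 + len(payload)) + payload

def _seq_header(hid, data):
    return struct.pack(">BH", hid, 3 + len(data)) + data

def build_connect(max_packet=1024):
    return _packet(OBEX_CONNECT, struct.pack(">BBH", OBEX_VERSION, 0, max_packet))

def build_push(name, mime, data, max_packet=1024):
    """Split `data` into PUT packets of at most `max_packet` bytes each."""
    fixed = (_seq_header(HDR_NAME, (name + "\0").encode("utf-16-be"))
             + _seq_header(HDR_TYPE, mime.encode("ascii") + b"\0")
             + struct.pack(">BI", HDR_LENGTH, len(data)))
    packets, pos = [], 0
    while True:
        headers = fixed if not packets else b""        # Name/Type/Length only in the first PUT
        room = max_packet - 3 - len(headers) - 3        # packet header, fixed headers, body header
        chunk = data[pos:pos + room]
        pos += len(chunk)
        last = pos >= len(data)
        body = _seq_header(HDR_END_OF_BODY if last else HDR_BODY, chunk)
        packets.append(_packet(OBEX_PUT_FINAL if last else OBEX_PUT, headers + body))
        if last:
            return packets

def parse_headers(payload):
    """Decode an OBEX header list into [(header_id, value), ...]."""
    out, i = [], 0
    while i < len(payload):
        hid, kind = payload[i], payload[i] & 0xC0
        if kind in (0x00, 0x40):
            hl = struct.unpack(">H", payload[i + 1:i + 3])[0]
            if hl < 3 or i + hl > len(payload):
                raise ValueError("bad header length")
            raw = payload[i + 3:i + hl]
            value = raw.decode("utf-16-be").rstrip("\0") if kind == 0x00 else raw
            i += hl
        elif kind == 0x80:                               # 1-byte value
            value, i = payload[i + 1], i + 2
        else:                                            # 4-byte value
            value, i = struct.unpack(">I", payload[i + 1:i + 5])[0], i + 5
        out.append((hid, value))
    return out

class PushReceiver:
    """Object Push server side; `ask_user(name, length)` models the accept prompt."""
    def __init__(self, ask_user):
        self.ask_user, self.accepted, self.complete = ask_user, None, False
        self.name, self.length, self.data = None, None, bytearray()

    def handle(self, packet):
        opcode, plen = struct.unpack(">BH", packet[:3])
        if plen != len(packet):
            return _packet(RSP_BAD_REQUEST, b"")
        if opcode == OBEX_CONNECT:
            return _packet(RSP_OK, struct.pack(">BBH", OBEX_VERSION, 0, 1024))
        if opcode == OBEX_DISCONNECT:
            return _packet(RSP_OK, b"")
        if opcode not in (OBEX_PUT, OBEX_PUT_FINAL):
            return _packet(RSP_BAD_REQUEST, b"")
        headers = parse_headers(packet[3:])
        named = dict(headers)
        self.name, self.length = named.get(HDR_NAME, self.name), named.get(HDR_LENGTH, self.length)
        if self.accepted is None:                        # prompt once, before storing any byte
            self.accepted = bool(self.ask_user(self.name, self.length))
        if not self.accepted:
            return _packet(RSP_FORBIDDEN, b"")
        for hid, value in headers:
            if hid in (HDR_BODY, HDR_END_OF_BODY):
                self.data += value
        self.complete = opcode == OBEX_PUT_FINAL
        return _packet(RSP_OK if self.complete else RSP_CONTINUE, b"")

def push_object(name, data, ask_user, max_packet=1024):
    """Run the whole exchange in-process and return (outcome, receiver)."""
    rx, outcome = PushReceiver(ask_user), "delivered"
    if rx.handle(build_connect(max_packet))[0] != RSP_OK:
        return "connect refused", rx
    for pkt in build_push(name, SIS_MIME, data, max_packet):
        if rx.handle(pkt)[0] not in (RSP_CONTINUE, RSP_OK):
            outcome = "rejected"                         # receiver said no: stop sending
            break
    rx.handle(_packet(OBEX_DISCONNECT, b""))
    return outcome, rx

# Constructed stand-in for the pushed object: the length of the first caribe.sis variant, but only a byte pattern.
SAMPLE_OBJECT = bytes(i & 0xFF for i in range(15092))
```

push_object("caribe.sis", SAMPLE_OBJECT, lambda name, length: True) returns ('delivered', receiver) with receiver.data equal to the sample, split over 15 packets of at most 1024 bytes; with a callback that returns False the first PUT is answered 0xC3 Forbidden and nothing is stored, which is the point of the two prompts described above: without the user saying yes, no file reaches the phone, let alone gets installed.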
Other
The worm has no payload beyond propagating. However, the resident worm process and its constant Bluetooth scanning can make infected telephones unstable and drain the battery noticeably faster than normal.
Removal
Kaspersky Labs has developed a utility to remove Cabir.a from infected handsets.
The utility will detect and delete the worm from Nokia 3650 and 6600, and Siemens SX1 handsets. It is also designed to work on Nokia N-Gage and Sony Ericsson P900 handsets, but it has not been tested on these handsets.
The utility can be found on the WAP site wap.kaspersky.com. It can be downloaded either directly from the WAP site or via the Internet by following the link wap.kaspersky.com/downloads/decabir-1.0.sis
How to use the utility:
Transfer the installation file, decabir.sis, to the handset and launch it.
Choose the Decabir icon in the main menu.
If the handset is not infected, the message 'Device is clean' is displayed.
If the handset is infected, the message 'Cabir has been removed. Please reboot' is displayed; switch the handset off and on again to complete the removal.
This info is from:
http://www.viruslist.com/eng/viruslist.html?id=1689517