05-24-2005, 03:06 PM
MASTER MEMBER
Join Date: May 2005
Posts: 466
Reputation: 10
NAME: Cabir.Dropper
ALIAS: SymbOS/Cabir.Dropper, Norton AntiVirus 2004 Professional.sis
Summary
Cabir.Dropper is a Symbian installation file that will install Cabir.B, Cabir.C and Cabir.D into the device and disables the Bluetooth control application. The original version of Cabir.Dropper is named Norton AntiVirus 2004 Professional.sis.
The Cabir.Dropper installs different Cabir variants into several places in the device file system. Some of the installed Cabirs replace common third party applications, so that if the user has one of those applications installed in the system it gets replaced with Cabir.D and its icon in the menu will go blank.
If the user clicks on one of the replaced icons in the menu, the Cabir.D that has replaced that application will start and try to spread to other devices. If Cabir.D starts it will spread as Cabir.D ([YUAN].SIS) without the other Cabir variants or Cabir.Dropper.
The Cabir.Dropper will also install an autostart component that tries to automatically start Cabir.D upon system reboot, but fails, as the autostart component points to a directory that is not installed on the device.
Installation to system
When Cabir.Dropper is installed into the system it will install files into the following directories.
\images\
\sounds\digital
\system\apps
\system\install
\system\recogs
\system\apps\btui
\system\apps\fexplorer
\system\apps\file
\system\apps\freakbtui
\system\apps\smartfileman
\system\apps\smartmovie
\system\apps\systemexplorer
\system\apps\[yuan]
Some of the Cabir variants are installed into the default installation directories of common third party applications. The applications are FExplorer, SmartFileMan, Smartmovie and SystemExplorer.
The Cabir.Dropper will also install a non-functional version of the Bluetooth control application, so that the user cannot change Bluetooth settings without disinfecting the device first.
Spreading in: Norton AntiVirus 2004 Professional.sis
Payload: Installs Cabir.B, Cabir.C and Cabir.D in the system and disables the Bluetooth control application.

05-24-2005, 03:07 PM
MASTER MEMBER
Join Date: May 2005
Posts: 466
Reputation: 10
NAME: Cabir.B
ALIAS: SymbOS/Cabir.B, EPOC/Cabir.B, Worm.Symbian.Cabir.B, Caribe virus
Summary
Cabir.B is a minor variant of Cabir.A; the only significant difference is that Cabir.B displays different text on the start dialog when the worm starts the first time or the phone reboots.
Cabir.A displays the text "Caribe-VZ/29a" while Cabir.B displays text that contains just "Caribe".
There is also a repacked version of Cabir.B that is packed into a SIS file, which installs the worm into a different directory and shows a text popup at SIS install. But this is not a new variant, as the worm executables are fully identical to the original Cabir.B and all differences are due to settings in the repacked SIS file.
Alternatively, you can disinfect the system manually by installing a file manager application and manually deleting these files:
c:\system\apps\caribe\caribe.rsc
c:\system\apps\caribe\caribe.app
c:\system\apps\caribe\flo.mdl
c:\system\recogs\flo.mdl
c:\system\symbiansecuredata\caribesecuritymanager\caribe.app
c:\system\symbiansecuredata\caribesecuritymanager\caribe.rsc

05-24-2005, 03:20 PM
MASTER MEMBER
Join Date: May 2005
Posts: 466
Reputation: 10
NAME: Cabir
ALIAS: SymbOS/Cabir.A, EPOC/Cabir.A, Worm.Symbian.Cabir.a, Caribe virus
Summary
Cabir is a Bluetooth-using worm that runs in Symbian mobile phones that support the Series 60 platform.
Cabir replicates over Bluetooth connections and arrives in the phone messaging inbox as a caribe.sis file which contains the worm. When the user clicks the caribe.sis and chooses to install the Caribe.sis file, the worm activates and starts looking for new devices to infect over Bluetooth.
When the Cabir worm finds another Bluetooth device it will start sending infected SIS files to it, and lock to that phone so that it won't look for other phones even when the target moves out of range.
Please note that the Cabir worm can reach only mobile phones that support Bluetooth and are in discoverable mode.
Setting your phone into non-discoverable (hidden) Bluetooth mode will protect your phone from the Cabir worm.
But once the phone is infected it will try to infect other systems even as the user tries to disable Bluetooth from the system settings.
When the user clicks on the caribe.sis in the phone messaging inbox the phone will display a warning dialog.
If the user clicks yes the phone will ask the normal installation question.
If the user clicks yes the Cabir worm will activate and show a dialog that contains the name that the virus author wants to give to the worm and the author's initials and group initial 29A. Although it seems that in some phone models, for example the Nokia 6600, this dialog is not shown.
Alternatively, you can disinfect the system manually by installing a file manager application and manually deleting these files:
c:\system\apps\caribe\caribe.rsc
c:\system\apps\caribe\caribe.app
c:\system\apps\caribe\flo.mdl
c:\system\recogs\flo.mdl
c:\system\symbiansecuredata\caribesecuritymanager\caribe.app
c:\system\symbiansecuredata\caribesecuritymanager\caribe.rsc
Detailed Description
Replication
Cabir replicates over Bluetooth in a caribe.sis file that contains the worm's main executable caribe.app, the system recognizer flo.mdl and the resource file caribe.rsc. The SIS file contains autostart settings that will automatically execute caribe.app after the SIS file has been installed.
The caribe.sis file will not arrive automatically at the target device, so the user needs to answer yes to the transfer question while the infected device is still in range.
When the Cabir worm is activated it will start looking for other Bluetooth devices, and starts sending infected caribe.sis files to the first device it finds. The replication routine in Cabir contains a bug that causes it to lock to the first device it finds, and it won't look for other devices.
This means that Cabir is capable of sending infected files to only one other device per activation. So Cabir will try to infect one other device when it is activated the first time, and then one more each time the phone is rebooted.
Also in our tests we found that the newly infected phone will first look for the phone that sent the infected file. So Cabir is capable of spreading widely only in cases where the phone that sent the infected file is out of range before the user activates Cabir on a new phone.
This means that while Cabir is capable of spreading in the wild, it would spread quite slowly and would not cause a large epidemic.
One curious fact is that in Series 60 phones the Bluetooth functionality is independent from the GSM side, and if the phone is rebooted Cabir will try to spread even if the user doesn't enter the PIN code.
Infection
When the caribe.sis file is installed the installer will copy the worm executables into the following locations:
c:\system\apps\caribe\caribe.rsc
c:\system\apps\caribe\caribe.app
c:\system\apps\caribe\flo.mdl
When the caribe.app is executed it copies the following files:
flo.mdl to c:\system\recogs
caribe.app to c:\system\symbiansecuredata\caribesecuritymanager\
caribe.rsc to c:\system\symbiansecuredata\caribesecuritymanager\
This is most likely done in case user installs the application to memory card.
Then the worm will recreate the caribe.sis file from worm component files and data blocks that are in caribe.app.
After recreating the caribe.sis file the worm starts to look for all visible bluetooth devices and send the SIS file to them.
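Added example, not code from the forum posts above: a defender-side check that classifies a Series 60 file listing against the Cabir.A/B paths quoted in this thread, distinguishing a merely installed worm (files only under \system\apps\caribe) from an activated one (copies in \system\recogs and \system\symbiansecuredata, which caribe.app writes when it runs). The one-path-per-line listing format and the sample listing are constructed assumptions.

```python
# Constructed example: classify a phone's file listing against the Cabir
# file paths given in the thread above and list what manual removal deletes.

# Files written by the SIS installer (present once installed, before any run)
INSTALLED = {
    r"c:\system\apps\caribe\caribe.rsc",
    r"c:\system\apps\caribe\caribe.app",
    r"c:\system\apps\caribe\flo.mdl",
}
# Files caribe.app copies when executed; their presence means the worm ran
ACTIVATED = {
    r"c:\system\recogs\flo.mdl",
    r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.app",
    r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.rsc",
}
CABIR_FILES = INSTALLED | ACTIVATED


def normalise(path: str) -> str:
    """Symbian paths are case-insensitive; accept / or \\ as separator."""
    return path.strip().replace("/", "\\").lower()


def assess(listing: str) -> dict:
    """Return the infection stage and the Cabir files found in the listing.

    stage is 'clean', 'installed' (SIS installed, caribe.app never ran) or
    'active' (recognizer copied to \\system\\recogs, so it restarts on reboot).
    """
    present = {normalise(p) for p in listing.splitlines() if p.strip()}
    if present & ACTIVATED:
        stage = "active"
    elif present & INSTALLED:
        stage = "installed"
    else:
        stage = "clean"
    return {"stage": stage, "remove": sorted(present & CABIR_FILES)}


# Constructed listing (assumption): a phone on which caribe.app already ran
SAMPLE = r"""
C:\System\Apps\Caribe\caribe.app
C:\System\Apps\Caribe\caribe.rsc
C:\System\Apps\Caribe\flo.mdl
C:\System\Recogs\flo.mdl
C:\System\Apps\Calendar\Calendar.app
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```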

05-24-2005, 03:21 PM
MASTER MEMBER
Join Date: May 2005
Posts: 466
Reputation: 10
NAME: Mquito
ALIAS: SymbOS/Mquito, Trojan.Mquito, SymbOS/QDial26
Summary
Trojan.Mquito is a ******* version of a game that runs on Symbian Series 60 devices. The game contains functionality that will send an SMS message to a certain number each time the game is started.
The Trojan.Mquito is not a trojanized version of the game; the hidden SMS functionality was put in the game from the beginning by the original manufacturer.
This functionality was supposed to be some kind of copy-protection technique, but it didn't work right and the whole functionality backfired.
According to the manufacturer, the premium rate contract for the receiving phone numbers has been terminated, so although old versions of the game still send hidden SMS messages, it only costs the nominal fee of sending the message itself.
Current versions of this game no longer have this hidden functionality, but "*******" versions of Mosquitos still float around P2P networks - and they still send these messages.
The SMS sending version of the game can still be identified by the message it shows when the game starts.
The original version will display the following text, which varies a bit depending on the region.
UK VERSION This version is for the UK market only and does not work
outside the United Kingdom. Pirate copies are illegal and offenders
will be prosecuted.
The trojan version will display the following modified text:
FREE VERSION This version has been ******* by SODDOM BIN LOADER
No rights reserved. Pirate copies are illegal and offenders will
have lotz of phun!!!
The difference in the message has been made by modifying strings inside the game binary. The difference in the messages is the only difference between the ******* and original version that we have been able to determine.
Needless to say, the 'trojan' version of the game can be found only in pirated sources. So installing such a program is not recommended in the first place, as any copy that contains the SMS routine is an illegal copy.
When Mquito is run it will show the dialog containing the message from the *****er and send an SMS message to a premium rate number. After sending the message the game will start normally.
The SMS sending routine is built into the binary by the game developers, not inserted by *****ers.
The message is sent only when the game starts, and the sending routine will not be called before Mquito is started the second time.

05-24-2005, 10:02 PM
ADMIN
Join Date: May 2005
Location: Symbi@n Forum (^_^)
Posts: 18,244
Phone Model: N95 8GB
Good Work man