Full Version: Know Your CellularPhone Virus
PatrickCroninYouthOrganization
Cabir.A

Cabir is a Bluetooth-using worm that runs on Symbian mobile phones that support the Series 60 platform.

Cabir replicates over Bluetooth connections and arrives in the phone's messaging inbox as a caribe.sis file that contains the worm. When the user clicks caribe.sis and chooses to install the Caribe.sis file, the worm activates and starts looking for new devices to infect over Bluetooth.

When the Cabir worm finds another Bluetooth device it will start sending infected SIS files to it, and lock to that phone so that it won't look for other phones even when the target moves out of range.

Please note that Cabir worm can reach only mobile phones that support bluetooth, and are in discoverable mode.

Setting your phone into non-discoverable (hidden) Bluetooth mode will protect your phone from the Cabir worm.

But once the phone is infected it will try to infect other systems even as user tries to disable bluetooth from system settings.


Cabir.B

Cabir.B is a minor variant of Cabir.A; the only significant difference is that Cabir.B displays different text on the start dialog when the worm starts the first time or the phone reboots.

Cabir.A displays text "Caribe-VZ/29a" while Cabir.B displays text that contains just "Caribe".

There is also a repacked version of Cabir.B that is packed into a SIS file, which installs the worm into a different directory and shows a text popup at SIS install. But this is not a new variant, as the worm executables are fully identical to the original Cabir.B and all differences are due to settings in the repacked SIS file.


Cabir.C


Cabir.C is a minor variant of Cabir.B; the only significant differences are that Cabir.C displays different text on the start dialog when the worm starts and that Cabir.C spreads as MYTITI.SIS instead of Cabir.SIS.

Cabir.C displays text "Mytiti" while Cabir.B displays text that contains just "Caribe".


Cabir.D

Cabir.D is a minor variant of Cabir.B; the only significant differences are that Cabir.D displays different text on the start dialog when the worm starts and that Cabir.D spreads as [YUAN].SIS instead of Cabir.SIS.

Cabir.D displays text "[YUAN]" while Cabir.B displays text that contains just "Caribe".



Cabir.E

Cabir.E is a minor variant of Cabir.B; the only significant differences are that Cabir.E displays different text on the start dialog when the worm starts and that Cabir.E spreads as Ni&Ai-.SIS instead of Cabir.SIS.

Cabir.E displays text "Ni&Ai-" while Cabir.B displays text that contains just "Caribe".


Cabir.Dropper


Cabir.Dropper is a Symbian installation file that will install Cabir.B, Cabir.C and Cabir.D into the device and disable the Bluetooth control application. The original version of Cabir.Dropper is named Norton AntiVirus 2004 Professional.sis (WATCH OUT FOR THIS GUYZ!)

The Cabir.Dropper installs different Cabir variants into several places in the device file system. Some of the installed Cabirs replace common third-party applications, so that if the user has one of those applications installed in the system it gets replaced with Cabir.D and its icon in the menu will go blank.

If user clicks on one of the replaced icons in the menu, the Cabir.D that has replaced that application will start and try to spread to other devices. If Cabir.D starts it will spread as Cabir.D ([YUAN].SIS) without other Cabir variants or Cabir.Dropper.

The Cabir.Dropper will also install autostart component that tries to automatically start Cabir.D upon system reboot, but fails as the autostart component points into directory that is not installed on the device.



Skulls.A

Skulls is a malicious SIS file trojan that will replace the system applications with non-functional versions, so that all but the phone functionality will be disabled.

The Skulls SIS file is named "Extended theme.SIS", it claims to be theme manager for Nokia 7610 smart phone, written by "Tee-222".

If Skulls is installed it will cause all application icons to be replaced with picture of skull and cross bones, and the icons don't refer to the actual applications any more so none of the Phone System applications will be able to start.

This basically means that if Skulls is installed only the calling from the phone and answering calls works. All functions which need some system application, such as SMS and MMS messaging, web browsing and camera no longer function.

If you have installed Skulls, the most important thing is not to reboot the phone and follow the disinfection instruction in this description.



Skulls.B

Skulls.B is a variant of SymbOS/Skulls.A trojan, which has similar functionality to the Skulls.A but uses different files.

Skulls.B is a malicious SIS file trojan that will replace the system applications with non-functional versions and drops SymbOS/Cabir.B worm in to the phone.

The Cabir dropped by Skulls.B does not activate automatically, but if the user goes to the Cabir icon in the phone menu and runs Cabir from there, Cabir.B will activate and try to infect other phones.

The Original Skulls.B SIS file is named "Icons.SIS". Unlike Skulls.A, the Skulls.B variant does not show any pop-up messages during install (except the "Installation security warning - unable to verify supplier" message shown by the operating system).

The Skulls.B replaces standard application icons with generic application icon instead of skull and cross bones like Skulls.A did.

If Skulls.B is installed, only calling from the phone and answering calls works. All functions which need some system application, such as SMS and MMS messaging, web browsing and camera, no longer function. And in addition to applications being disabled, the phone is also infected with Cabir.B, which, fortunately, is not able to activate automatically.

If you have installed Skulls.B, the most important thing is not to reboot the phone and follow the disinfection instruction in this description.



Qdial.A

This Trojan on a phone is a cracked version of the Mosquitos game, which runs on phones using the Symbian Series 60 Platform.

It is obtained by downloading a copy of the game from the Internet or through peer-to-peer networks.

It sends an SMS message to specific premium rate numbers and can charge affected users for the sent messages. Apparently, the affected numbers are from the United Kingdom (UK), Germany, Netherlands, and Switzerland regions only.

Unlike worms, it does not spread itself to other contacts in the phone.



webmaster
Thanks for the info, Patric... so guys, beware of turning on the BT on your phones :)
zhy
to all of us.

be careful!!!

(Good thing my cellphone has no Bluetooth) :D