
Virus Descriptions: Cabir

NAME: Cabir
ALIAS: EPOC/Cabir.A, Worm.Symbian.Cabir.a

Cabir is a worm that uses Bluetooth and runs on Symbian mobile phones that support the Series 60 platform.

Cabir replicates over Bluetooth connections and arrives in the phone's messaging inbox as a caribe.sis file that contains the worm. When the user clicks caribe.sis and chooses to install the SIS file, the worm activates and starts looking for new devices to infect over Bluetooth.

Please note that the Caribe worm can reach only mobile phones that support Bluetooth, have Bluetooth switched on, and are in discoverable mode.

But once the phone is infected, it will try to infect other systems even as the user tries to disable Bluetooth from the system settings.

When the user clicks on caribe.sis in the phone's messaging inbox, the phone will display a warning dialog.

If the user clicks yes, the phone will ask the normal installation question.

If the user clicks yes, the Cabir worm will activate and show a dialog that contains the name that the virus author wants to give to the worm, the author's initials and the group initials 29A.

Details

Cabir replicates over Bluetooth in the caribe.sis file, which contains the worm's main executable caribe.app, the system recognizer flo.mdl and the resource file caribe.rsc. The SIS file contains autostart settings that automatically execute caribe.app after the SIS file is installed.

When the caribe.sis file is installed, the installer copies the worm executables into the following locations:
c:\system\apps\caribe\caribe.rsc
c:\system\apps\caribe\caribe.app
c:\system\apps\caribe\flo.mdl

When caribe.app is executed, it copies the following files:
flo.mdl to c:\system\recogs
caribe.app to c:\system\symbiansecuredata\caribesecuritymanager\
caribe.rsc to c:\system\symbiansecuredata\caribesecuritymanager\

This is most likely done in case the user installs the application to a memory card.

The worm then recreates the caribe.sis file from the worm component files and data blocks that are in caribe.app.

After recreating the caribe.sis file, the worm starts to look for all visible Bluetooth devices and sends the SIS file to them.
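
The file locations listed above can be used to triage a file listing exported from a phone extraction. The following is an added example, not code from F-Secure or Disklabs; the function names, the stage labels and the sample listing are hypothetical, and it assumes the installed files may sit on any drive letter while the run-time copies are always on C:.

```python
import re

# Paths below come from the write-up above, lower-cased for comparison.
# Files the SIS installer drops (drive letter stripped: a memory-card
# install on another drive is an assumption of this example).
INSTALL_FILES = {
    r"\system\apps\caribe\caribe.rsc",
    r"\system\apps\caribe\caribe.app",
    r"\system\apps\caribe\flo.mdl",
}
# Copies that caribe.app makes on C: once it has been executed.
ACTIVATED_FILES = {
    r"c:\system\recogs\flo.mdl",
    r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.app",
    r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.rsc",
}

def normalize(path):
    """Lower-case, use backslashes and collapse repeated separators."""
    p = path.strip().replace("/", "\\").lower()
    return re.sub(r"\\+", r"\\", p)

def triage(listing):
    """Return (stage, matched_paths) for file paths from an extraction."""
    installed, activated = set(), set()
    for raw in listing:
        p = normalize(raw)
        if p in ACTIVATED_FILES:
            activated.add(p)
        elif re.match(r"[a-z]:", p) and p[2:] in INSTALL_FILES:
            installed.add(p)
    if activated:
        stage = "activated"           # caribe.app has run and copied itself
    elif installed:
        stage = "install-files-only"  # SIS contents present, no run-time copies
    else:
        stage = "no-artifacts"
    return stage, sorted(installed | activated)

# Constructed sample listing (not from a real device).
SAMPLE = [
    "C:/System/Apps/Caribe/caribe.app",
    "C:\\System\\Recogs\\FLO.MDL",
    "C:\\System\\Apps\\Camera\\Camera.app",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```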

Write-up: Jarno Niemela, Sami Rautiainen, Katrin Tocheva, June 15th, 2004

Technical Details: Jarno Niemela, Tero Jaasko, June 15th, 2004

Published with the kind permission of Matt Pearsey, F-Secure Corporation.
© F-Secure Corp. 2004.

© Disklabs 2004, All rights reserved. Please contact us with any comments or questions.
