Cabir.AA is a variant of the SymbOS/Cabir worm, recompiled from the original Cabir source code. Functionally it is very similar to the original Cabir, except that it shows an image when the worm starts.
Cabir.AA replicates over Bluetooth connections and arrives in the phone's messaging inbox as an INBOX.sis file that contains the worm. When the user clicks INBOX.sis and chooses to install the Caribe.sis file, the worm activates and starts looking for new devices to infect over Bluetooth.
When the Cabir.AA worm finds another Bluetooth device, it starts sending infected SIS files to it and locks onto that phone, so that it won't look for other phones even when the target moves out of range.
Please note that the Cabir.AA worm can reach only mobile phones that support Bluetooth and are in discoverable mode.
Setting your phone to non-discoverable (hidden) Bluetooth mode will protect your phone from the Cabir.AA worm.
But once the phone is infected, it will try to infect other systems even if the user tries to disable Bluetooth from the system settings.
When the user clicks on caribe.sis in the phone's messaging inbox, the phone will display a warning dialog.
If the user clicks yes, the phone will ask the normal installation question.
If the user clicks yes, the Cabir.AA worm will activate and show a dialog that contains the text "Spooky !!!"
F-Secure Mobile Anti-Virus will detect Cabir and delete the worm components. The Anti-Virus is available from http://mobile.f-secure.com for installation through a PC or by direct download with the phone.
Kill the Cabir process so that your phone doesn't spread the worm during the time taken for disinfection:
1. Press the phone menu button for 5 seconds to get the process menu
2. Select the process "Spooky"
3. Press 'C' to terminate the process and answer yes.
Instructions for direct download:
1. Open web browser on the phone
2. Go to http://mobile.f-secure.com
3. Select link "Download F-Secure Mobile Anti-Virus" and then select phone model
4. Download the file and select open after download
5. Install F-Secure Mobile Anti-Virus
6. Go to applications menu and start Anti-Virus
7. Activate Anti-Virus and scan all files
8. Reboot your phone to kill any Cabir.AA process that might still be running
Cabir.AA replicates over Bluetooth in an inbox.sis file that contains the worm's main executable spooky.app, system recognizer ezrecog.mdl, resource file spooky.rsc and bitmap image spooky.mbm. The SIS file contains autostart settings that automatically execute spooky.app after the SIS file is installed.
The inbox.sis file does not arrive on the target device automatically; the user needs to answer yes to the transfer question while the infected device is still in range.
When the Cabir.AA worm is activated, it will start looking for other Bluetooth devices and starts sending infected inbox.sis files to the first device it finds.
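For analysts working from a file listing exported from a phone or memory card, the component names above can be used for quick triage. The following is an added example, not F-Secure's detection logic: the function name `triage`, the verdict labels and the sample paths are assumptions made here, and only the file names come from this description.

```python
import ntpath

# File names come from the description above; everything else here is assumed.
COMPONENTS = {"spooky.app", "ezrecog.mdl", "spooky.rsc", "spooky.mbm"}
CARRIERS = {"inbox.sis", "caribe.sis"}

def triage(listing):
    """Classify a file listing (one path per line) by Cabir.AA file names.

    A name match is a triage hint for an analyst, not proof of infection.
    """
    found, carriers = {}, []
    for raw in listing.splitlines():
        path = raw.strip()
        if not path:
            continue
        # ntpath splits on both "\\" and "/", and ignores a drive prefix.
        name = ntpath.basename(path).lower()
        if name in COMPONENTS:
            found.setdefault(name, []).append(path)
        elif name in CARRIERS:
            carriers.append(path)
    missing = sorted(COMPONENTS - set(found))
    if not missing:
        verdict = "all-components"   # every listed worm component is present
    elif found:
        verdict = "partial"          # e.g. interrupted install or partial cleanup
    elif carriers:
        verdict = "carrier-only"     # SIS received, no installed components seen
    else:
        verdict = "clean"
    return {"verdict": verdict, "found": found,
            "missing": missing, "carriers": carriers}

# Constructed sample listing; the directories are placeholders, not the
# worm's real install locations.
SAMPLE = """\
C:\\example\\inbox\\INBOX.sis
C:\\example\\apps\\Spooky.APP
C:\\example\\apps\\spooky.rsc
C:\\example\\apps\\spooky.mbm
C:\\example\\other\\notes.txt
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["verdict"], "missing:", result["missing"])
```

A "partial" verdict is worth following up, since it can mean that some components were deleted while others remain on the device.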