Mabir is a worm that operates on Symbian Series 60 devices,
the Mabir worm is capable of spreading both over Bluetooth and MMS messages.
When Mabir.A infects a phone it will start searching other phones
that in can reach over Bluetooth and send infected SIS files to the
phones it finds.
The SIS files that files that Mabir.A sends have always the same file name
"caribe.sis". Please note that while Mabir.A uses the name SIS file name
as original Cabir worms, it is different worm than Cabir.
In addition of spreading over bluetooth the Mabir.A will also listen for
any MMS or SMS messages that arrive to the infected phone. And respond to
those messages with MMS message that contains Mabir as "info.sis".
The MMS messages that Mabir sends do not contain any text message, only
the info.sis file
The MMS messages are multimedia messages that can be sent between Symbian
phones and other phones that support MMS messaging. As the name says
the MMS messages are intended to contain only media content, such as
pictures, audio or video, but they can contain anything, including
infected Symbian installation files.
Disinfection
Disinfection
F-Secure Mobile Anti-Virus detects Mabir.A and delete the worm components.
If your phone is infected with Mabir.A and you cannot install files
over bluetooth, you can download F-Secure Mobile Anti-Virus directly
to your phone
1. Open web browser on the phone
2. Go to http://mobile.f-secure.com
3. Select link "Download F-Secure Mobile Anti-Virus" and then select phone model
4. Download the file and select open after download
5. Install F-Secure Mobile Anti-Virus
6. Go to applications menu and start Anti-Virus
7. Activate Anti-Virus and scan all files
After disinfecting you phone, you can remove remaining empty directories by
going to application manager and uninstalling the SIS file in which Mabir.A
arrived (either caribe.sis or info.sis)
Mabir replicates over bluetooth in SIS files that are always named caribe.sis,
the SIS file contains the worm component files caribe.app, caribe.rsc and flo.mdl.
The SIS file contains autostart settings that will automatically
execute caribe.app after the SIS file is being installed, thus starting the worm.
When Mabir worm is activated it will start looking for other
bluetooth devices, and start sending itself to first phone it
finds. If target phone goes out of range or rejects file
transfer, will still try to send messages to the same phone.
Replication over MMS
Mabir replicates over MMS by sending MMS messages that contain
infected SIS file to other users. The MMS messages contain
Mabir SIS file with filename info.sis.
The MMS sending is triggered by MMS or SMS message that arrives to the phone,
causing Mabir to send itself as MMS message to the number from which the
message arrived from. Thus the Mabir tries to fool the receiver that it has
been sent as reply to the message that user sent to the infected phone.
The Mabir worm does not use any texts in the MMS messages it sends.
Infection
When the Mabir SIS file is installed the installer will copy the
worm executables into following locations:
![](/images/pixel.gif"){kind=tracking}
