SymbOS/Cabir.h

Type: Virus
SubType: PDA Device
Discovery Date: 12/27/2004
Length: approx. 7 kB (dropper)
Minimum DAT: 4417 (12/29/2004)
Updated DAT: 4785 (06/15/2006)
Minimum Engine: 5.1.00
Description Added: 12/30/2004
Description Modified: 12/31/2004 4:53 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

New variants of SymbOS/Cabir (h, i, j) have been discovered, all of which are very similar (minor differences between them can be accounted for by recompilation). These new variants are also similar to their predecessors. They bear the following characteristics:

  • use Bluetooth communication to transmit itself from one phone to another in the form of a SIS package (dropper)
  • the SIS package is likely to have the name VELASCO.SIS
  • the manner in which the worm attempts to connect to other devices means it succeeds only against Series 60 phones

Replication has been confirmed on the following devices:

  • Nokia 6600
  • Nokia 3650

The main dropper SIS package for all four variants is detected as SymbOS/Cabir.gen with the DATs listed above. The MDL file each drops and uses is detected as SymbOS/Cabir!ezboot.h or SymbOS/Cabir!ezboot.i (three of the four use the exact same MDL file).

Symptoms

  • Unlike earlier Cabir variants, these latest ones display no popup dialog upon infection. The screen instead shows a "velasco" application header bar with the content of the messaging application underneath.
  • Existence of the following files/directories:
    • c:\system\apps\velasco
    • c:\system\symbiansecuredata\velasco
    • c:\system\recogs\marcos.mdl
  • rapid draining of the phone's battery
  • legitimate Bluetooth communications failing (effectively a denial of service caused by the virus's repeated connection attempts)

Method of Infection

Bluetooth Propagation

The worm attempts to connect to RFCOMM channel 9, which is where the "OBEX Object Push" service listens on Nokia Series 60 devices. It does not use the Service Discovery Protocol (SDP) to look up where the service actually lives, so it fails to transmit itself to Bluetooth devices from other manufacturers (even those that support OBEX transfers) whenever their Object Push service is advertised on a different channel.

If the transfer is accepted (this requires a human to confirm acceptance on the receiving phone), the VELASCO.SIS package is installed on the target device and the worm starts running.
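To make the SDP point concrete, here is an added example (not code from the original description, and not the worm's code) that parses a constructed SDP service record, extracts the RFCOMM channel on which the OBEX Object Push service is actually advertised, and compares it with the worm's fixed channel. The two service records, the `_record` builder and the `CABIR_HARDCODED_CHANNEL` constant are assumptions made for illustration; the data-element encoding is the one defined for SDP in the Bluetooth Core specification.

```python
"""Minimal SDP service-record parser, added to illustrate the lookup Cabir skips.
Constructed records only; nothing here talks to a Bluetooth adapter."""

# Attribute IDs and UUIDs from the Bluetooth assigned numbers.
ATTR_SERVICE_CLASS_ID_LIST = 0x0001
ATTR_PROTOCOL_DESCRIPTOR_LIST = 0x0004
UUID_RFCOMM = 0x0003
UUID_OBEX_OBJECT_PUSH = 0x1105

# Assumption for illustration: the fixed channel the worm connects to.
CABIR_HARDCODED_CHANNEL = 9


def _parse_element(buf, pos):
    """Decode one SDP data element at buf[pos]; return (value, position after it).

    Header byte = type (high 5 bits) | size index (low 3 bits). Size indices 0-4 mean a
    1/2/4/8/16-byte payload; 5-7 mean a 1/2/4-byte length field follows the header.
    """
    header = buf[pos]
    etype, size_idx = header >> 3, header & 0x07
    pos += 1
    if size_idx <= 4:
        length = 0 if etype == 0 else 1 << size_idx   # nil carries no payload
    else:
        n = 1 << (size_idx - 5)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated SDP element")
    body = buf[pos:end]
    if etype == 0:
        return None, end
    if etype in (1, 2):                       # unsigned / signed integer
        return int.from_bytes(body, "big", signed=(etype == 2)), end
    if etype == 3:                            # UUID, 16/32/128-bit
        return ("uuid", int.from_bytes(body, "big")), end
    if etype in (4, 8):                       # text string / URL
        return body.decode("utf-8", "replace"), end
    if etype == 5:                            # boolean
        return body[0] != 0, end
    if etype in (6, 7):                       # sequence / alternative: nested elements
        items, p = [], pos
        while p < end:
            item, p = _parse_element(buf, p)
            items.append(item)
        return items, end
    raise ValueError(f"unsupported SDP element type {etype}")


def parse_service_record(record):
    """A service record is a sequence of alternating attribute IDs and values."""
    attrs, _ = _parse_element(record, 0)
    pairs = iter(attrs)
    return dict(zip(pairs, pairs))


def obex_push_channel(record):
    """RFCOMM channel of the OBEX Object Push service, or None if the record is
    for another service or has no RFCOMM layer in its ProtocolDescriptorList."""
    attrs = parse_service_record(record)
    if ("uuid", UUID_OBEX_OBJECT_PUSH) not in attrs.get(ATTR_SERVICE_CLASS_ID_LIST, []):
        return None
    for layer in attrs.get(ATTR_PROTOCOL_DESCRIPTOR_LIST, []):
        if layer and layer[0] == ("uuid", UUID_RFCOMM) and len(layer) > 1:
            return layer[1]
    return None


def cabir_reaches_push_service(record):
    """What the worm does instead: connect to its fixed channel and hope. It only
    lands on Object Push when the peer happens to advertise that same channel."""
    return obex_push_channel(record) == CABIR_HARDCODED_CHANNEL


def _record(channel):
    """Constructed Object Push record: L2CAP / RFCOMM(channel) / OBEX."""
    return bytes([
        0x35, 0x1E,                                   # sequence, 30 bytes follow
        0x09, 0x00, 0x01,                             # attr 0x0001 ServiceClassIDList
        0x35, 0x03, 0x19, 0x11, 0x05,                 #   { UUID16 0x1105 OBEX Object Push }
        0x09, 0x00, 0x04,                             # attr 0x0004 ProtocolDescriptorList
        0x35, 0x11,                                   #   sequence, 17 bytes follow
        0x35, 0x03, 0x19, 0x01, 0x00,                 #     { UUID16 0x0100 L2CAP }
        0x35, 0x05, 0x19, 0x00, 0x03, 0x08, channel,  #     { UUID16 0x0003 RFCOMM, uint8 channel }
        0x35, 0x03, 0x19, 0x00, 0x08,                 #     { UUID16 0x0008 OBEX }
    ])


NOKIA_S60_RECORD = _record(9)      # constructed: the layout the worm was written against
OTHER_VENDOR_RECORD = _record(4)   # constructed: same service, different channel

if __name__ == "__main__":
    for name, rec in (("Nokia S60", NOKIA_S60_RECORD), ("other vendor", OTHER_VENDOR_RECORD)):
        print(f"{name}: Object Push on RFCOMM channel {obex_push_channel(rec)}; "
              f"Cabir's fixed channel {'hits' if cabir_reaches_push_service(rec) else 'misses'} it")
```

Against a live device the same lookup is what an SDP service search does (for example PyBluez's find_service), which is exactly the step the worm omits; a phone that advertises Object Push on any channel other than 9 is immune to this propagation routine regardless of whether it can accept OBEX pushes.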

Installation

When the main SIS package is installed, the following files are installed onto the device:

  • c:\system\apps\velasco\marcos.mdl (boot hook)
  • c:\system\apps\velasco\velasco.rsc (resource file)
  • c:\system\apps\velasco\velasco.app (application)

When the worm runs, the boot hook file is copied to the correct location:

  • c:\system\recogs

These variants share a bug with the original Cabir: the boot hook does not work on the Nokia 6600 (Series 60 2.x) platform.

The application and resource files are also copied when the worm runs, to the following directory:

  • c:\system\symbiansecuredata\velasco\

These variants also attempt to remove older Cabir variants if they are present on the phone. The following files are deleted if they exist:

  • caribe.app
  • caribe.rsc
  • flo.mdl
  • caribe.sis

from the following directories:

  • c:\system\apps\caribe\
  • c:\system\symbiansecuredata\caribesecuritymanager\
  • c:\system\recogs\
  • c:\system\installs\
  • c:\system\install\
  • c:\nokia\installs\

Additionally, these directories are removed entirely if they are present:

  • c:\system\apps\caribe\
  • c:\system\symbiansecuredata\caribesecuritymanager\

Removal

Clean-up requires a third-party file manager application capable of reading and writing to the system directories to be installed on the phone.

Note that on the Nokia 6600 (and possibly other Series 60 2.x devices) the boot hook does not work. On these devices the worm can be rendered inert simply by rebooting and uninstalling the application. The infected files are left on the drive, but they cannot execute in that state.

  1. Using a file manager, delete the boot hook:
    • c:\system\recogs\marcos.mdl
  2. Reboot
  3. Use the Manager application to uninstall "velasco".
  4. Using a file manager, delete the following directory and all of its contents:
    • c:\system\symbiansecuredata\velasco
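The Symptoms, Installation and Removal sections above amount to a small triage procedure: which Velasco artefacts are present, whether the boot hook has reached c:\system\recogs (so the worm restarts at boot), whether older Caribe remnants are around, and which of the removal steps therefore apply. The following is an added example, not McAfee's tooling, that encodes that procedure over a file listing such as a file manager or backup tool would produce. The sample listing is constructed for illustration, as is the short list of verdict codes.

```python
"""Triage a Symbian C: drive file listing for SymbOS/Cabir.h/i/j (Velasco) artefacts.
Added example; paths come from the description above. Matching is case-insensitive
and slash-insensitive, since Symbian file names are case-insensitive."""

# Where the SIS installs files, where the running worm copies them, and where the
# boot hook has to sit to run at start-up.
VELASCO_APP_DIR = "c:/system/apps/velasco"
VELASCO_COPY_DIR = "c:/system/symbiansecuredata/velasco"
BOOT_HOOK_STAGED = "c:/system/apps/velasco/marcos.mdl"
BOOT_HOOK_ARMED = "c:/system/recogs/marcos.mdl"

# Older-variant (Caribe) artefacts that the Velasco variants try to delete.
CARIBE_FILES = ("caribe.app", "caribe.rsc", "flo.mdl", "caribe.sis")
CARIBE_DIRS = (
    "c:/system/apps/caribe", "c:/system/symbiansecuredata/caribesecuritymanager",
    "c:/system/recogs", "c:/system/installs", "c:/system/install", "c:/nokia/installs",
)


def normalize(path):
    """Lower-case, forward slashes, no trailing slash: C:\\System\\Recogs\\MARCOS.MDL matches."""
    return path.strip().replace("\\", "/").lower().rstrip("/")


def assess_listing(paths):
    """Return a findings dict; 'state' is one of 'armed', 'present' or 'clean' (codes
    chosen for this example)."""
    files = {normalize(p) for p in paths}

    def under(directory):
        return any(f.startswith(directory + "/") for f in files)

    caribe = sorted(
        f for f in files
        if "/" in f
        and f.rsplit("/", 1)[1] in CARIBE_FILES
        and f.rsplit("/", 1)[0] in CARIBE_DIRS
    )
    findings = {
        "velasco_app_installed": under(VELASCO_APP_DIR),
        "velasco_runtime_copy": under(VELASCO_COPY_DIR),
        "boot_hook_staged": BOOT_HOOK_STAGED in files,
        "boot_hook_armed": BOOT_HOOK_ARMED in files,
        "caribe_remnants": caribe,
    }
    if findings["boot_hook_armed"]:
        # Recogniser in c:/system/recogs: restarts at boot on most S60 1.x phones
        # (the description notes the hook is broken on the 6600 / S60 2.x).
        findings["state"] = "armed"
    elif findings["velasco_app_installed"] or findings["velasco_runtime_copy"]:
        findings["state"] = "present"
    else:
        findings["state"] = "clean"
    return findings


def removal_steps(findings):
    """Ordered manual steps from the Removal section that apply to these findings."""
    if findings["state"] == "clean" and not findings["caribe_remnants"]:
        return []
    steps = []
    if findings["boot_hook_armed"]:
        steps.append("delete c:/system/recogs/marcos.mdl with a file manager")
    steps.append("reboot the phone")
    if findings["velasco_app_installed"]:
        steps.append('uninstall "velasco" with the Manager application')
    if findings["velasco_runtime_copy"]:
        steps.append("delete c:/system/symbiansecuredata/velasco and all of its contents")
    for remnant in findings["caribe_remnants"]:
        steps.append(f"delete older Caribe remnant {remnant}")
    return steps


SAMPLE_LISTING = [  # constructed listing for illustration
    r"C:\System\Apps\Velasco\velasco.app",
    r"C:\System\Apps\Velasco\velasco.rsc",
    r"C:\System\Apps\Velasco\marcos.mdl",
    r"C:\System\SymbianSecureData\Velasco\velasco.app",
    r"C:\System\SymbianSecureData\Velasco\velasco.rsc",
    r"C:\System\Recogs\MARCOS.MDL",
    r"C:\System\Recogs\flo.mdl",        # leftover from an earlier Caribe infection
    r"C:\System\Apps\Menu\menu.app",    # legitimate file, must be ignored
]

if __name__ == "__main__":
    result = assess_listing(SAMPLE_LISTING)
    print(result["state"], result)
    for i, step in enumerate(removal_steps(result), 1):
        print(f"{i}. {step}")
```

The listing-based approach is deliberate: on an infected phone the file manager is the only vantage point the description offers, and a listing exported from it (or from a PC backup) can be checked off-device without running anything on the handset.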

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.

Variants

N/A
