
SymbOS/Cabir

Type: Virus
SubType: Worm
Discovery Date: 06/14/2004
Length: 14-15kb
Minimum DAT: 4367 (06/16/2004)
Updated DAT: 4414 (12/14/2004)
Minimum Engine: 5.1.00
Description Added: 06/15/2004
Description Modified: 12/14/2004 10:38 AM (PT)
Risk Assessment:
Corporate User: Low
Home User: Low


Characteristics

-- Update 10 December 2004 --

Several new variants were discovered. They were distributed in two SIS files: "OIDI500.SIS" (9,871 bytes) and "Norton AntiVirus 2004 Professional.SIS" (99,413 bytes). The first package installs the old SymbOS/Cabir.b variant. The second is a multi-dropper: it installs 4 different applications on a mobile device by dropping 3 SIS packages (containing 3 virus variants, one of which is the old .b variant) and several identical applications containing another new virus variant. The names and sizes of the dropped files are:

b: COMCODER.SIS (15,092) CARIBE.APP (11,932)
c: IMAGES01.SIS,002.SIS (15,092) MYTITI.APP (11,932)
d: (YUAN).APP, FILE.APP, SYSTEMEX.APP, SMARTFIL.APP, FEXPLORE.APP, SMARTMOVE.APP (all identical - 11,932 bytes)
e: AUTOEXEC.SIS (15,092) NI_AI-.APP (11,932)

The system hook (FLO.MDL, 2,544 bytes) is used to hook into the startup sequence of the infected mobile device. The virus modifies the contents of "C:\SYSTEM\SYMBIANSECUREDATA"; for details please refer to the removal section.

--

This worm is a proof of concept. It uses Bluetooth communication to transmit itself in the form of a Symbian SIS package from one mobile phone to another. The worm will only work on 'Series60' mobile devices. Propagation was confirmed on Nokia 3650, 6600 and N-Gage.

There are two known variants with the following characteristics (size in bytes):

a: CARIBE.SIS (15,104) CARIBE.APP (11,944)
b: CARIBE.SIS (15,092), CARIBE.APP (11,932)

They have the same functionality and are only different because the shorter variant had a reference to the virus-writing group removed.

These worms do not pose any significant threat because:

  • Bluetooth communication is not usually enabled by default (set to "undiscoverable")
  • the range of transmission is rather short which would seriously inhibit propagation
  • standard Bluetooth pairing mechanism applies (so any non-paired devices need PIN for access)
  • CARIBE.SIS installation file is not signed so the dialog box appears when the worm is sent:

[Image: SIS installer warning dialog]

  • User is prompted to install the worm too:

[Image: user installation prompt]

Symptoms

Periodic Bluetooth activity (every 15-20 seconds) originating from an infected mobile device.

There is no malicious payload. The worm, however, seriously reduces battery life. It also monopolizes the phone's Bluetooth subsystem, denying access to legitimate transfers involving the infected device.

The SIS package installs the following files in SYSTEM\APPS\CARIBE:

  • CARIBE.APP (11,944 or 11,932 bytes)
  • CARIBE.RSC (44 bytes)
  • FLO.MDL (2,544 bytes)

When the worm activates it copies these files into a hidden directory SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\.

Two more files appear on the system:

  • SYSTEM\INSTALL\CARIBE.SIS (SIS installer metafile, 572 bytes)
  • SYSTEM\RECOGS\FLO.MDL (boot hook)

The worm runs immediately after installation (even if the boot hook does not work on a particular 'Series60' phone):

[Image: worm running after installation]
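As an added triage example (not part of the original description), the following Python script checks a file listing taken from a Series60 device against the indicators given above (boot hook path and size, installer metafile, hidden security-manager directory, dropped file sizes) and builds the cleanup order from the removal section. The listing is constructed for illustration, not a real capture.

```python
import re

# Indicators are those given in this description; Symbian paths are
# case-insensitive, so all comparisons are made on upper-cased paths.
BOOT_HOOK = (r"C:\SYSTEM\RECOGS\FLO.MDL", 2544)
INSTALL_META = (r"C:\SYSTEM\INSTALL\CARIBE.SIS", 572)
APP_SIZES = {11944, 11932}   # CARIBE.APP (.a) and the 11,932-byte .b-.e apps
SIS_SIZES = {15104, 15092}   # dropped SIS packages, variants .a and .b-.e
# Hidden working copy: SYSTEM\SYMBIANSECUREDATA\<name>SECURITYMANAGER\...
HIDDEN_DIR = re.compile(
    r"^(C:\\SYSTEM\\SYMBIANSECUREDATA\\[^\\]*SECURITYMANAGER)\\", re.I)


def scan_listing(listing):
    """Classify a listing of (path, size_bytes) tuples against the Cabir
    indicators. Returns strong matches, weak (size-only) matches and an
    ordered cleanup plan that follows the removal steps for variants A-E."""
    strong, weak, hidden_dirs = [], [], set()
    hook_found = False
    for path, size in listing:
        p = path.upper()
        m = HIDDEN_DIR.match(p)
        if (p, size) == BOOT_HOOK:
            strong.append(("boot hook", path))
            hook_found = True
        elif (p, size) == INSTALL_META:
            strong.append(("SIS installer metafile", path))
        elif m:
            strong.append(("hidden copy", path))
            hidden_dirs.add(m.group(1))
        elif p.endswith(".APP") and size in APP_SIZES:
            weak.append(("app size matches", path))   # size alone is weak
        elif p.endswith(".SIS") and size in SIS_SIZES:
            weak.append(("SIS size matches", path))
    plan = []
    if hook_found:
        plan.append("delete " + BOOT_HOOK[0] + " with a file manager")
    plan.append("reboot the device")
    plan.append("uninstall the worm's application with the Manager application")
    for d in sorted(hidden_dirs):
        plan.append("delete all files under " + d)
    return {"strong": strong, "weak": weak, "plan": plan if strong else []}


# Constructed listing for a hypothetical variant .b infection (not a real capture).
SAMPLE_LISTING = [
    (r"C:\System\Apps\Caribe\caribe.app", 11932),
    (r"C:\System\Apps\Caribe\caribe.rsc", 44),
    (r"C:\System\Recogs\flo.mdl", 2544),
    (r"C:\System\Install\caribe.sis", 572),
    (r"C:\System\SymbianSecureData\CaribeSecurityManager\caribe.app", 11932),
    (r"C:\System\Apps\Calendar\calendar.app", 11932),   # benign size collision
    (r"C:\Nokia\Images\photo.jpg", 48213),
]
```

Size-only matches are reported separately because an unrelated file can share a size; only the path-based indicators drive the cleanup plan.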

Method of Infection

When the worm is installed it launches automatically. The worm also hooks into the system boot sequence (via the "MIME Recognizer" mechanism) so that it activates when the mobile device is turned on and displays a message box:

[Image: startup message box]

The worm attempts to connect to RFCOMM port number 9, which corresponds to the "OBEX Object Push" profile on Nokia 'Series60' devices. It does not use the SDP protocol to verify the location of the service, so it will fail to transmit itself to Bluetooth devices from other manufacturers (even those capable of OBEX transfers).

If the transmission is accepted (this requires a human to press "OK"!) the CARIBE.SIS package will be installed on the target device and the worm will start running.

For the worm to operate the device must have AVKON.DLL (standard 'Series60' only library) installed. For other Symbian OSes the library name is EIKON.DLL and that is why the worm will only operate on 'Series60' devices.

Removal

Variants A-B

Cleanup requires that a third party file manager application capable of reading and writing to the system directories be installed on the phone.

Note that on Nokia 6600 (and possibly other Series 60 2.x devices), the boot hook does not work. On these devices the worm can be rendered inert simply by rebooting and uninstalling the application. The infected files will be left on the drive but they cannot be executed in such a state.

To remove the worm the following steps can be taken:

  • Using a file manager remove the boot hook C:\SYSTEM\RECOGS\FLO.MDL

  • Reboot the device

  • Use the "Manager" application to uninstall "Caribe" application

  • Using a file manager remove all files from C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER

Variants C-E

For variants C, D and E the folders to be cleaned within C:\SYSTEM\SYMBIANSECUREDATA\ are:

  • c: MYTITISECURITYMANAGER

  • d: [YUAN]SECURITYMANAGER

  • e: ni&ai-SECURITYMANAGER

Variants L-T

Removing these variants requires a third party file manager application capable of reading and writing to the system directories to be installed on the device.

Note that on the Nokia 6600 (and possibly other Series 60 2.x devices), the worm's boot hook does not work. On these devices, the worm can be rendered inert simply by rebooting and uninstalling the application. The infected files will be left on the drive, but they cannot be executed in such a state.

The following instructions apply to variants L through T. Where (variant specific) is mentioned, please refer to the filenames listed in the characteristics section specific to the variant that has infected your device.

  • Using a file manager, delete the (variant specific) .MDL file located in the following folder:

System\recogs

  • Reboot the device

  • Using a file manager, delete the following directory and all files

System\apps\(variant specific)

Variants

N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Caribe.sis
  • EPOC.Cabir (NAV)
  • EPOC_CABIR (Trend)
  • Symbian.Cabir.gen
  • Symbian/Cabir.a
  • Symbian/Cabir.b
  • Symbian/Cabir.rsc
  • Worm.Symbian.Cabir (AVP)
