SymbOS/Cabir.A!worm

Analysis



Specifics
This proof-of-concept virus targets Series 60 phones (such as the Nokia 3620/3660/6600/6620 and others) and spreads over Bluetooth. It is written for Symbian OS and is designed to load at phone boot-up and send itself to any available devices over Bluetooth. Because it sends itself as a Symbian installation file (CARIBE.SIS), the receiving phone recognizes it as an installable package.

Before the virus can infect a phone, the transfer must first be confirmed by the recipient; the recipient has to accept the virus.


Loading At Nokia Phone Startup
When the virus is received and accepted, the phone may then begin installing the package file. It extracts three files -

File          Install Location
caribe.app    \system\apps\caribe\caribe.app
flo.mdl       \system\apps\caribe\flo.mdl
caribe.rsc    \system\apps\caribe\caribe.rsc

The virus implements "EZBoot" - a method of launching applications during the phone boot process. The virus may also copy its files to these locations -

\system\symbiansecuredata\caribesecuritymanager\caribe.app
\system\symbiansecuredata\caribesecuritymanager\caribe.rsc
\system\symbiansecuredata\caribesecuritymanager\caribe.sis
\system\recogs\flo.mdl


UI Library Implementation
The virus uses libraries from the standard Symbian OS UI in order to function. These libraries include -

APPARC.DLL, APGRFX.DLL - application architecture
APMIME.DLL - MIME recognizer
BAFL.DLL - application utility library
BLUETOOTH.DLL - Bluetooth stack and communications
CONE.DLL, EIKCORE.DLL - user interface control and framework
EFSRV.DLL - file server client
EUSER.DLL - kernel and user library
ESOCK.DLL - sockets and networking
IROBEX.DLL - IrDA (infrared) OBEX stack
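As an added defensive example that is not part of this Fortinet entry, the Python below checks a file listing taken from a Series 60 phone image against the install and copy locations listed above, treats any other recognizer plug-in under \system\recogs as worth review (recognizers in that directory are loaded at start-up, which is what the "EZBoot" mechanism relies on), and flags an application whose import table combines the file-server library with the Bluetooth, IrDA and socket libraries from the list above. The function names, the sample file listing and the sample import table are constructed for illustration.

```python
# Added example for this entry (not Fortinet's code): triage a Symbian file
# listing and an application's import list for the SymbOS/Cabir.A artefacts
# described above. All sample data below is constructed.
import re
from typing import Dict, Iterable, List

# File paths the entry lists for Cabir.A. Symbian paths are case-insensitive,
# so comparison is done on a normalised, lower-cased form.
CABIR_PATHS = {
    r"\system\apps\caribe\caribe.app",
    r"\system\apps\caribe\flo.mdl",
    r"\system\apps\caribe\caribe.rsc",
    r"\system\symbiansecuredata\caribesecuritymanager\caribe.app",
    r"\system\symbiansecuredata\caribesecuritymanager\caribe.rsc",
    r"\system\symbiansecuredata\caribesecuritymanager\caribe.sis",
    r"\system\recogs\flo.mdl",
}

# Recognizer plug-ins (.mdl) under \system\recogs are loaded by the OS at
# boot; that is how the "EZBoot" persistence described above works, so any
# .mdl in that directory deserves a look even if it is not a known Cabir name.
RECOGS_DIR = "\\system\\recogs\\"

# Libraries from the entry's list that give an app file-system access plus
# Bluetooth/IrDA/socket transfer: the combination a self-sending app needs.
PROPAGATION_LIBS = {"efsrv.dll", "bluetooth.dll", "irobex.dll", "esock.dll"}


def normalise(path: str) -> str:
    """Drop a leading drive letter, unify separators, lower-case the path."""
    p = path.strip().replace("/", "\\")
    p = re.sub(r"^[A-Za-z]:", "", p)
    return p.lower()


def find_cabir_artefacts(listing: Iterable[str]) -> Dict[str, List[str]]:
    """Split a file listing into known Cabir paths and other boot recognizers."""
    known = {normalise(p) for p in CABIR_PATHS}
    result: Dict[str, List[str]] = {"known_paths": [], "other_recognizers": []}
    for raw in listing:
        p = normalise(raw)
        if p in known:
            result["known_paths"].append(raw)
        elif p.startswith(RECOGS_DIR) and p.endswith(".mdl"):
            result["other_recognizers"].append(raw)
    return result


def propagation_imports(imports: Iterable[str]) -> List[str]:
    """Return which propagation-relevant DLLs an app imports, sorted."""
    return sorted({name.strip().lower() for name in imports} & PROPAGATION_LIBS)


def triage(listing: Iterable[str], imports: Iterable[str]) -> Dict[str, object]:
    """Combine both checks into one verdict for a phone image / app sample."""
    files = find_cabir_artefacts(listing)
    libs = propagation_imports(imports)
    # Known paths are a firm indicator; the import combination alone is only
    # a heuristic (a legitimate Bluetooth file-transfer app imports the same).
    verdict = "cabir_artefacts_present" if files["known_paths"] else (
        "review_imports" if len(libs) >= 3 else "clean")
    return {"files": files, "propagation_libs": libs, "verdict": verdict}


# Constructed sample data, standing in for a forensic listing of the C: drive
# and for the import table of the extracted caribe.app.
SAMPLE_LISTING = [
    r"C:\system\apps\calendar\calendar.app",
    r"C:\system\apps\caribe\caribe.app",
    r"C:\System\Apps\Caribe\flo.mdl",
    r"C:\system\apps\caribe\caribe.rsc",
    r"C:\system\recogs\flo.mdl",
    r"C:\system\recogs\sample_other.mdl",  # constructed, not a known Cabir file
]
SAMPLE_IMPORTS = ["EUSER.DLL", "EFSRV.DLL", "BLUETOOTH.DLL", "IROBEX.DLL",
                  "ESOCK.DLL", "APPARC.DLL", "CONE.DLL"]

if __name__ == "__main__":
    report = triage(SAMPLE_LISTING, SAMPLE_IMPORTS)
    print("verdict:", report["verdict"])
    for path in report["files"]["known_paths"]:
        print("known Cabir path:", path)
    for path in report["files"]["other_recognizers"]:
        print("boot recognizer to review:", path)
    print("propagation libs:", ", ".join(report["propagation_libs"]))
```

The path match is the reliable signal; the import heuristic is deliberately weak on its own (any legitimate Bluetooth file-transfer application links the same libraries), which is why it only produces a "review" verdict rather than a detection.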



Recommended Action

  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Do not accept unsolicited applications received over Bluetooth, Infrared or other means

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date         Version    Detail
2023-02-27   91.00977
2020-01-06   74.33900   Sig Updated
2019-11-26   73.36400   Sig Updated