SymbOS/Cabir.A!worm
Analysis
Specifics
This proof-of-concept worm targets Series 60 phones (such as the Nokia 3620/3660/6600/6620 and others) running Symbian OS and spreads over Bluetooth. It is designed to load at phone boot and send itself to any discoverable devices in range. Because it is sent as a Symbian installation file (CARIBE.SIS), the receiving phone recognizes it as an installable package.
The worm cannot infect a phone on its own: before it can run, the recipient must accept the incoming file and then confirm its installation.
Loading At Nokia Phone Startup
Once the received package has been accepted, the phone installs it like any other Symbian installation file. The package extracts to three files:

File | Install Location
---|---
caribe.app | \system\apps\caribe\caribe.app
flo.mdl | \system\apps\caribe\flo.mdl
caribe.rsc | \system\apps\caribe\caribe.rsc
The worm implements "EZBoot", a method of starting an application during the phone boot process. It may also copy its files to these locations:
\system\symbiansecuredata\caribesecuritymanager\caribe.app
\system\symbiansecuredata\caribesecuritymanager\caribe.rsc
\system\symbiansecuredata\caribesecuritymanager\caribe.sis
\system\recogs\flo.mdl
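The install locations and copy locations listed above are the on-disk indicators a responder would look for in a phone's file system dump. The following is an added example (not Fortinet's code and not part of the original analysis) that checks a listing of drive-relative paths against those indicators, normalizing case and separators the way Symbian treats them, and separates the \system\apps install from the \system\recogs boot-persistence copy. The sample listing is constructed for the example; the file calendar.app and the recognizer name recmsg.mdl are hypothetical placeholders for legitimate phone files.

```python
import os

# Indicator paths exactly as listed in the analysis above (drive-relative, Symbian form).
INSTALL_PATHS = {
    r"\system\apps\caribe\caribe.app",
    r"\system\apps\caribe\flo.mdl",
    r"\system\apps\caribe\caribe.rsc",
}
COPY_PATHS = {
    r"\system\symbiansecuredata\caribesecuritymanager\caribe.app",
    r"\system\symbiansecuredata\caribesecuritymanager\caribe.rsc",
    r"\system\symbiansecuredata\caribesecuritymanager\caribe.sis",
}
BOOT_PATHS = {
    r"\system\recogs\flo.mdl",
}
ALL_INDICATORS = INSTALL_PATHS | COPY_PATHS | BOOT_PATHS


def normalize(path):
    """Map a path to the canonical form used by the indicator sets.

    Symbian paths are case-insensitive and backslash-separated; a leading
    drive letter (C:, E:) is dropped so indicators match on any drive.
    """
    p = path.replace("/", "\\").strip().lower()
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    if not p.startswith("\\"):
        p = "\\" + p
    return p


def scan_listing(paths):
    """Return which Cabir indicators are present, grouped by what they mean."""
    present = {normalize(p) for p in paths} & ALL_INDICATORS
    return {
        "installed": sorted(present & INSTALL_PATHS),
        "copied": sorted(present & COPY_PATHS),
        "boot_persistence": sorted(present & BOOT_PATHS),
    }


def verdict(paths):
    """Summarize a listing: 'clean', 'installed' (app present) or
    'persistent' (also wired into the recognizer directory used at boot)."""
    result = scan_listing(paths)
    if result["boot_persistence"]:
        return "persistent"
    if result["installed"] or result["copied"]:
        return "installed"
    return "clean"


def scan_directory(root):
    """Walk a mounted or extracted phone file system and scan it.

    Paths are made relative to root and converted to backslash form so the
    same indicator sets apply to a dump extracted on a Linux host.
    """
    listing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            listing.append("\\" + rel.replace(os.sep, "\\"))
    return scan_listing(listing)


# Constructed sample listing: an infected C: drive with two unrelated files mixed in.
SAMPLE_LISTING = [
    "C:\\System\\Apps\\Caribe\\caribe.app",
    "C:\\System\\Apps\\Caribe\\flo.mdl",
    "C:\\System\\Apps\\Caribe\\caribe.rsc",
    "C:\\System\\Recogs\\flo.mdl",
    "C:\\System\\Apps\\Calendar\\calendar.app",  # hypothetical legitimate app
    "C:/System/Recogs/recmsg.mdl",               # hypothetical legitimate recognizer
]

if __name__ == "__main__":
    for group, hits in scan_listing(SAMPLE_LISTING).items():
        print(group, hits)
    print("verdict:", verdict(SAMPLE_LISTING))
```

The recognizer copy in \system\recogs is the interesting hit: an application directory under \system\apps can be left behind by a failed or half-removed install, but an .mdl dropped into the recognizer directory is what makes the worm start again after a reboot, so cleanup has to remove that file as well as the application itself.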
UI Library Implementation
The worm is built on the standard Symbian OS libraries; the ones it imports show how it installs, starts and spreads:

APPARC.DLL, APGRFX.DLL - application architecture (application registration and launching)
APMIME.DLL - MIME recognizer support
BAFL.DLL - basic application utility library
BLUETOOTH.DLL - Bluetooth stack and communications
CONE.DLL, EIKCORE.DLL - user interface control environment and framework
EFSRV.DLL - file server client library (file access)
EUSER.DLL - user library (kernel and base services)
ESOCK.DLL - sockets and networking
IROBEX.DLL - OBEX object exchange (the push mechanism used over IrDA and Bluetooth)
Recommended Action
- Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
- Do not accept unsolicited applications or files received over Bluetooth, infrared or any other means