New Smartphone Worm
Spreads Via MMS, Bluetooth
NAME: Mabir.A
ALIAS: SymbOS/Mabir.A
Summar:
Mabir is a worm that operates on Symbian Series 60 devices, the Mabir worm is capable of spreading both over Bluetooth and MMS messages.
When Mabir.A infects a phone it will start searching other phones that in can reach over Bluetooth and send infected SIS files to the phones it finds.
The SIS files that files that Mabir.A sends have always the same file name "caribe.sis". Please note that while Mabir.A uses the name SIS file name as original Cabir worms, it is different worm than Cabir.
In addition of spreading over bluetooth the Mabir.A will also listen for any MMS or SMS messages that arrive to the infected phone. And respond to those messages with MMS message that contains Mabir as "info.sis".
The MMS messages that Mabir sends do not contain any text message, only the info.sis file
The MMS messages are multimedia messages that can be sent between Symbian phones and other phones that support MMS messaging. As the name says the MMS messages are intended to contain only media content, such as pictures, audio or video, but they can contain anything, including infected Symbian installation files.
Disinfection
F-Secure Mobile Anti-Virus detects Mabir.A and delete the worm components.
If your phone is infected with Mabir.A and you cannot install files over bluetooth, you can download F-Secure Mobile Anti-Virus directly to your phone
1. Open web browser on the phone
2. Go to http://mobile.f-secure.com
3. Select link "Download F-Secure Mobile Anti-Virus" and then select phone model
4. Download the file and select open after download
5. Install F-Secure Mobile Anti-Virus
6. Go to applications menu and start Anti-Virus
7. Activate Anti-Virus and scan all files
After disinfecting you phone, you can remove remaining empty directories by going to application manager and uninstalling the SIS file in which Mabir.A arrived (either caribe.sis or info.sis)
Detailed Description
Replication over bluetooth:
Mabir replicates over bluetooth in SIS files that are always named caribe.sis, the SIS file contains the worm component files caribe.app, caribe.rsc and flo.mdl.
The SIS file contains autostart settings that will automatically execute caribe.app after the SIS file is being installed, thus starting the worm.
When Mabir worm is activated it will start looking for other bluetooth devices, and start sending itself to first phone it finds. If target phone goes out of range or rejects file transfer, will still try to send messages to the same phone.
Replication over MMS:
Mabir replicates over MMS by sending MMS messages that contain infected SIS file to other users. The MMS messages contain Mabir SIS file with filename info.sis.
The MMS sending is triggered by MMS or SMS message that arrives to the phone, causing Mabir to send itself as MMS message to the number from which the message arrived from. Thus the Mabir tries to fool the receiver that it has been sent as reply to the message that user sent to the infected phone.
The Mabir worm does not use any texts in the MMS messages it sends.
Infection
When the Mabir SIS file is installed the installer will copy the worm executables into following locations:
\system\apps\Caribe\Caribe.app
\system\apps\Caribe\Caribe.rsc
\system\apps\Caribe\flo.mdl
When the Mabir.exe is executed it copies the following files:
\system\symbiansecuredata\caribesecuritymanager\Caribe.app
\system\symbiansecuredata\caribesecuritymanager\Caribe.rsc
And rebuilds it's SIS file to:
\system\symbiansecuredata\caribesecuritymanager\Info.sis
After recreating the SIS file the worm starts to look for all visible bluetooth devices and start waiting for arriving SMS or MMS messages.
Detection
F-Secure Mobile Anti-Virus is capable of detecting Mabir with generic detection using databases that were published on March 18th, 2005
Exact detection for Mabir.A was published on April 4th, 2005 in database build number 34.
Write-up: Jarno Niemela April 4th, 2005;
F-Secure Corporation