RealTime IT News

New Cabir Variants are Spreading Fast

Finnish antivirus firm F-Secure has detected two new fast spreading variants of the Cabir virus that infects cell phones using the Symbian operating system.

The company said the new variants, Cabir.H and Cabir.I, have fixed a flaw that slowed the previous Cabir virus from spreading rapidly. The original Cabir, dubbed Cabir.A, moved only to one new phone with each reboot. But the latest versions do not have the same restrictions, and appear capable of spreading to an unlimited number of phones per reboot.

Once a phone is infected, it is is capable of searching for other vulnerable phones using its Bluetooth wireless connection and transmitting a file that contains the network worm, according to F-Secure.

"We are getting into an issue that it is now in the wild and users have told their phones to accept any Bluetooth applications," Travis Witteveen, vice president of Americas for F-Secure, told internetnews.com. Witteveen said the new wrinkle in the worm exploits the very nature of how cell phones are intended to be used.

"When the phones are mobile they constantly are seeing Bluetooth applications and attacking them," he said.

As previously reported by internetnews.com, the Cabir viruses are transmitted as an SIS file (Symbian OS distribution file) and disguised as a Caribe Security Manager utility.

The Symbian OS can be found in some phones made by Nokia, Siemens, Sony Ericsson, Motorola and Panasonic. F-Secure estimates 20 million cell phones use Symbian.

As soon as the virus spots a suitable target, the worm sends itself there as a Bluetooth file transmission and continues to send itself as long as the phone remains in range, said Witteveen. Once the target phone leaves the area, Cabir.H and Cabir.I move on to new targets and continue to spread in that area.

"This means that in conditions where people move around and new phones come in contact with each other, the Cabir.H and Cabir.I can spread quite rapidly. Cabir is a Bluetooth using worm that runs in Symbian mobile phones that support Series 60 platform," F-Secure said in a report.

However, several conditions must exist before it is possible to be infected by Cabir. A cell phone has to be using Symbian Series 60 software and have the Bluetooth wireless feature on "discoverable" mode, said Witteveen.

Although the new Cabirs do not carry a malicious payload, the virus's block all Bluetooth connectivity and will drain a phone battery, according to the F-Secure report.

"These new variants seem to be recompiled versions based on original Cabir source code," F-Secure said. "Which means that the Cabir source code is floating around in the underground. Which is bad news. We didn't know the sources were out there, and we've never seen them."

The Cabir virus first appeared in June, infecting only phones using the Symbian operating system.

F-Secure said the virus made its way into the wild after the writer posted variants on a Web page.