SymbOS.Cabir.M

SymbOS.Cabir.M is a proof-of-concept worm that replicates on Series 60 phones. The worm is a minor variant of SymbOS.Cabir.

The only differences are:

• The worm spreads as free$8.SIS.
• The worm creates the file $$$.MDL instead of FLO.MDL.
• The worm creates the folder C:\SYSTEM\MALAYSIAJOHOR--jb\yuanV3-diy-by-7022207
  instead of C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER.
• The worm displays the following message after infection:
  
  free$8

The worm repeatedly sends itself to the first Bluetooth-enabled device that it can find, regardless of the type of device. For example, even a Bluetooth-enabled printer will be attacked if it is within range.

The worm spreads as a .SIS file, which is installed into the APPS directory. There is no payload, apart from the vastly shortened battery life caused by the constant scanning for Bluetooth-enabled devices.



Symantec recommends the following to protect against this threat:

• If Bluetooth is not required, it should be turned off.
• If you require the use of Bluetooth, ensure that the device's visibility setting is set to "Hidden" so that it can not be scanned by other Bluetooth devices.
• Avoid use of device pairing. If it must be used, ensure that all paired devices are set to "Unauthorized". This requires each connection request to be authorized by the user.
• Do not accept unsigned applications (no digital signature) or applications sent from unknown sources. Be absolutely sure of the origin of the application before accepting it.