Symb/Cabir-I is a worm written specifically for Nokia Series 60 mobile phones running the Symbian operating system.
The worm spreads as a Symbian SIS package named velasco.sis. The package contains the following components extracted to the .\System\Apps, .\System\SYMBIANSECUREDATA\VELASCO and .\System\Recogs:
./system/apps/velasco/marcos.mdl
./system/apps/velasco/velasco.rsc
./system/apps/velasco/velasco.app
./system/SYMBIANSECUREDATA/VELASCO/velasco.rsc
./system/SYMBIANSECUREDATA/VELASCO/velasco.app
./system/SYMBIANSECUREDATA/VELASCO/velasco.sis
./system/Recogs/marcos.mdl
Marcos.mdl is a DLL that uses EZBoot mechanism to attempt to launch Symb/Cabir-I appliction file velasco.app when the device is powered on.
Once running Symb/Cabir-I attempts to send itself to bluetooth-enabled devices found in the proximity of the infected mobile phone. The user of the receiving device has to accept the file and then manually install it in order to infect the phone. Symbian operating system displays several security warnings during the installation of the infected file.