Symb/Cabir-H

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Peer-to-peer
Protection available since	28 December 2004 21:00:40 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

Symb/Cabir-H is a worm written specifically for Nokia Series 60 mobile phones running the Symbian operating system.

The worm spreads as a Symbian SIS package named velasco.sis. The package contains the following components extracted to the .\System\Apps, .\System\SYMBIANSECUREDATA and .\System\Recogs:

./system/apps/velasco/marcos.mdl
./system/apps/velasco/velasco.rsc
./system/apps/velasco/velasco.app
./system/SYMBIANSECUREDATA/VELASCO/velasco.rsc
./system/SYMBIANSECUREDATA/VELASCO/velasco.app
./system/SYMBIANSECUREDATA/VELASCO/velasco.sis
./system/Recogs/marcos.mdl

Marcos.mdl is a DLL that uses EZBoot mechanism to attempt to launch Symb/Cabir-H appliction file velasco.app when the device is powered on.

Once running Symb/Cabir-H attempts to send itself to bluetooth-enabled devices found in the proximity of the infected mobile phone. The user of the receiving device has to accept the file and then manually install it in order to infect the phone. Symbian operating system displays several security warnings during the installation of the infected file.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Sophos blogs

Symb/Cabir-H

Summary

Action

More Information