היום קיבלתי תוך כדי שיחה הודעה למכשיר שלי (נוקיה 6600) שמישהוא מנסה לשלוח לי משהוא דרך בלוטו' אל המכשיר שלי.
עכשיו מה שהדליק לי נורה אדומה זה שברגע שמישהוא רוצה לשלוח למכשיר שלך משהוא דרך בלוטו' חייבים שני המכשירים לתאם סיסמא ביניהם ורק אז מתקבלת הודעה במכשיר שרוצים לשלוח לך הודעה דרך בלוטו' והמכשיר שואל אם לאשר או לא....
בקיצור ולעיניין מה שניסו לשלוח לי זה וירוס שנקרא Caribe.sis, הוירוס שולח את עצמו ממכשיר למכשיר דרך הבלוטו' למכשירים גלוים, נכנס למכשיר ומחפש עוד מכשירים דרכו שניתן לגלות אותם דרך הבלוטו'. כדי להימנע מזה השאירו את המכשירים שלכם לא גלוים או כבו את הבלוטו' שלכם במכשיר והשתמשו בו רק לצורך שלכם ובבקרת שלכם ! ! !
ראו הוזהרתם......
סיקור על הוירוס מאתר F-Secure
http://www.f-secure.com/v-descs/cabir.shtml
Cabir is a bluetooth using worm that runs in Symbian mobile phones that support Series 60 platform.
Cabir replicates over bluetooth connections and arrives to phone messaging inbox as caribe.sis file what contains the worm. When user clicks the caribe.sis and chooses to install the Caribe.sis file the worm activates and starts looking for new devices to infect over bluetooth.
When Cabir worm finds another bluetooth device it willstart sending infected SIS files to it, and lock to that phone so that it won't look other phones even when the target moves out of range.
Please note that Cabir worm can reach only mobile phones that support bluetooth, and are in discoverable mode.
Setting you phone into non-discoverable (hidden) Bluetooth mode will protect your phone from Cabir worm.
But once the phone is infected it will try to infect other systems even as user tries to disable bluetooth from system settings.
When user clicks on the caribe.sis in phone messaging inbox the phone will display a warning dialog
If user clicks yes the phone will ask normal installation question
If user clicks yes the Cabir worm will activate and show a dialog that contains the name that virus author wants to give to the worm and the authors initialias and group initial 29A. Although it seems that in some phone models, for example Nokia 6600 this dialog is not shown.
Disinfection
F-Secure Anti-Virus for Symbian series 60 will detect the Cabir and delete the worm components. After deleting worm files you can delete this directory: c:\system\symbiansecuredata\caribesecuritymanager\
Or you can use our free disinfection tool, available from here as a Symbian SIS installation file which you can download directly to the phone:
1. Open web browser on the phone
3. Select link "Removal tool for Cabir"
4. Download the file and select open after download
5. Install F-Cabir tool
6. Go to applications menu and start F-Cabir
7. Select scan and answer yes when tool asks do you want to disinfect
Or you can download the file from our web site
Or here as a Zipped file:
Alternatively, you can disinfect the system manually by installing a file manager application and manually deleting these files:
c:\system\apps\caribe\caribe.rsc
c:\system\apps\caribe\caribe.app
c:\system\apps\caribe\flo.mdl
c:\system\recogs\flo.mdl
c:\system\symbiansecuredata\caribesecuritymanager\ caribe.app
c:\system\symbiansecuredata\caribesecuritymanager\ caribe.rsc
Replication
Cabir replicates over bluetooth in caribe.sis file that contains the worm main executable caribe.app, system recognizer flo.mdl and resource file caribe.rsc. The SIS file contains autostart settings that will automatically execute caribe.app after the SIS file is being installed.
The caribe.sis file will not arrive automatically to the target device, so user needs to answer yes to the transfer question while the infected device is still in range.
When the Cabir worm is activated it will start looking for other bluetooth devices, and starts sending infected caribe.sis files to the first device it finds. The replication routine in Cabir contains a bug that causes it to lock to first device it finds and it won't look for other devices.
This means that Cabir is capable of sending infected files to only one other device per activation. So Cabir will try to infect one other device when it is activated the first time, and then one more each time when the phone is rebooted.
Also in our tests we found that the newly infected phone will first look for the phone that sent the infected file. So Cabir is capable of spreading widely only in cases where the phone that sent the infected file is out of range before user activates the Cabir in a new phone.
Which means, that while Cabir is capable of spreading in the wild, it would spread quite slowly and would not cause large epidemic.
One curious fact is that in series 60 phones the bluetooth functionality is independent from the GSM side, and if phone is rebooted the cabir will try to spread even if user doesn't enter PIN code.
Infection
When the caribe.sis file is installed the installer will copy the worm executables into following locations:
c:\system\apps\caribe\caribe.rsc
c:\system\apps\caribe\caribe.app
c:\system\apps\caribe\flo.mdl
When the caribe.app is executed it copies the following files:
flo.mdl to c:\system\recogs
caribe.app to c:\system\symbiansecuredata\caribesecuritymanager\
caribe.rsc to c:\system\symbiansecuredata\caribesecuritymanager\
This is most likely done in case user installs the application to memory card.
Then the worm will recreate the caribe.sis file from worm component files and data blocks that are in caribe.app.
After recreating the caribe.sis file the worm starts to look for all visible bluetooth devices and send the SIS file to them.
Detection
Detection for this malware was published on June 15th, 2004 in the following F-Secure Anti-Virus updates:
[FSAV_Database_Version] Version=2004-06-15_01 Detection for F-Secure Anti-Virus for Symbian series 60 has been published at 11:55 on June 15th, 2004 in database build number 7.
ראשי
צ'אט
06-04-2006, 16:54
מצב כלאיים
