NEWS FROM THE LAB - Friday, August 27, 2004

New information about how Cabir spreads. Posted by Jarno @ 13:31 GMT

As seen from the previous blog entries we have received second-hand reports of Cabir being spotted in the Philippines.

So we decided to go into a high-security RF shielded area and do extensive study on how Cabir replicates. And what we found is interesting and changes predictions on how Cabir would spread if it's in the wild.


Operation of Cabir Worm is fully independent from the GSM side of phones based on Symbian Series 60. The worm actually starts spreading even when phone is just started and user has not entered PIN code yet.

However the Cabir worm is capable of sending infected SIS files to only one phone per activation. So when Cabir is installed for the first time or the is phone restarted, the worm will look for the first Bluetooth device it can find and keeps sending repeated messages to that, effectively locking on to that phone.

When Cabir infects another Series 60 phone, this newly infected phone will start sending messages back to the phone that sent it the SIS file, even when the phone is not in range. Thus forming a 'tar pit' so that both infected phones wont look new targets before they are rebooted.

This means that the only scenario where Cabir can spread is that the phone that sent infected SIS file to new target is out of Bluetooth range before user activates the Cabir on the new phone (answers "Yes" to the installation query). This would happen, for example, in a busy street where people walk past
and are out of range before the user of the phone who received Cabir activates it.

Cabir will also try replicate to a new host every time the phone gets rebooted. So SymbOS/Cabir is capable of spreading - but not very quickly.

Cabir can infect only phones that are in discoverable mode, so setting your phone into hidden mode in Bluetooth settings will protect you from Cabir worm.