NEWS FROM THE LAB - Friday, December 3, 2004

Sorting out Cabir/Camtimer mess Posted by Jarno @ 12:01 GMT

The situation with repacked versions of Cabir.B is getting rather confusing. Some companies are talking about Cabir.B being inside the Camtimer.sis file, while others are talking about viruses called "Camtimer.A" and "Camtimer.B". So it's time to bring some order to this mess.

The malware in question here is SymbOS/Cabir.B, which some 'clever' people have packed into different SIS files using a Symbian tool called makeSIS.

Putting something into a SIS file is much like making a Java JAR archive or a Microsoft MSI installation package: you are making an archive file with extra information that is read by the system installer. So repacking Cabir.B into a new SIS file does not make a new Cabir variant, let alone a new piece of malware. The malware is the executable inside the package, and it is the same executable in every one of these packages.

A SIS file contains quite a lot of property information, and one can do interesting things with just a SIS file and no new code at all, as we have seen with Skulls.A and Skulls.B. So it is easy to get confused.

Here's a list of the Cabir.B packages we have seen so far:

1. Original Cabir.B (Caribe.sis)

The Cabir.B executables in their own SIS file, which is what the worm itself sends over Bluetooth.

2. Repack showing the pop-up text "3d_OIDI500 by www.XXX.XXX.cn"

Renames Cabir.app to OIDI500.app and contains an AIF file that changes the Cabir icon to look like a bag of gold. The renaming breaks Cabir.B's functionality: instead of sending copies of itself via Bluetooth, it sends zero-length files.

3. Camtimer.sis

Shows the pop-up text "This is advanced camera timer for your phone". Installs Cabir.B together with the Camtimer camera timer software from Nokia. Cabir.B is not set to start automatically on SIS install and is installed into the wrong directory, so it won't start when the phone reboots. If the user clicks on the icon manually, Cabir will start and will spread as Caribe.sis, which contains only the Cabir.B executables. The same Camtimer.sis file is also found inside Skulls.B's SIS file and is copied into the system when Skulls.B is installed.

4. Another version of Camtimer.sis, which some companies call "Camtimer.B"

We haven't got a sample of this one yet, but it appears to be almost identical to the one described above, except that it installs Cabir.B into the correct directory for it to start automatically. This does not make it a new malware either.
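The point of the list above is that identity belongs to the payload, not to the package around it. The following is an added example, not code from F-Secure or from the post: it models each package as the list of files the installer would write (the real SIS format is not parsed), identifies the family by the hash of the executable regardless of its file name, and reports the packaging details that differ between the repacks (renaming, install directory, whether the installer launches it). Every byte string, file name and install path in it is constructed for illustration; the names KNOWN_PAYLOADS, ORIGINAL_NAME, triage and same_family are this example's own.

```python
"""
Added example, not from the F-Secure post: triage repacked SIS-style
packages by the hash of the executable they carry rather than by the
hash of the package.  The real SIS format is not parsed here; a package
is modelled as the list of files the installer would write, which is
all the argument in the post depends on.  Every byte string, file name
and install path below is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    name: str         # file name inside the package
    install_dir: str  # directory the installer writes it to (constructed)
    data: bytes       # file contents
    run_on_install: bool = False  # installer launches the file after install


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the real binaries; only their hashes matter here.
CABIR_B_APP = b"constructed-cabir-b-executable"
CAMTIMER_APP = b"constructed-nokia-camtimer-application"
GOLD_BAG_AIF = b"constructed-aif-gold-bag-icon"

# Payload hash -> family.  A real table is built from analysed samples.
KNOWN_PAYLOADS = {sha256(CABIR_B_APP): "SymbOS/Cabir.B"}
# File name the payload had in the original package (from the post).
ORIGINAL_NAME = {"SymbOS/Cabir.B": "Cabir.app"}


def package_hash(members):
    """Hash of the whole package: changes with any member, name, path or order."""
    h = hashlib.sha256()
    for m in members:
        h.update(m.name.encode() + b"\0" + m.install_dir.encode() + b"\0" + m.data)
    return h.hexdigest()


def triage(members):
    """Describe what a package carries.  Returns None if no known payload."""
    for m in members:
        family = KNOWN_PAYLOADS.get(sha256(m.data))
        if family is None:
            continue
        return {
            "family": family,
            "payload_name": m.name,
            "renamed": m.name != ORIGINAL_NAME[family],
            "install_dir": m.install_dir,
            "run_on_install": m.run_on_install,
            "extra_files": [x.name for x in members if x is not m],
            "package_sha256": package_hash(members),
        }
    return None


def same_family(*packages):
    """True if every package carries the same known payload family."""
    families = {(triage(p) or {}).get("family") for p in packages}
    return len(families) == 1 and None not in families


# Three packages modelled on the post's list (contents and paths constructed).
CARIBE_SIS = [Member("Cabir.app", r"\system\apps\caribe", CABIR_B_APP, True)]
OIDI500_SIS = [
    Member("OIDI500.app", r"\system\apps\caribe", CABIR_B_APP, True),
    Member("OIDI500.aif", r"\system\apps\caribe", GOLD_BAG_AIF),
]
CAMTIMER_SIS = [
    Member("Camtimer.app", r"\system\apps\camtimer", CAMTIMER_APP, True),
    Member("Cabir.app", r"\system\apps\camtimer", CABIR_B_APP, False),
]

if __name__ == "__main__":
    for label, pkg in [("caribe", CARIBE_SIS), ("oidi500", OIDI500_SIS),
                       ("camtimer", CAMTIMER_SIS)]:
        print(label, triage(pkg))
    print("same family:", same_family(CARIBE_SIS, OIDI500_SIS, CAMTIMER_SIS))
```

All three packages triage to the same family while their package hashes differ, which is exactly why a new SIS wrapper should not get a new malware name. The caveat is that an exact content hash is the narrowest possible match: a repack that patches even one byte of the executable would fall through, which is why scanners match on code signatures rather than whole-file hashes. The unit of identity is still the executable, not the package.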