NEWS FROM THE LAB - Thursday, December 9, 2004

Two new Cabir variants found
Posted by Jarno @ 14:04 GMT

Today we got a sample that contains two new variants of the Cabir worm.

The new variants are Cabir.C and Cabir.D. Both are minor, so-called hex-edit variants: they show different text and use a different filename, but are otherwise identical to Cabir.B.

Cabir.C uses the filename MYTITI.SIS and shows the text MYTITI.

Cabir.D uses the filename [YUAN].SIS and shows the text [YUAN].
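As an added illustration (not F-Secure's code or tooling), a triage check for the hex-edit relationship described above: it compares a known sample with a suspected variant byte for byte and reports whether every difference is a text-to-text replacement. The sample bytes are constructed stand-ins, the base name AAAAAA is a placeholder, and all function names are hypothetical.

```python
"""Triage check: is `variant` a hex-edit of `base` (same bytes, different text)?"""

def diff_regions(base: bytes, variant: bytes, gap: int = 4):
    """Return (offset, old, new) for each run of changed bytes.

    Runs separated by at most `gap` unchanged bytes are merged, so a
    UTF-16 string edit (changed byte, NUL, changed byte, ...) is one region.
    """
    if len(base) != len(variant):
        raise ValueError("a hex-edit keeps the file length; sizes differ")
    spans, start, last = [], None, None
    for i, (a, b) in enumerate(zip(base, variant)):
        if a == b:
            continue
        if start is None:
            start = i
        elif i - last > gap:
            spans.append((start, last + 1))
            start = i
        last = i
    if start is not None:
        spans.append((start, last + 1))
    return [(s, base[s:e], variant[s:e]) for s, e in spans]

def is_text(chunk: bytes) -> bool:
    """Printable ASCII, with NUL allowed for UTF-16 padding."""
    return all(c == 0 or 0x20 <= c < 0x7F for c in chunk)

def looks_like_hex_edit(base: bytes, variant: bytes, max_regions: int = 8) -> bool:
    """True when the files differ only in a few text-to-text replacements."""
    regions = diff_regions(base, variant)
    return (0 < len(regions) <= max_regions
            and all(is_text(old) and is_text(new) for _, old, new in regions))

def make_sample(name: bytes) -> bytes:
    """Constructed stand-in for a sample (not real Cabir bytes)."""
    return (b"\x00\x01\x02\x03" * 8 + name + b".SIS\x00"
            + b"\xde\xad\xbe\xef" * 8 + name + b"\x00")

BASE = make_sample(b"AAAAAA")       # placeholder name for the known sample
VARIANT = make_sample(b"MYTITI")    # text taken from the post
PATCHED = bytearray(VARIANT)
PATCHED[44] ^= 0xFF                 # one non-text byte changed as well
PATCHED = bytes(PATCHED)

if __name__ == "__main__":
    for offset, old, new in diff_regions(BASE, VARIANT):
        print(f"0x{offset:04x}: {old!r} -> {new!r}")
    print(looks_like_hex_edit(BASE, VARIANT), looks_like_hex_edit(BASE, PATCHED))
```

A sample that passes this check can reuse the behavioural analysis of the known variant; one that fails it needs its own review.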

Both Cabir samples arrived in a Symbian installation file named "Norton AntiVirus 2004 Professional.sis", which contains Cabir.B, Cabir.C and Cabir.D. We have named the file SymbOS/Cabir.Dropper.

F-Secure Mobile Anti-Virus detects the Cabir.C and Cabir.D variants with up-to-date databases and already provided detection for Cabir.Dropper.

Tomorrow I will go to the RF-shielded lab and do a more detailed analysis of the new variants.