NEWS FROM THE LAB - Monday, April 4, 2005

Description of Mabir.A published
Posted by Jarno @ 14:08 GMT

A detailed description of Mabir.A is now published.

Basically, Mabir.A is Cabir with added MMS functionality. Both are written by the same author and have very similar code, so it seems that Mabir.A is based on the Cabir source code.

Mabir.A spreads over Bluetooth using the same routine as early variants of Cabir. When Mabir.A activates, it searches for the first Bluetooth phone it can find and starts sending copies of itself to that phone. If the phone Mabir finds goes out of range, Mabir.A still seems to stay locked on to it.

The MMS spreading function of Mabir.A uses a new social engineering technique. Instead of just reading all phone numbers from the local address book, Mabir.A listens for any SMS or MMS messages that arrive on the phone. When a message arrives, Mabir sends itself as an MMS message to the sending phone number, thus posing as a reply to whatever message was sent to the infected phone.

F-Secure Mobile Anti-Virus now has exact detection for Mabir.A, and was able to detect it with generic detection even before we got the sample.