NEWS FROM THE LAB - Monday, October 24, 2005

Cabir.AA and other mobile news Posted by Jarno @ 14:09 GMT

Today we got a sample of new Cabir variant SymbOS/Cabir.AA. Unlike most other Cabir variants, Cabir.AA is not hex edited minor variant of Cabir.A or Cabir.B. Instead, this variant has been recompiled from source code of original Cabir (which has been floating around in the underground). Otherwise Cabir.AA is very similar to other Cabir variants with the exception that it shows a scary bitmap image when the worm starts.

We shot a video in our RF lab of a phone getting infected with Cabir.AA. The video shows two phones being infected, one infected over USB cable and another over Bluetooth from the infected phone. In this video we also have one phone that has F-Secure Mobile Anti-Virus installed, which shows the Anti-Virus detecting and blocking the Cabir, so that user cannot get infected even if he would accept the Blutooth file transfer from infected phone.

Cabir_AA.wmv (30293k file)

Smaller video which has unneccessary waiting removed
cabir_aa_small.wmv (13285k file)

We also have news on Commwarrior front.

In the past couple weeks, we have seen increasing amount of stories in media about people who have had their phones infected with Commwarrior.A or Commwarrior.B. In many cases Commwarrior infection has caused large phone bills due to the amount of MMS messages it sends.

Many new operators have posted warnings about the Commwarrior spreading among users, for example recent warning from TDC mobile.

We also have updated our free F-Commwarrior tool so that now it can also handle Commwarrior.C. Commwarrior.C has quite efficient self protection, and disinfecting it without special tool is rather difficult for normal user.