Mobile virus information

Read about all the different mobile viruses: what they do to your phone, how to remove them from it, which ones are the most evil, etc.
We provide you with up-to-date information about them all! Scroll down to start reading.

Edit: This part of our page is still in the beta phase, so please be patient if you experience problems with this page :-)



CABIR
The Cabir virus infects SYMBIAN phones using the Series 60 platform only!
It spreads using the Bluetooth function in the phones and shows up in the inbox folder as "cabir.sis", the file that contains the virus!
If the user chooses to install the application out of curiosity, the worm instantly starts to look for other units to infect via Bluetooth.
The Cabir worm will try to infect only ONE other Bluetooth unit per reboot. If it succeeds in sending the cabir.sis file to it, it will lock to that phone and then not try to send the file anymore. When the phone is turned off and on again, it will try to infect one more, and so on.

The Cabir virus can ONLY infect phones which are in Bluetooth "discoverable mode"!

To remove the virus, install a file manager application and remove the following files:

c:\system\apps\caribe\caribe.rsc
c:\system\apps\caribe\caribe.app
c:\system\apps\caribe\flo.mdl
c:\system\recogs\flo.mdl
c:\system\symbiansecuredata\caribesecuritymanager\caribe.app
c:\system\symbiansecuredata\caribesecuritymanager\caribe.rsc


Cabir.B
Cabir.B is a variant of the original Cabir. The only difference is that Cabir.B displays a different text in the start dialog when the worm starts for the first time or the phone reboots.

The original Cabir displays "Caribe-VZ/29a" while Cabir.B only displays "Caribe".


Cabir.C
Cabir.C is a variant of the Cabir.B. The only differences are that the Cabir.C displays different text on the start up dialog when the worm starts and that the Cabir.C spreads as MYTITI.SIS instead of Cabir.SIS.

Cabir.C displays "Mytiti" where Cabir.B displays "Caribe".


Cabir.D
Cabir.D is a variant of Cabir.B. The differences are that Cabir.D displays a different text in the start-up dialog when the worm starts and that Cabir.D spreads as [YUAN].SIS instead of Cabir.SIS.


Cabir.Dropper
Cabir.Dropper is a Symbian installation file that installs Cabir.B, Cabir.C and Cabir.D on the device and disables the Bluetooth control application. The original version of Cabir.Dropper is named "Norton AntiVirus 2004 Professional.sis".

Cabir.Dropper installs different Cabir variants into several different places on the file system. Some of the installed Cabirs replace common third-party applications, so if the user has one of those applications installed on his system, it gets replaced with Cabir.D and the application's icon in the menu will go blank.
If a user clicks on one of the replaced icons in the menu, the Cabir.D that has replaced that application will start and try to spread to other Bluetooth devices. If Cabir.D starts, it will spread as Cabir.D ([YUAN].SIS) without the other Cabir variants or Cabir.Dropper.

Cabir.Dropper also installs an autostart component that tries to start Cabir.D when the system reboots, but it fails because the autostart component points to a directory that is not installed on the device.


Cabir.E
Cabir.E is another variant of the Cabir.B worm. The differences are that the Cabir.E displays a different text on the start up dialog when the worm starts and that the Cabir.E spreads as Ni&Ai-.SIS instead of Cabir.SIS.

Cabir.E displays "Ni&Ai-" where Cabir.B displays "Caribe".


Cabir.F
Cabir.F is a variant of Cabir.B. The differences are that the Cabir.F displays a different text on the start up screen when the worm starts and that the Cabir.F spreads as Tee222.SIS instead of Cabir.SIS.

Cabir.F displays "Tee222" where Cabir.B displays "Caribe".


Cabir.G
Cabir.G is a variant of the Cabir.B worm. The only difference is that Cabir.G spreads as SEXXXY.SIS while Cabir.B uses Caribe.sis.


Cabir.H
The Cabir.H worm is a recreation of the original Cabir. The difference is that Cabir.H has a fixed replication routine and is capable of spreading faster.

Cabir.H replicates over Bluetooth and arrives in the phone's inbox as the velasco.sis file that contains the worm. When a user clicks on velasco.sis and chooses to install it, the worm activates and starts looking for new devices to infect over Bluetooth.

When the Cabir worm finds another Bluetooth device, it will start sending the infected SIS file to it, as long as the target phone is in range. Unlike earlier versions of Cabir, Cabir.H is capable of finding a new target after the first one has gone out of range. Cabir.H will spread much faster than previous variants.


Cabir.I
Cabir.I is a variant of Cabir.H. It is functionally identical to Cabir.H, except that the I version is re-done and uses a different binary.


Cabir.J
Another re-coded version, like Cabir.I.


Cabir.K
Another re-coded version, like Cabir.I.


Cabir.L
Cabir.L is another version of the Cabir.B worm. The differences are that the Cabir.L displays a different text on the start up screen when the worm starts and that the Cabir.L spreads as Skulls.SIS instead of Cabir.SIS.

Cabir.L displays "Skulls" while Cabir.B displays "Caribe".


Cabir.M
Cabir.M is a variant of the Cabir.B worm. The only differences are that Cabir.M displays a different text on the start-up screen when the worm starts and that Cabir.M spreads as free$8.SIS instead of Cabir.SIS.

Cabir.M displays "free$8" while Cabir.B displays "Caribe".



DUTTS
The Dutts virus only infects Windows CE devices.
It's a "proof of concept" virus that asks for permission to infect the PDA. Not considered dangerous.

When the virus is launched it will prompt the user with "Dear User, am I allowed to spread?" - Just answer NO, and you don't have to think about it anymore :)

Dutts infects files larger than 4096 bytes, and only in the "My Device" root. Therefore it's easy to remove yourself with a file manager. Just delete all the files there.



LASCO.A
Lasco.A is a worm that only affects cellular phones that use the Symbian operating system. It targets Nokia Series 60 mobile phones, but other devices based on the same software could also be affected.

Lasco.A is very similar to the Cabir.A worm. The main difference is that, in addition to spreading via Bluetooth, Lasco.A also inserts itself into all the SIS files it finds on the affected phone, so that when a user runs a modified installer, it also installs this worm.

However, keep in mind that Lasco.A needs the user's acceptance in order to run on the cellphone. Before the file is installed, the user receives a security warning.

Lasco.A creates the following files in the cellphone:

- velasco.rsc, velasco.app and marcos.mdl in the directory c:\system\apps\velasco.
- velasco.app, velasco.sis and velasco.rsc in the directory c:\system\symbiansecuredata\velasco.
- marcos.mdl in the directory c:\system\recogs.
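
The Cabir removal list and the Lasco.A file list above can be checked against a file listing taken from the phone, for example to confirm that a manual removal left nothing behind. The script below is an added example, not part of the original page or its sources; the listing format (one full path per entry) and the status names are assumptions.

```python
import re

# Artefact paths exactly as listed on this page, grouped by family.
ARTEFACTS = {
    "Cabir": (
        r"c:\system\apps\caribe\caribe.rsc",
        r"c:\system\apps\caribe\caribe.app",
        r"c:\system\apps\caribe\flo.mdl",
        r"c:\system\recogs\flo.mdl",
        r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.app",
        r"c:\system\symbiansecuredata\caribesecuritymanager\caribe.rsc",
    ),
    "Lasco.A": (
        r"c:\system\apps\velasco\velasco.rsc",
        r"c:\system\apps\velasco\velasco.app",
        r"c:\system\apps\velasco\marcos.mdl",
        r"c:\system\symbiansecuredata\velasco\velasco.app",
        r"c:\system\symbiansecuredata\velasco\velasco.sis",
        r"c:\system\symbiansecuredata\velasco\velasco.rsc",
        r"c:\system\recogs\marcos.mdl",
    ),
}

def normalise(path):
    """Lower-case, use backslashes and collapse repeated separators."""
    return re.sub(r"\\+", r"\\", path.strip().replace("/", "\\").lower())

def triage(listing):
    """Return {family: (status, artefact paths still present)}."""
    present = {normalise(p) for p in listing if p.strip()}
    report = {}
    for family, paths in ARTEFACTS.items():
        left = [p for p in paths if p in present]
        if not left:
            status = "clean"
        else:  # "partial": some files are gone but removal is incomplete
            status = "all-present" if len(left) == len(paths) else "partial"
        report[family] = (status, left)
    return report

# Constructed listing (hypothetical export): Cabir only partly removed.
SAMPLE = [
    "C:/System/Recogs/flo.mdl",
    "C:\\System\\SymbianSecuredata\\CaribeSecurityManager\\CARIBE.APP",
    "C:\\System\\Apps\\Camera\\Camera.app",
]

if __name__ == "__main__":
    for family, (status, left) in triage(SAMPLE).items():
        print(family, status, left)
```

A "partial" result means some of the listed files are still on the phone and the removal should be finished.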




MGDROPPER
This virus only infects Symbian devices.
It goes under the name of METAL Gear.sis (Like the famous game Metal Gear Solid) and includes two things.

First, a trojan called Metal Gear.a, whose job is to disable specific installed anti-virus and file browsing applications. After that is done, it installs a version of the already known Cabir worm.
This Cabir worm now has the job of spreading the second file included in the .sis file, called SEXXXY.a. If SEXXXY.a gets installed on a phone, it will spread to other phones that are in discoverable mode, and if installed it will disable the Symbian application button on the phone.

In this way it can prevent the user from installing any application that could actually help remove the virus!



MOSQUITO
The virus infects Symbian phones!
"Mosquito" is a game for Symbian phones that you can buy, but on P2P services there is a cracked version of it... which has the virus in it!

The Mosquito virus is an extremely evil one of its kind. When you play the cracked game, text messages are continuously being sent from your phone to numbers in the United Kingdom, Germany, the Netherlands and Switzerland!

It quickly gets REALLY expensive to play the game; better to buy the original then ;)
To get rid of the virus... DON'T play the game! If you know it's the cracked version, just delete it. There is nothing dangerous in playing the original game.



SKULLS
Infects Symbian phones!
This virus replaces all the icons on your phone with "skulls" and deactivates all menus on your phone. Only incoming calls will work on infected phones.

On the internet and P2P services Skulls is called "Extended Theme Manager", so be aware of that name!
To remove the virus you will need to HARD RESET your phone.


Skulls.B
This virus infects Symbian phones and does the same as "Skulls".
The only (and big!) difference is that it spreads like the Cabir worm by Bluetooth, making it able to spread by itself without the user's permission to install it.

To avoid this virus, put your Bluetooth phone in "Hidden" mode so the Cabir virus can't find it. If you have been infected, you will need to hard reset your phone to get rid of it, just like normal "Skulls".


Skulls.C
Skulls.C is a variant of Skulls.A, which has the same functions as Skulls.A but uses different files.

Skulls.C is a SIS file trojan that replaces the system applications with non-functional applications, drops the Cabir.F worm onto the phone and disables third-party applications that could be used to disinfect it.
The Cabir.F dropped by Skulls.C does not activate automatically, and will not activate on reboot. The only way the dropped Cabir worm can activate is if the user goes to the icon of the dropped Cabir file and runs it from there.

The original Skulls.C SIS file is named "Skull.sis". Unlike Skulls.A, the Skulls.C variant does not show any pop-up messages during install (except the "Installation security warning - unable to verify supplier" message shown by the operating system).

Like Skulls.A, Skulls.C replaces the application icons with a skull icon, this time so that each replaced application has the caption "Skulls".

If Skulls.C is installed, only calling from the phone and answering calls work. All functions which need some system application, such as SMS and MMS, web browsing and camera, will no longer function.


Skulls.D
Skulls.D is a SIS file that pretends to be Macromedia Flash player. Skulls.D drops the Cabir.M worm onto the phone, disables some system applications and third-party applications needed to disinfect it, and displays an animation that shows a flashing skull picture.

Unlike earlier Skulls trojans, Skulls.D disables only a few phone system applications. The only system applications that are disabled are the ones that are needed to disinfect it. The third-party applications disabled by Skulls are ones that a user would need to disinfect the phone.
However for some reason Skulls.D copies the replacement files to the device memory card.
The Cabir.M dropped by Skulls.C does not activate automatically, but will activate on reboot.

Skulls.D also drops another application that will activate on reboot. This application displays a flashing skull picture in the background, no matter what application the user is trying to use.



All this information is a collection from various sources. Please visit:

F-Secure.com, Panda Antivirus, Kaspersky.com and My-Etrust.com.


www.seunlock.dk Copyright Wickings Network 2002-2005 All rights reserved!