Caribe
Caribe
Type Network worm
Creator Vallez
Date Discovered 2004.06.14
Place of Origin France
Source Language C++
Platform SymbianOS
File Type(s) .sis, .app
Infection Length 15,092 bytes
Reported Costs

Caribe is the first worm capable of spreading by Bluetooth as well as the first Symbian worm. Its creator is Vallez of the famous virus coding group 29A.

Behavior

Caribe arrives on a system from a Bluetooth connection. Once the user has accepted the connection downloaded the worm, the worm will ask if the user wants to run it.

When executed, Caribe displays a message on the screen saying "Caribe - VZ/29a" or simply "Caribe". It creates a folder in the \system\apps directory named caribe and installs the files caribe.app, flo.mdl and caribe.rsc. It also creates the directory caribesecuritymanager in the \system\symbiansecuredata directory. When caribe.app is executed, it installs the files caribe.app, caribe.rsc and caribe.sis. It also places the file flo.mdl in the \system\recogs directory.

Every time the phone is switched on, Caribe will search for active Bluetooth connections. It sends itself to the first connection shown. Caribe will not look for another phone to infect until the phone is turned off then on again. It will spread even if the user disables Bluetooth. The worm's constant scanning for connections may cause the battery to drain rapidly.

Origin

Caribe was created by Spanish virus coder Vallez of the group 29A. Other interesting self-replicators he has created inculde Cannabyte and Ladymarian. It was published in the 8th and final issue of 29A magazine. An unidentified man was arrested in Spain for creating several variants of the worm, along with Commwarrior. It is unknown if this was Vallez.

Effects

Dozens of phones at the Athletic's World Championship in Helsinki in early August 2005 were infected with Caribe. Security officials attributed this to the fact that so many people were crowded into a stadium, all in close proximity to each other. In addition, it was in Finland, the home of Nokia, the largest distributor of the Symbian operating system.

The worm infected 115,000 phones in Spain. A man was arrested in Valencia, Spain in June 2007 for the worm. It is not known if this was Vallez, as the man was never identified. The man was known to have created several different variants of Caribe and Commwarrior.

Sources

Kaspersky Lab. Securelist, Worm.SymbOS.Cabir.a. 2004.06.15

Alexander Gostev. Kaspersky Blog, Mobile Malware Evolution: An Overview, Part 1. 2006.09.29

F-Secure, Bluetooth-Worm:SymbOS/Cabir.

McAfee Antivirus, SymbOS/Cabir. 2004.06.15

Gregg Keizer. Computerworld UK, Police seize 'virus writer' after 115,000 phones infected. 2007.06.26

John Leyden. The Register, Cabir mobile worm gives track fans the run around. 2005.08.12

48 Bits, 48bits interviews : Vallez/29A. 2008.04.22

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License