More details are emerging about what may be the first mobile phone worm.
Kaspersky Labs Ltd., a Moscow antivirus vendor, reported the find on Monday, and short news reports began appearing thereafter. Now, Network Associates Inc.’s McAfee division has posted a profile of the worm, dubbed Cabir — although the screen display is “Caribe”.
McAfee’s profile rates the worm as a low risk for both home and corporate users. Network World reported on potential mobile phone threats last fall.
The worm was written for mobile phones running the Symbian operating system, and uses a Bluetooth wireless connection to access a device. Specifically the worm could run on any Series 60 phone — from Siemens AG, Nokia Corp. and others that have Symbian OS 6.1 or higher. McAfee has confirmed propagation on the Nokia 6600 and 3650 devices.
The F-Secure Corp. Weblog confirms that the worm seems to infect any Series 60 phones regardless of manufacturer.
There is no malicious payload, though the worm copies three files into a hidden directory. It displays “Caribe” or “Caribe-VZ-29A” on the screen, the latter a reference to a virus writer using the name Vallez, a member of the 29a group of virus writers. According to the Kaspersky Labs site, the group is responsible for the Cap, Stream, Donut, and Rugrat viruses. Each is a first of its kind: Donut was the first virus for .Net, Rugrat the first Win64 virus.
However, Cabir is not completely harmless: it seeks to transmit itself to any other Bluetooth-equipped Symbian device within range, and the “worm activity seriously reduces battery life,” McAfee reports.
The company rates the risk low because Bluetooth has to be deliberately activated by a mobile phone user, and accepting the Caribe package requires pressing a button before the files can be loaded into the receiving phone.