Just what we don't need: the first known worm to target smart phones, even if the worm itself is said to present little enough threat. But antivirus companies are warning that Cabir, the name given by a Russian antivirus maker, could prove to be the first of a new breed of cyberworms.
"I don't think [Cabir itself] will spread," Network Associates vice president for antivirus emergency response Vincent Gullotto told ZDNet News, adding he believed the group who made the worm has a thing for "concept viruses" and "probably just wanted to show that it could work."
In fact, according to ZDNet, Cabir's makers sent a copy of the worm to a number of antivirus companies. The tech news site said the worm doesn't do anything other than spread – using the Bluetooth short-range wireless feature of those smart phones running the Symbian operating system to detect other Symbian phones, transferring to new hosts by way of a package file – and hasn't yet been spotted among the public's phones.
Gullotto said other worm and virus writers might use Cabir as a launching pad for their own development. Kaspersky and other antivirus makers so far have found no malicious payload in this apparent prototype.
"EPOC.Cabir is a proof-of-concept worm that replicates on Nokia Series 60 phones," said an advisory from Symantec, the makers of Norton Antivirus. "It repeatedly sends itself to the first Bluetooth-enabled device that it can find, regardless of the type of device (i.e., even a Bluetooth-enabled printer will be attacked if it is within range).
"The worm spreads as a .SIS file, which is automatically installed into the 'APPS' directory when the receiver accepts the transmission," the Symantec advisory continued. "Upon execution, it will display a message then copy itself to a directory that is not visible by default. The worm runs from this directory whenever the phone is rebooted, so it continues to work even if the files are deleted from the APPS directory."
Symantec said it has detected 49 Cabir infections through this writing, with the worm assessed as low distribution, low if any damage, and easy containment.
Kaspersky said Cabir was created by a writer using the computer name Vallez, a pseudonym the company believes to be used by the 29a group of international virus writers.
"The group specializes in creating proof-of-concept viruses," Kaspersky said in a Cabir advisory. "Among the group's creations are Cap, the first macro virus to cause a global epidemic; Stream, the first virus for additional NTFS streams; Donut, the first virus for .NET and Rugrat, the first Win64 virus."
