Two new Cabir variants found



WPW_Feedbot
12-14-2004, 10:50 AM

Today we got a sample that contains two new variants of the Cabir (http://www.f-secure.com/v-descs/cabir.shtml) worm.

The new variants are Cabir.C (http://www.f-secure.com/v-descs/cabir_c.shtml) and Cabir.D (http://www.f-secure.com/v-descs/cabir_d.shtml). The variants are minor so-called hex-edit variants, which means that while they show different text and use a different filename, they are otherwise identical to Cabir.B (http://www.f-secure.com/v-descs/cabir_b.shtml).

Cabir.C uses the filename MYTITI.SIS and shows the text MYTITI.

Cabir.D uses the filename [YUAN].SIS and shows the text [YUAN].

Both Cabir samples arrived in a Symbian installation file named "Norton AntiVirus 2004 Professional.sis", which contains Cabir.B, Cabir.C and Cabir.D. We have named the file SymbOS/Cabir.Dropper (http://www.f-secure.com/v-descs/cabir_dropper.shtml).

F-Secure Mobile Anti-Virus (http://www.f-secure.com/estore/avmobile.shtml) detects the Cabir.C and Cabir.D variants with up-to-date databases and already provided detection for the Cabir.Dropper.

Tomorrow I will go to the RF shielded lab and do more detailed analysis on the new variants.

On 09/12/04 at 02:04 PM

Read more... (http://www.f-secure.com/weblog/#00000385)