Today we got a sample that contains two new variants of the Cabir worm.

The new variants are Cabir.C and Cabir.D. They are minor, so-called hex-edit variants, which means that while they show different text and use a different filename, they are otherwise identical to Cabir.B.

Cabir.C uses the filename MYTITI.SIS and shows the text MYTITI.

Cabir.D uses the filename [YUAN].SIS and shows the text [YUAN].

Both Cabir samples arrived in a Symbian installation file named "Norton AntiVirus 2004 Professional.sis", which contains Cabir.B, Cabir.C and Cabir.D. We have named the file SymbOS/Cabir.Dropper.

F-Secure Mobile Anti-Virus detects the Cabir.C and Cabir.D variants with up-to-date databases and already provided detection for the Cabir.Dropper.

Tomorrow I will go to the RF-shielded lab and do a more detailed analysis of the new variants.

On 09/12/04 At 02:04 PM
