Nokia Series 60 Worm

EPOC.Cabir is a proof-of-concept worm that replicates on Nokia Series 60 phones. It repeatedly sends itself to the first Bluetooth-enabled device that it can find, regardless of the type of device (ie even a Bluetooth-enabled printer will be attacked if it is within range).

The worm spreads as a .SIS file, which is automatically installed into the “APPS” directory when the receiver accepts the transmission. Upon execution, it will display a message then copy itself to a directory that is not visible by default. The worm runs from this directory whenever the phone is rebooted, so it continues to work even if the files are deleted from the APPS directory.

Once the worm is running, it will constantly search for Bluetooth-enabled devices, and send itself to the first device that it finds. There is no payload, apart from the vastly shortened battery life caused by the constant scanning for Bluetooth-enabled devices.

Symantec Link