Cabir mobile phone virus spreads to France, Japan

Mobile phones infected with the Cabir virus have turned up in Japan and France, according to antivirus software company F-Secure of Helsinki.

The new infections bring the number of countries where Cabir infections have been reported to 16. But Cabir is still a slow-spreading and relatively rare virus that is unlikely to affect most mobile phone users, said Mikko Hyppönen, manager of antivirus research at F-Secure.

An F-Secure office in Japan reported that a Japanese visitor to Hong Kong in February had a Vodafone Group 702NK mobile phone that was infected with Cabir. The person returned to Tokyo with the infected phone, then brought it to a repair shop after noticing a marked decrease in battery life, according to an entry posted on F-Secure's Web page.

Also in February, a visitor to the 3GSM World Congress in Cannes reported another Cabir infection, according to F-Secure, which sells an antivirus software product for mobile devices and relies on reports from users who have been infected to track Cabir's spread, the company said.

Cabir spreads on phones that run the Symbian operating system and are equipped with Bluetooth wireless connections, including Series 60 phones from a number of manufacturers, such as Siemens, Nokia, and others. The virus first appeared last June as a "proof of concept" released by virus writing group 29a.

Cabir does not install malicious software on machines it infects, but does modify the configuration of infected phones, copy itself into hidden directories on the phones and display "Caribe" or "Caribe-VZ-29A" on the screen, F-Secure said.

In August 2004 the first Cabir infections were first reported in the Philippines. Since then, the virus spread from to Singapore, the United Arab Emirates, China, India, and 12 other countries. The first Cabir infections in the U.S. were reported in February.

Travellers who contract Cabir in a foreign country, then return home with it on their phone are responsible for the virus' transcontinental spread, Hyppönen said.

Despite its global reach, Cabir is ineffective at spreading, especially when compared to its virulent cousins that spread using e-mail or from machine to machine on the Internet, Hyppönen said.

"The fact that we're seeing these infections doesn't mean much. Cabir is a lousy spreader compared to any e-mail or network virus. This virus has been around nine months and has spread to just 16 countries. Any e-mail worm could do that in 10 minutes," he said.

To get infected, mobile phones must be running the correct version of the Symbian operating system, have the Bluetooth wireless communications feature enabled and set to listen for other Bluetooth devices, and be within broadcast range of a phone infected with Cabir. Even then, the phone's owner must click multiple times to download the Cabir file and install it on their phone, according to F-Secure.

In most cases, those who have had phones infected with Cabir recall receiving a number of error and warning messages in the weeks before their phone was diagnosed. In most cases, the users clicked on those messages until they stopped appearing, basically granting permission for the virus to be installed. The most noticeable symptom of infection is a marked reduction in battery life, from days to as little as 30 minutes, which renders the phone useless, Hyppönen said.

However, Cabir also proves that mobile devices are an effective platform for distributing malicious software. A virus that spread through mobile devices using the popular SMS (Short Message System) technology or used a phone's address book to locate victims could spread much more quickly than Cabir, he said.

Unlike Microsoft and other operating system providers, most mobile phone manufacturers do not have a system for quickly distributing software updates to their customers. Instead, those infected with mobile phone viruses usually have to bring their phone into a licensed repair shop to have the software update installed, he said.