Cabir is the first known virus/worm that uses Bluetooth as an infection vector. While the worm itself is basically harmless, it has created a whirlwind of discussion and theories about the end of the virus-free mobile phone era. Fortunately, this proof-of-concept code was supposedly released only to antivirus and mobile device vendors by 29A Labs, a team that researches virus-creation techniques. However, when an antivirus vendor with a legitimate research interest approached 29A, "all they gave us was the finger."
As a humorous side note, 29A, converted from hex to decimal, becomes 666.
Regardless of intent, the author of Cabir, ValleZ, is a new member at 29A Labs. In addition to writing eye-opening proof-of-concept worms, ValleZ has also written a very intriguing and thought-provoking article called "Genetic Programming in Virus," in which he describes the theoretical process behind creating a male and female virus that interact to create unique offspring capable of creating offspring of their own. If this type of virus is ever created, 29A Labs will be making more headlines!
Cabir is a worm/Trojan by definition. Once a device is infected, it scans the airwaves for other Bluetooth-enabled devices until it finds one (and only one). It then tries to send the new target device a copy of the virus. The victim is then prompted with a dialog box asking whether to accept the incoming file. If the victim accepts, the file transfers and another prompt is presented warning the victim that no supplier could be verified. If the victim hits the Yes key, the device will prompt the victim one final time about whether to install the program. At this point, the device is infected.
Once the device is infected, Bluetooth is enabled on it, in case the file was downloaded or transferred via an alternate route. Then a splash screen is presented on the victim's device with the message "Caribe-VZ/29a." Finally, the infected device starts scanning for any new Bluetooth-enabled devices that it can infect.
Cabir will transfer the file only once. In addition, only Nokia Series 60 phones appear to be vulnerable, at least according to an internal memo written by Symbian. Finally, this worm requires user interaction three separate times, which means that it would take a naïve user with a complete lack of virus knowledge for Cabir to spread.
In summary, Cabir represents a new infector. Because the virus exploits no vulnerability on the target device, Cabir is only a threat to uneducated users. Despite this limitation, the concept of using Bluetooth as a vector for virus/worm propagation is bound to show up in other viruses. However, if you follow the PC rule "Don't open anything from anyone unless you're expecting it," becoming a victim of this Bluetooth virus is not something you have to worry about.