The story of the Cabir worm started with a press release from Russian anti-virus firm Kaspersky Lab on Monday 14th June. The original posting (which has now been updated) make several claims which gave the impression that Cabir was an active worm “detected” by the company that disguised its self as “part of the telephone security software” and under this guise “penetrates the system.” The report did not explain that Cabir, actually called Caribe by the writer, to infect a phone needed the target phone to have Bluetooth in discoverable mode and for the user of that phone to accept the transmission, open and install the file despite the user being given several warnings. At best the report was incomplete at worst it was simply wrong, however it did not take much for the story to snowball from there.

One of Kaspersky Labs claims did not last long. The idea that the worm had been detected was soon dismissed with the first news stories noting that the worm had actually been delivered to a number of anti-virus software vendors and that no “wild” infections had been identified. However even as late a Friday of last week geek.com was still reporting that Cabir had been “discovered in the wild” and “spreads prolifically.” Worse still “this means that if you have a vulnerable phone, you need only walk near someone else with an infected phone to become infected yourself.”

The lack of early information on the transmission mechanism lead to several stories, such as the one on BruneiDirect.Com which stated that the worm “installs itself automatically on the system”, suggesting that like PC based worms there was no warning to the user that the worm was attacking their phone.

Similarly ZDNet reported that “the phone that received the program installs the application, thus infecting itself” again implying that the process was transparent. Even worse “this worm, however, mostly takes advantage of the amount of trust the Symbian operating system invests in other Symbian-based smart phones" which is odd given that Series 60 devices ask whether the user wants to accept a download (unless they have paired and authorized the other device).

Another interesting misconception, which again originated in the original Kaspersky posting, was that the virus “disguised as part of the phone's own security software” this time from the Gulf News which GSMBox.co.uk took one step further noting that the worm took “advantage of a vulnerable part of the telephone’s security software.”

Again the original report also had InfoSyncWorld.com we found that the “worm modifies the Symbian operating system so that Cabir is started each time the phone is turned on” which picks up Kaspersky Labs original assertion although it is simply using the operating system feature to launch applications at boot.

But it was not all bad and we must give credit to ZDNet in that they corrected their early errors in an updated report which included perhaps the most measured comment on the whole affair from Kevin Hogan, senior manager for security company Symantec who said “It is not relying on a vulnerability in the operating system; it is relying on the underlying vulnerability of the person who is using.” ZDNet also picked up on the fact that in the not too distant future similar attempts to create malicious code would be “stymied” by eweek.com.

It is interesting that in the first instance none of the household name virus companies took any notice of Cabir, their alert postings followed the claims by Kaspersky Lab by some little while. Would the story have generated the same level of interest if Kaspersky Labs had included full details of the worms transmission mechanism and got their other facts right. We believe that it would not.

As an aside one of the most interesting leaps in logic, but not directly about Cabir, was made by enterpriseITplannet.com who obviously figured that they had not seem many Symbian OS phone nor many Bluetooth phones either so concluded “the worm needs a phone based on the Symbian OS for mobile gadgets and a Bluetooth radio to work. Not all have either/or, much less a combination of both.”

For all the facts on Cabir see http://www.symbian.com/press-office/2004/pr040618.html.