Threat Description

Bluetooth-Worm:SymbOS/Commwarrior.B

Details

Aliases: SymbOS/Commwarrior.B
Category: Malware
Type: Bluetooth-Worm
Platform: SymbOS

Summary



A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.



Removal



Automatic Disinfection

F-Secure Mobile Anti-Virus will detect both Commwarrior variants and delete the worm components.

Note

After disinfecting the phone, remove the remaining empty directories by going to Application Manager and uninstalling Commwarrior's SIS file.

Alternative Installation of F-Secure Mobile Anti-Virus and Disinfection

If files cannot be installed over Bluetooth, F-Secure Mobile Anti-Virus can also be downloaded directly to the phone:

  1. Open the web browser on the phone
  2. Go to http://mobile.f-secure.com
  3. Select the link "Download F-Secure Mobile Anti-Virus" and then select the phone model
  4. Download the file and select open after download
  5. Install F-Secure Mobile Anti-Virus
  6. Go to the applications menu and start Anti-Virus
  7. Activate Anti-Virus and scan all files
  8. Reboot your phone to kill the Commwarrior process that is still running


Technical Details



Bluetooth-Worm:SymbOS/Commwarrior.B operates on Symbian Series 60 devices and is capable of spreading over both Bluetooth and Multimedia Messaging (MMS) networks.

Commwarrior.B is closely related to the Commwarrior.A variant. The only significant difference is that, unlike Commwarrior.A, Commwarrior.B does not check the system clock when deciding which replication method to use.

Installation

Commwarrior.B is delivered in an infected SIS file. On receiving the file, the user is prompted to install the file, as seen in the screenshot below:

When the SIS file is installed, the installer copies the worm executables to the following locations:

  • \system\apps\CommWarrior\commwarrior.exe
  • \system\apps\CommWarrior\commrec.mdl

When Commwarrior.exe is executed it copies the following files:

  • \system\updates\commrec.mdl
  • \system\updates\commwarrior.exe

And rebuilds its SIS file to:

  • \system\updates\commw.sis

After recreating the SIS file, the worm starts spreading itself by both Bluetooth and MMS.
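As an added example (not part of the original description and not F-Secure's code), the Python below triages a file listing taken from a phone and reports how far the installation sequence above has progressed, using only the paths named in this section. The function names, the listing-as-input format and the drive letters in the sample data are assumptions made for illustration.

```python
import re

# Artifact paths from the description above, grouped by the step that creates them.
INSTALLED = {r"\system\apps\commwarrior\commwarrior.exe",
             r"\system\apps\commwarrior\commrec.mdl"}
EXECUTED = {r"\system\updates\commrec.mdl",
            r"\system\updates\commwarrior.exe"}
REBUILT_SIS = {r"\system\updates\commw.sis"}


def normalize(path):
    """Lower-case, unify separators, drop a drive letter and empty segments."""
    p = path.strip().replace("/", "\\").lower()
    p = re.sub(r"^[a-z]:", "", p)
    return "\\" + "\\".join(seg for seg in p.split("\\") if seg)


def triage(listing):
    """Return (stage, hits) for an iterable of file paths from a phone."""
    seen = {normalize(p) for p in listing}
    hits = {"installed": sorted(seen & INSTALLED),
            "executed": sorted(seen & EXECUTED),
            "rebuilt_sis": sorted(seen & REBUILT_SIS)}
    if hits["rebuilt_sis"]:
        stage = "executed, SIS rebuilt for spreading"
    elif hits["executed"]:
        stage = "executed"
    elif hits["installed"]:
        stage = "installed, no sign of execution"
    else:
        stage = "no Commwarrior.B artifacts"
    return stage, hits


# Constructed sample listing (mixed case, separators and drive letters are made up).
SAMPLE_LISTING = [
    "C:\\System\\Apps\\CommWarrior\\commwarrior.exe",
    "C:\\System\\Apps\\CommWarrior\\commrec.mdl",
    "C:/system/updates/COMMREC.MDL",
    "c:\\system\\updates\\commwarrior.exe",
    "C:\\System\\Updates\\commw.sis",
    "C:\\System\\Apps\\Camera\\Camera.app",
]

if __name__ == "__main__":
    stage, hits = triage(SAMPLE_LISTING)
    print(stage)
    for group, paths in hits.items():
        print(group, paths)
```
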

Propagation (Bluetooth)

Once Commwarrior has infected a phone, it starts searching for other Bluetooth-discoverable devices. If a found device goes out of range or rejects the file transfer, Commwarrior will search for another target.

This methodology differentiates Commwarrior worms from Bluetooth-Worm:SymbOS/Cabir worms, which lock onto only one phone. Depending on the variant, the Cabir worm may stay locked onto the first targeted device even if it has moved out of range, effectively ignoring all other potential targets.

Once a target is found, Commwarrior.B then sends an infected SIS file to all found devices. The SIS files sent are named with random file names, so that users cannot be warned to avoid files with any given name. Some possible names are displayed in the screenshot below:

The file contains the worm's main executable commwarrior.exe, its boot component commrec.mdl and autostart settings that will automatically execute commwarrior.exe after the SIS file is installed.

Unlike Commwarrior.A, Commwarrior.B does not check the system time to determine when to spread by Bluetooth.

Propagation (MMS)

Unlike Commwarrior.A, Commwarrior.B does not check the system time to determine when to spread using MMS.

Commwarrior replicates by sending MMS messages to all numbers listed in the device's contacts book. As the name implies, MMS messages are intended to contain only media content, such as pictures, audio or video, but they can contain anything, including infected Symbian installation files.

The MMS messages contain variable text and the Commwarrior SIS file, with the filename commw.sis. Unlike the SIS file sent via Bluetooth, Commwarrior.B uses a constant file name when spreading by MMS. Otherwise, the SIS file is identical to the one sent via Bluetooth.

Some sample texts used in the MMS messages can be seen below:

Commwarrior uses the following texts when spreading by MMS:

  • MatrixRemover
  • Matrix has you. Remove matrix!
  • 3DGame
  • 3DGame from me. It is FREE !
  • MS-DOS
  • MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!
  • PocketPCemu
  • PocketPC *REAL* emulator for Symbvian OS! Nokia only.
  • Nokia ringtoner
  • Nokia RingtoneManager for all models.
  • Security update #12
  • Significant security update. See www.symbian.com
  • Display driver
  • Real True Color mobile display driver!
  • Audio driver
  • Live3D driver with polyphonic virtual speakers!
  • Symbian security update
  • See security news at www.symbian.com
  • SymbianOS update
  • OS service pack #1 from Symbian inc.
  • Happy Birthday!
  • Happy Birthday! It is present for you!
  • Free SEX!
  • Free *SEX* software for you!
  • Virtual SEX
  • Virtual SEX mobile engine from Russian hackers!
  • Porno images
  • Porno images collection with nice viewer!
  • Internet Accelerator
  • Internet accelerator, SSL security update #7.
  • WWW Cracker
  • Helps to *CRACK* WWW sites like hotmail.com
  • Internet Cracker
  • It is *EASY* to *CRACK* provider accounts!
  • PowerSave Inspector
  • Save you battery and *MONEY*!
  • 3DNow!
  • 3DNow!(tm) mobile emulator for *GAMES*.
  • Desktop manager
  • Official Symbian desctop manager.
  • CheckDisk
  • *FREE* CheckDisk for SymbianOS released!MobiComm
  • Norton AntiVirus
  • Released now for mobile, install it!
  • Dr.Web
  • New Dr.Web antivirus for Symbian OS. Try it!




