



Commwarrior.A

Name: Commwarrior.A
Category: Virus
Type: Worm
Platform: SymbOS

Summary

Commwarrior is a worm that operates on Symbian Series 60 devices. The worm is capable of spreading over both Bluetooth and MMS.

Phones infected with Commwarrior will start searching for other devices within Bluetooth wireless range and will attempt to send infected SIS files to the discovered devices.

The SIS files that Commwarrior transmits are randomly named so that phone users cannot be warned to avoid files with any particular given name.

In addition to using Bluetooth, Commwarrior will also read the user's local address book for phone numbers and will then start sending MMS messages containing Commwarrior.

Disinfection

Disinfection with F-Secure Mobile Anti-Virus

F-Secure Mobile Anti-Virus detects Commwarrior and will delete the worm's components.

  • Download F-Secure Mobile Anti-Virus from http://f-secure.mobi and activate the Anti-Virus
  • Scan the phone and remove any components of the malware
  • Reboot the phone to remove memory resident components

After disinfection, you can remove any remaining empty directories by opening the phone's application manager and uninstalling the SIS file in which Commwarrior arrived (either commw.sis or a random name).

Additional Details

Bluetooth Replication

Commwarrior replicates over Bluetooth wireless connections via randomly named SIS files. The SIS file contains the worm's main executable and its boot component, named commwarrior.exe and commrec.mdl respectively.

The SIS file contains settings that will automatically execute commwarrior.exe when the SIS file is installed.

The Commwarrior worm will start looking for other Bluetooth devices when it is activated. When finding other devices, Commwarrior will attempt to transfer a copy of itself to one device after another. If a target device goes out of range or rejects the file transfer then Commwarrior will search for another.

The replication mechanism of Commwarrior is different than that of Cabir. The Cabir worm locks onto one phone as long as it is in range, and depending on the variant, will either look for another device after losing contact or stay locked.

The Commwarrior worm will look for new targets after sending itself to the first target. It is thus able to contact all phones in range and therefore it is possible for it to spread faster than Cabir.

Commwarrior replicates over Bluetooth only from 08:00 to 23:59 based on the phone's clock.


Replication via MMS

MMS messages are multimedia messages that can be sent between supported Symbian phones. As the name states, MMS messages are intended to contain only media content such as pictures, audio, and video. However, they can contain files of any type including infected Symbian installation files.

Commwarrior replicates via MMS by sending MMS messages that contain the infected SIS file to other users. The MMS messages contain a variable text message and the Commwarrior SIS file with a filename of commw.sis.





Unlike the randomly named files sent via Bluetooth, the SIS file sent via MMS has a constant name. The SIS file is otherwise identical to the one sent via Bluetooth.

The phone numbers where Commwarrior sends the MMS messages are read from the phone's address book.

Commwarrior uses the following texts when spreading via MMS:

  • 3Dgame
    3DGame from me. It is FREE !
  • 3DNow!
    3DNow!(tm) mobile emulator for *GAMES*.
  • Audio driver
    Live3D driver with polyphonic virtual speakers!
  • CheckDisk
    *FREE* CheckDisk for SymbianOS released!MobiComm
  • Desktop manager
    Official Symbian desctop manager.
  • Display driver
    Real True Color mobile display driver!
  • Dr.Web
    New Dr.Web antivirus for Symbian OS. Try it!
  • Free SEX!
    Free *SEX* software for you!
  • Happy Birthday!
    Happy Birthday! It is present for you!
  • Internet Accelerator
    Internet accelerator, SSL security update #7.
  • Internet Cracker
    It is *EASY* to *CRACK* provider accounts!
  • MatrixRemover
    Matrix has you. Remove matrix!
  • MS-DOS
    MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!
  • Nokia ringtoner
    Nokia RingtoneManager for all models.
  • Norton AntiVirus
    Released now for mobile, install it!
  • PocketPCemu
    PocketPC *REAL* emulator for Symbvian OS! Nokia only.
  • Porno images
    Porno images collection with nice viewer!
  • PowerSave Inspector
    Save you battery and *MONEY*!
  • Security update #12
    Significant security update. See www.symbian.com
  • Symbian security update
    See security news at www.symbian.com
  • SymbianOS update
    OS service pack #1 from Symbian inc.
  • Virtual SEX
    Virtual SEX mobile engine from Russian hackers!
  • WWW Cracker
    Helps to *CRACK* WWW sites like hotmail.com
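
The MMS indicators described here can be combined into a simple gateway-side screening rule. The following is an added example, not F-Secure code: the record fields (`subject`, `attachments`, `sender_local_time`), the weights, and the treatment of each entry's first line as the message subject are assumptions; the 00:00 to 06:59 window is the one given in the Infection section.

```python
from datetime import time

# First line of each lure text listed above, lower-cased for matching.
LURE_SUBJECTS = {s.lower() for s in (
    "3Dgame", "3DNow!", "Audio driver", "CheckDisk", "Desktop manager",
    "Display driver", "Dr.Web", "Free SEX!", "Happy Birthday!",
    "Internet Accelerator", "Internet Cracker", "MatrixRemover", "MS-DOS",
    "Nokia ringtoner", "Norton AntiVirus", "PocketPCemu", "Porno images",
    "PowerSave Inspector", "Security update #12", "Symbian security update",
    "SymbianOS update", "Virtual SEX", "WWW Cracker",
)}


def screen(msg):
    """Score one MMS metadata record (dict) against the indicators above."""
    names = [a.lower() for a in msg.get("attachments", [])]
    has_sis = any(n.endswith(".sis") for n in names)
    hits = []  # (weight, reason); weights are illustrative assumptions
    if "commw.sis" in names:
        hits.append((3, "attachment named commw.sis"))
    elif has_sis:
        hits.append((1, "SIS installer attached"))
    if msg.get("subject", "").strip().lower() in LURE_SUBJECTS:
        hits.append((2, "subject matches a listed lure"))
    sent = msg.get("sender_local_time")
    if sent is not None and sent < time(7, 0):
        hits.append((1, "sent between 00:00 and 06:59"))
    score = sum(w for w, _ in hits)
    if not has_sis:
        verdict = "pass"    # no installer attached, nothing to install
    elif score >= 3:
        verdict = "block"
    else:
        verdict = "review"
    return verdict, [r for _, r in hits]


# Constructed sample records, not captured traffic.
SAMPLES = [
    {"subject": "Norton AntiVirus", "attachments": ["commw.sis"],
     "sender_local_time": time(2, 14)},
    {"subject": "holiday pics", "attachments": ["game.SIS"],
     "sender_local_time": time(3, 0)},
    {"subject": "Happy Birthday!", "attachments": ["cake.jpg"],
     "sender_local_time": time(12, 0)},
]
```
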


Infection

When the Commwarrior SIS file is installed, the installer will copy the worm executables to the following locations:

  • \system\apps\CommWarrior\commwarrior.exe
  • \system\apps\CommWarrior\commrec.mdl

When Commwarrior.exe is executed, it copies the following files:

  • \system\updates\commrec.mdl
  • \system\updates\commwarrior.exe

And rebuilds its SIS file to:

  • \system\updates\commw.sis

After recreating the SIS file, the worm starts its attempt to spread via MMS.

Commwarrior replicates over MMS only from 00:00 to 06:59, based on the phone's clock.
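
The file locations listed above show how far an infection progressed: the `\system\apps\CommWarrior\` copies come from the installer, while the `\system\updates\` copies and `commw.sis` exist only after the worm has run. The following added example (not F-Secure code) triages a file listing taken from a phone or memory card; the stage names are hypothetical, and case-insensitive matching with any drive letter is an assumption.

```python
import re

# Paths from the description above, lower-cased, without a drive letter.
INSTALL_PATHS = {
    r"\system\apps\commwarrior\commwarrior.exe",
    r"\system\apps\commwarrior\commrec.mdl",
}
RUNTIME_PATHS = {
    r"\system\updates\commwarrior.exe",
    r"\system\updates\commrec.mdl",
}
REBUILT_SIS = r"\system\updates\commw.sis"


def normalize(path):
    """Lower-case, use backslashes, and drop a leading drive letter."""
    p = path.strip().replace("/", "\\").lower()
    p = re.sub(r"^[a-z]:", "", p)
    return p if p.startswith("\\") else "\\" + p


def triage(listing):
    """Return (stage, matched paths) for an iterable of file paths."""
    seen = {normalize(p) for p in listing if p.strip()}
    hits = sorted(seen & (INSTALL_PATHS | RUNTIME_PATHS | {REBUILT_SIS}))
    if REBUILT_SIS in seen:
        stage = "sis-rebuilt"   # worm ran and recreated its installer
    elif seen & RUNTIME_PATHS:
        stage = "executed"      # commwarrior.exe ran and copied its files
    elif seen & INSTALL_PATHS:
        stage = "installed"     # SIS installed, no runtime copies found
    else:
        stage = "clean"
    return stage, hits


# Constructed sample listing, not taken from a real device.
SAMPLE = [
    "C:\\System\\Apps\\CommWarrior\\commwarrior.exe",
    "C:\\System\\Apps\\CommWarrior\\commrec.mdl",
    "c:/system/updates/commrec.mdl",
    "C:\\System\\Apps\\Camera\\Camera.app",
]
```

A "clean" result only means none of these fixed paths were present; the randomly named SIS files received over Bluetooth are not covered by this check.
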


Additional Information

Commwarrior contains the following text:

  • CommWarrior v1.0 (c) 2005 by e10d0r
    OTMOP03KAM HET!

The text "OTMOP03KAM HET!" is Russian and means roughly "No to braindeads".

Detection

F-Secure Mobile Anti-Virus for Symbian detects this malware starting from the update build number 28.