F-Secure
Tools
Commwarrior.B
| Name : | Commwarrior.B |
| Category: | Malware |
| Type: | Worm |
| Platform: | SymbOS |
| Origin: | Russia |
Summary
Commwarrior.B is a close variant of Commwarrior.A, it is a worm that operates on Symbian Series 60 devices, and is capable of spreading both over Bluetooth and MMS messages.
The main difference between Commwarrior.A and Commwarrior.B is that unlike Commwarrior.A Commwarrior.B does not check system clock on deciding which replication method to use.
When Commwarrior infects a phone it will start searching other phones that in can reach over Bluetooth and send infected SIS files to the phones it finds.
The SIS files that Comwarrior sends are named with random file names, so that users cannot be warned to avoid files with any given name.
In addition of spreading over bluetooth the Comwarrior will also read the users local address book for phone numbers, and start sending MMS messages containing the Commwarrior SIS file.
The MMS messages are multimedia messages that can be sent between Symbian phones and other phones that support MMS messaging. As the name says the MMS messages are intended to contain only media content, such as pictures, audio or video, but they can contain anything, including infected Symbian installation files.
The main difference between Commwarrior.A and Commwarrior.B is that unlike Commwarrior.A Commwarrior.B does not check system clock on deciding which replication method to use.
When Commwarrior infects a phone it will start searching other phones that in can reach over Bluetooth and send infected SIS files to the phones it finds.
The SIS files that Comwarrior sends are named with random file names, so that users cannot be warned to avoid files with any given name.
In addition of spreading over bluetooth the Comwarrior will also read the users local address book for phone numbers, and start sending MMS messages containing the Commwarrior SIS file.
The MMS messages are multimedia messages that can be sent between Symbian phones and other phones that support MMS messaging. As the name says the MMS messages are intended to contain only media content, such as pictures, audio or video, but they can contain anything, including infected Symbian installation files.
Disinfection
Disinfection
F-Secure Mobile Anti-Virus will detect both Commwarrior variants and delete the worm components.
If your phone is infected with Commwarrior and you cannot install files over bluetooth, you can download F-Secure Mobile Anti-Virus directly to your phone
1. Open web browser on the phone
2. Go to http://mobile.f-secure.com
3. Select link "Download F-Secure Mobile Anti-Virus" and then select phone model
4. Download the file and select open after download
5. Install F-Secure Mobile Anti-Virus
6. Go to applications menu and start Anti-Virus
7. Activate Anti-Virus and scan all files
8. Reboot your phone to kill Commwarrior process that is still running
2. Go to http://mobile.f-secure.com
3. Select link "Download F-Secure Mobile Anti-Virus" and then select phone model
4. Download the file and select open after download
5. Install F-Secure Mobile Anti-Virus
6. Go to applications menu and start Anti-Virus
7. Activate Anti-Virus and scan all files
8. Reboot your phone to kill Commwarrior process that is still running
After disinfecting you phone, you can remove the remaining empty directories by going to Application Manager and uninstalling the SIS file in which Commwarrior had arrived in (either commw.sis or random name)
Additional Details
Replication over bluetooth
Commwarrior replicates over bluetooth in SIS files that have random name, the SIS file contains the worm main executable commwarrior.exe and
boot component commrec.mdl.
The SIS file contains autostart settings that will automatically execute commwarrior.exe after the SIS file is being installed.
When Commwarrior worm is activated it will start looking for other bluetooth devices, and send a copy of itself to each of these phones one after another. If target phone goes out of range or rejects file transfer, the Commwarrior will search for another phone.
The replication mechanism of Commwarrior is different than in Cabir. The Cabir worm locks into one phone and as long as it is in range, and
depending on the variant, it will either look for another variant after losing contact or it will stay locked.
The Commwarrior worm will look for new targets after sending itself to the first target, thus it is able to contact all phones in range.
And possibly spreading faster than Cabir.
Unlike Commwarrior.A, Commwarrior.B does not check the system on determining when the worm spreads over bluetooth.
Replication over MMS
Commwarrior replicates over MMS by sending MMS messages that contains the infected SIS file to other users. The MMS messages contain variable
text messages and Commwarrior SIS file with filename commw.sis.
Unlike in bluetooth spreading, the SIS file name is constant, otherwise the SIS file is identical to the one sent in bluetooth spreading.
The numbers where Commwarrior sends the MMS messages are read from the phone's address book.
The Commwarrior uses following texts in MMS spreading:
Infection
When the Commwarrior SIS file is installed the installer will copy the worm executables into following locations:
\system\apps\CommWarrior\commwarrior.exe
\system\apps\CommWarrior\commrec.mdl
When the Commwarrior.exe is executed it copies the following files:
\system\updates\commrec.mdl
\system\updates\commwarrior.exe
And rebuilds it's SIS file to:
\system\updates\commw.sis
After recreating the SIS file, the worm starts spreading itself over MMS.
Unlike Commwarrior.A, Commwarrior.B does not check the system to determine when the spread over MMS has begun.
Commwarrior replicates over bluetooth in SIS files that have random name, the SIS file contains the worm main executable commwarrior.exe and
boot component commrec.mdl.
The SIS file contains autostart settings that will automatically execute commwarrior.exe after the SIS file is being installed.
When Commwarrior worm is activated it will start looking for other bluetooth devices, and send a copy of itself to each of these phones one after another. If target phone goes out of range or rejects file transfer, the Commwarrior will search for another phone.
The replication mechanism of Commwarrior is different than in Cabir. The Cabir worm locks into one phone and as long as it is in range, and
depending on the variant, it will either look for another variant after losing contact or it will stay locked.
The Commwarrior worm will look for new targets after sending itself to the first target, thus it is able to contact all phones in range.
And possibly spreading faster than Cabir.
Unlike Commwarrior.A, Commwarrior.B does not check the system on determining when the worm spreads over bluetooth.
Replication over MMS
Commwarrior replicates over MMS by sending MMS messages that contains the infected SIS file to other users. The MMS messages contain variable
text messages and Commwarrior SIS file with filename commw.sis.
Unlike in bluetooth spreading, the SIS file name is constant, otherwise the SIS file is identical to the one sent in bluetooth spreading.
The numbers where Commwarrior sends the MMS messages are read from the phone's address book.
The Commwarrior uses following texts in MMS spreading:
• MatrixRemover
• Matrix has you. Remove matrix!
• 3DGame
• 3DGame from me. It is FREE !
• MS-DOS
• MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!
• PocketPCemu
• PocketPC *REAL* emulator for Symbvian OS! Nokia only.
• Nokia ringtoner
• Nokia RingtoneManager for all models.
• Security update #12
• Significant security update. See www.symbian.com
• Display driver
• Real True Color mobile display driver!
• Audio driver
• Live3D driver with polyphonic virtual speakers!
• Symbian security update
• See security news at www.symbian.com
• SymbianOS update
• OS service pack #1 from Symbian inc.
• Happy Birthday!
• Happy Birthday! It is present for you!
• Free SEX!
• Free *SEX* software for you!
• Virtual SEX
• Virtual SEX mobile engine from Russian hackers!
• Porno images
• Porno images collection with nice viewer!
• Internet Accelerator
• Internet accelerator, SSL security update #7.
• WWW Cracker
• Helps to *CRACK* WWW sites like hotmail.com
• Internet Cracker
• It is *EASY* to *CRACK* provider accounts!
• PowerSave Inspector
• Save you battery and *MONEY*!
• 3DNow!
• 3DNow!(tm) mobile emulator for *GAMES*.
• Desktop manager
• Official Symbian desctop manager.
• CheckDisk
• *FREE* CheckDisk for SymbianOS released!MobiComm
• Norton AntiVirus
• Released now for mobile, install it!
• Dr.Web
• New Dr.Web antivirus for Symbian OS. Try it!
Infection
When the Commwarrior SIS file is installed the installer will copy the worm executables into following locations:
\system\apps\CommWarrior\commwarrior.exe
\system\apps\CommWarrior\commrec.mdl
When the Commwarrior.exe is executed it copies the following files:
\system\updates\commrec.mdl
\system\updates\commwarrior.exe
And rebuilds it's SIS file to:
\system\updates\commw.sis
After recreating the SIS file, the worm starts spreading itself over MMS.
Unlike Commwarrior.A, Commwarrior.B does not check the system to determine when the spread over MMS has begun.