F-Secure Malware Information Pages: Commwarrior.C

Name: Commwarrior.C
Alias: SymbOS/Commwarrior.C, CWOUTCAST, Comwarrior
Type: Worm
Category: Malware
Platform: SymbOS
Origin: Russia

Summary
Commwarrior.C is a Bluetooth and MMS worm similar to Commwarrior.B, with significant new functionality.

Commwarrior.C is capable of spreading over Bluetooth, MMS, and MMC cards that are inserted into an infected phone.

Disinfection

Use the F-Commwarrior tool to deactivate Commwarrior.C so that Anti-Virus
can be installed on the phone.

1. Open web browser on the phone
2. Go to http://mobile.f-secure.com/disinfection.html
3. Download F-Commwarrior and install it
4. Make sure that you have all applications closed
5. Select "Deactivate Commwarrior" from menu
6. If Commwarrior is found, the phone reboots immediately after disinfection


Install F-Secure Mobile Anti-Virus to finish cleaning up your phone

1. Open web browser on the phone
2. Go to http://mobile.f-secure.com
3. Select link "Download F-Secure Mobile Anti-Virus" and then select phone model
4. Download the file and select open after download
5. Install F-Secure Mobile Anti-Virus
6. Go to applications menu and start Anti-Virus
7. Activate Anti-Virus and scan all files

Detailed Description
When Commwarrior.C infects a phone, it tries to change the operator logo to its own. This behavior has been observed on the Nokia 6600, where the logo is changed to "Infected by Commwarrior".

When the user replies to a new SMS or MMS message, Commwarrior.C opens a web page in the phone's browser.

Commwarrior spreads over Bluetooth by searching for other phones it can reach and sending infected SIS files to every phone it finds.

The SIS files that Commwarrior sends have random file names, so users cannot be warned to avoid files with any given name.

In addition to spreading over Bluetooth, Commwarrior.C spreads over MMS. It sends infected MMS messages based on the user's messaging behavior, so that every message sent to the infected phone is answered with an infected MMS.

SMS messages sent by the user of the infected phone are each followed by an infected MMS message.

The text of the MMS messages sent by Commwarrior.C is taken from messages stored in the phone's Messaging inbox, so the messages it sends read like text the recipient might expect from the sender.

MMS messages are multimedia messages that can be sent between Symbian phones and other phones that support MMS messaging. As the name says, MMS messages are intended to carry only media content such as pictures, audio or video, but they can contain anything, including infected Symbian installation files.

Commwarrior.C also spreads to MMC cards by copying itself to any card inserted into the phone. If such a card is later inserted into another phone, Commwarrior.C starts automatically as soon as the card is inserted.

Commwarrior contains the following texts:

CommWarrior Outcast: The dark side of Symbian Force.
CommWarrior v2.0-PRO. Copyright (c) 2005 by e10d0r
CommWarrior is freeware product. You may freely distribute it
in it's original unmodified form.
With best regards from Russia.
OTMOP03KAM HET!


The text "OTMOP03KAM HET!" is Russian and means roughly "No to braindeads".

Infection

When the Commwarrior SIS file is installed, the installer copies the worm executable to c:\system\programs\cwoutcast.exe

When the worm executable is run, it copies itself to \system\bootdata\lib\cwoutcast.exe and creates \system\recogs\cworec.mdl on C: and on all MMC cards it finds.

Unlike Commwarrior.A and .B, the Commwarrior.C SIS file does not contain an MDL recognizer; the recognizer component is embedded in the worm executable.

After copying itself, Commwarrior.C rebuilds its SIS file in the directory from which cwoutcast.exe was executed.

Hiding process from user

Commwarrior.C tries to hide its process from the user by setting the process type to system process, so that it is not visible in the standard application list.

However, if the user uses a third-party process list tool, the Commwarrior.C process is visible as CWOUTCAST.




Replication over bluetooth

Commwarrior replicates over Bluetooth in SIS files with random names; each SIS file contains the worm's main executable, cwoutcast.exe.

The SIS file contains autostart settings that execute cwoutcast.exe automatically once the SIS file has been installed.

When the Commwarrior worm is activated, it starts looking for other Bluetooth devices and sends a copy of itself to each phone it finds, targeting several phones in one attempt.

If the target phone goes out of range or rejects the file transfer, Commwarrior searches for another phone.

The replication mechanism of Commwarrior differs from Cabir's. The Cabir worm locks onto one phone as long as it is in range and, depending on the variant, will either look for another target after losing contact or stay locked.

The Commwarrior worm constantly looks for new targets, so it is able to contact every phone in range.

Replication over MMS

Commwarrior.C uses three strategies for spreading over MMS messages.

First, when Commwarrior.C starts, it goes through the phone's address book and sends MMS messages to every phone number marked as a mobile phone.

Second, Commwarrior.C listens for any arriving MMS or SMS message and replies to it with an MMS message containing the Commwarrior.C SIS file.

Third, the worm listens for any SMS message being sent by the user and sends an MMS message to the same number right after the SMS message.

Replication to MMC card

Commwarrior.C listens for any MMC card inserted into the infected phone and copies itself to the inserted card. The infected card contains both the Commwarrior executable and the bootstrap component, so if the infected card is inserted into another phone, that phone is also infected.
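As an added defender-side example (not the F-Commwarrior tool and not code from the original page), the following Python script checks a mounted phone volume or MMC card, represented as a directory on the analyst's workstation, for the file-system indicators given in the Infection section and for the embedded texts listed earlier, which is what an investigator would look for on a card pulled from a suspect phone. The directory layout, the constructed sample files, and the scan_volume and build_sample_volume function names are assumptions made for this example; the indicator paths and strings are the ones this description reports.

```python
"""Scan a mounted Symbian volume (C: drive image or MMC card) for the
Commwarrior.C file-system indicators reported in this description.
Added example; not F-Secure tooling."""
import os
import tempfile
from pathlib import Path

# File-system indicators taken from the description (paths relative to
# the volume root, in forward-slash form so they work on any host OS).
INDICATOR_PATHS = (
    "system/programs/cwoutcast.exe",
    "system/bootdata/lib/cwoutcast.exe",
    "system/recogs/cworec.mdl",
)

# Texts the description reports inside the worm body.
INDICATOR_STRINGS = (
    b"CommWarrior Outcast",
    b"OTMOP03KAM HET!",
    b"Copyright (c) 2005 by e10d0r",
)

# Upper bound on bytes read per file; phone binaries are far smaller.
MAX_READ = 4_000_000


def scan_volume(root):
    """Return {'paths': [...], 'strings': [(relpath, [hits]), ...]} for the
    directory tree under root. Path matching is case-insensitive because
    Symbian and FAT file systems are."""
    root = Path(root)
    findings = {"paths": [], "strings": []}

    present = {}  # lower-cased relative path -> absolute Path
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            present[full.relative_to(root).as_posix().lower()] = full

    for indicator in INDICATOR_PATHS:
        if indicator in present:
            findings["paths"].append(indicator)

    for rel, full in present.items():
        try:
            data = full.read_bytes()[:MAX_READ]
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        hits = [s.decode() for s in INDICATOR_STRINGS if s in data]
        if hits:
            findings["strings"].append((rel, hits))
    findings["strings"].sort()
    return findings


def build_sample_volume():
    """Constructed sample (assumption, not a real card image): a temp
    directory laid out like an infected MMC card, with one benign file."""
    root = Path(tempfile.mkdtemp(prefix="cw_sample_"))
    body = (b"\x00" * 16
            + b"CommWarrior Outcast: The dark side of Symbian Force."
            + b"\x00OTMOP03KAM HET!\x00")
    for rel in ("system/bootdata/lib/cwoutcast.exe", "system/recogs/cworec.mdl"):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    (root / "Images").mkdir()
    (root / "Images" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 plain picture")
    return root


if __name__ == "__main__":
    volume = build_sample_volume()
    result = scan_volume(volume)
    for path in result["paths"]:
        print("indicator path present:", path)
    for rel, hits in result["strings"]:
        print(f"{rel}: contains {', '.join(hits)}")
```

Run it against a real card by calling scan_volume with the card's mount point instead of the constructed sample. A hit on the bootstrap paths alone is enough to treat the card as infected; the string check helps when the worm has been copied under a different name, since the SIS files it sends are randomly named.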

Protecting itself from disinfection

Commwarrior.C protects itself against manual disinfection with a file manager: if the user tries to delete the Commwarrior executable or the bootstrap component, the running Commwarrior.C process recreates them on the device.

Commwarrior.C also sets its own process as protected, so that the process cannot be killed easily.



F-Secure Corporation

Last Modified: January 01, 2006