Worm:SymbOS/Commwarrior.B operates on Symbian Series 60 devices and is capable of spreading both over both the Bluetooth and Multimedia Messages (MMS) networks.
F-Secure Mobile Security will detect both Commwarrior variants and delete the worm components.
After disinfecting the phone, remove the remaining empty directories by going to Application Manager and uninstalling Commwarrior's SIS file.
If files cannot be installed over Bluetooth; F-Secure Mobile Anti-Virus can also be downloaded directly to the phone:
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
Commwarrior.B is closely related to variant Commwarrior.A. The only significant difference is that unlike Commwarrior.A, Commwarrior.B does not check system clock on deciding which replication method to use.
Commwarrior.B is delivered in an infected SIS file. On receiving the file, the user is prompted to install the file, as seen in the screenshot below:
When the SIS file is installed, the installer copies the worm executables to the following locations:
When Commwarrior.exe is executed it copies the following files:
And rebuilds its SIS file to:
After recreating the SIS file, the worm starts spreading itself by both Bluetooth and MMS.
Once Commwarrior has infected a phone it starts searching for other Bluetooth-discoverable devices. If a found device goes out of range or rejects file transfer, the Commwarrior will search for another target.
This methodology differentiates Commwarrior worms from Worm:SymbOS/Cabir worms, which lock onto only one phone. Depending on the variant, the Cabir worm may stay locked onto the first targeted device even if it has moved out of range, effectively ignoring all other potential targets.
Once a target is found, Commwarrior.B then sends an infected SIS file to all found devices. The SIS files sent are named with random file names, so that users cannot be warned to avoid files with any given name. Some possible names are displayed in the screenshot below:
The file contains the worm main executable commwarrior.exe,its boot component commrec.mdl and autostart settings that will automatically execute commwarrior.exe after the SIS file is installed.
Unlike Commwarrior.A, Commwarrior.B does not check the system time to determine when to spread by Bluetooth.
Unlike Commwarrior.A, Commwarrior.B does not check the system to determine when to spread using MMS.
Commwarrior replicates by sending MMS messages to all numbers listed in the device's contacts book. As the name implies, MMS messages are intended to contain only media content, such as pictures, audio or video, but they can contain anything, including infected Symbian installation files.
The MMS messages contain variable text messages and Commwarrior SIS file with filename commw.sis. Unlike the SIS file sent via Bluetooth, Commwarrior.B uses a constant file name when spreading by MMS. Otherwise, the SIS file is identical to the one sent via Bluetooth.
Some sample texts used in the MMS messages can be seen below:
The Commwarrior uses the following texts in MMS spreading: