NEWS FROM THE LAB - Wednesday, May 11, 2005

Commwarrior Symbian MMS worm is in the wild
Posted by Jarno @ 08:24 GMT

Screenshot of an MMS message sent by Commwarrior

We have been publishing posts about Cabir sightings in various countries. However, it's not the only phone worm spreading in the wild. The Commwarrior worm, which spreads via both Bluetooth and MMS messages, was already found in the wild in Ireland in January. Three weeks ago we got a report from India, and now we've received information about a Commwarrior sighting in Oman in the Middle East.

All these have been isolated cases. Nevertheless, this virus is in the wild. Commwarrior could potentially be much bigger trouble than Cabir - via MMS it can jump from one country to another easily.

Commwarrior monitors the phone's clock and spreads over Bluetooth during the daytime (from 08:00 to midnight) and via MMS during the night (from midnight to 07:00). The worm sleeps for a random time between sending messages, which further slows down its spread.

And of course, sending MMS messages is expensive. Let's do a little math here. How many phone numbers do you have in your phone? How much does sending one MMS cost you? Assuming, say, 500 numbers and 0.50€ per message, that would cost you 250€. Of course, that money wouldn't go back to the virus writer, but in any case we're talking about a nasty side effect here.

When Commwarrior arrives via MMS, the user sees a message that contains social engineering text and an attachment. Unlike in Bluetooth replication, where the system installer starts automatically after receiving the message (with the normal installation dialog, of course), the user has to save the SIS file attachment from the MMS before the installer starts.

Message from Oman. Quoted with permission.

Thus getting infected with Commwarrior over MMS takes even more steps than Cabir over Bluetooth, which is probably one of the reasons why we haven't seen distribution on a larger scale. But as we know, people are curious, and there are always some people who will install Commwarrior, especially since via MMS they seem to receive the file from someone they know.

Commwarrior-infected phones can be easily disinfected by surfing to mobile.f-secure.com and downloading F-Secure Mobile Anti-Virus - or manually with a third-party file manager. And telecom operators can scan the MMS traffic for viruses using a suitable tool, for example F-Secure Mobile Filter.
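
The night-time MMS window and the SIS attachment described above also give operators a simple traffic heuristic to run alongside content scanning. The following is an added example, not code from this post or from any F-Secure product; the record layout, the threshold and the sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Assumptions, not from the post: the record layout, the alert threshold, and
# timestamps already converted to the sender's local time (the worm follows
# the phone's own clock).
SIS_MIME = "application/vnd.symbian.install"      # MIME type of Symbian SIS files
NIGHT_START, NIGHT_END = time(0, 0), time(7, 0)   # MMS window given in the post
MIN_RECIPIENTS = 3                                # hypothetical threshold

# Constructed sample records: (local time, sender, recipient, file name, MIME type)
SAMPLE_LOG = [
    ("2005-05-10 01:12:09", "sub-A", "sub-K", "game.sis", SIS_MIME),
    ("2005-05-10 02:47:31", "sub-A", "sub-L", "game.sis", SIS_MIME),
    ("2005-05-10 05:55:02", "sub-A", "sub-M", "update.SIS", "application/octet-stream"),
    ("2005-05-10 01:30:00", "sub-B", "sub-K", "party.jpg", "image/jpeg"),
    ("2005-05-10 01:31:00", "sub-B", "sub-L", "party.jpg", "image/jpeg"),
    ("2005-05-10 01:32:00", "sub-B", "sub-M", "party.jpg", "image/jpeg"),
    ("2005-05-10 03:05:00", "sub-C", "sub-K", "theme.sis", SIS_MIME),
    ("2005-05-10 07:00:00", "sub-C", "sub-L", "theme.sis", SIS_MIME),
    ("2005-05-10 14:20:00", "sub-C", "sub-M", "theme.sis", SIS_MIME),
]

def carries_sis(name, mime):
    """True if the attachment is a SIS package by MIME type or by extension."""
    return mime.lower() == SIS_MIME or name.lower().endswith(".sis")

def in_night_window(ts):
    """True from midnight up to, but not including, 07:00."""
    return NIGHT_START <= ts.time() < NIGHT_END

def suspicious_senders(records, min_recipients=MIN_RECIPIENTS):
    """Map each sender who sent SIS attachments to at least min_recipients
    distinct numbers within one night window to the sorted recipient list."""
    fanout = defaultdict(set)
    for stamp, sender, recipient, name, mime in records:
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if carries_sis(name, mime) and in_night_window(ts):
            fanout[(sender, ts.date())].add(recipient)
    hits = defaultdict(set)
    for (sender, _day), recipients in fanout.items():
        if len(recipients) >= min_recipients:
            hits[sender] |= recipients
    return {sender: sorted(r) for sender, r in hits.items()}

if __name__ == "__main__":
    for sender, recipients in suspicious_senders(SAMPLE_LOG).items():
        print(sender, "->", ", ".join(recipients))
```

A match is a lead for scanning the attachment and contacting the subscriber, not proof of infection, since legitimate SIS sharing at night looks the same to this check.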

However, we've only received isolated reports about Commwarrior, so the worm seems to be quite rare and currently it is not really a serious threat.

PS. We've also received a report of Cabir sightings in New Zealand and in Switzerland. That makes it 23 countries with reports on Cabir.