SymbOS/Commwarrior.a!sys

Type: Virus
SubType: PDA Device
Discovery Date: 03/07/2005
Length: 30,582 bytes
Minimum DAT: 4442 (03/08/2005)
Updated DAT: 4442 (03/08/2005)
Minimum Engine: 5.1.00
Description Added: 03/07/2005
Description Modified: 03/08/2005 4:49 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

This threat is a malicious .SIS file targeting Nokia Series 60-based devices. The virus masquerades as a variety of benign applications, including games, porn, and cross-platform emulators. See “Table 1 - MMS Message Text” for a more complete list of subjects and message content.

It replicates by sending itself to nearby Bluetooth devices as well as via MMS. The MMS recipient appears to be selected from the host address book. Once the message is in the host inbox, the user can view it and must approve the installation of the SIS. Once installed, several files are dropped (listed below) and the virus sets itself up for automatic execution at system start.

Affected Platforms:

  • Series 60 devices

Confirmed devices:

  • Nokia 7610
  • Nokia 6600

Symptoms

Upon installation of the .SIS file, the user is presented with a misleading dialogue for installing the virus SIS. See Figure 1 - Figure 4, below. See also ‘Table 1 - MMS Message Text’ for a list of the possible MMS subjects and messages.

Figure 1 - Bluetooth Receive Prompt

Figure 2 - SIS Installer Prompt

Figure 3 - Inbox

Figure 4 - Installer Details

| Subject | Message |
|---|---|
| Norton AntiVirus | Released now for mobile, install it! |
| Dr.Web | New Dr.Web antivirus for Symbian OS. Try it! |
| MatrixRemover | Matrix has you. Remove matrix! |
| 3DGame | 3DGame from me. It is FREE ! |
| MS-DOS | MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it! |
| PocketPCemu | PocketPC *REAL* emulator for Symbvian OS! Nokia only. |
| Nokia ringtoner | Nokia RingtoneManager for all models. |
| Security update #12 | Significant security update. See www.symbian.com |
| Display driver | Real True Color mobile display driver! |
| Audio driver | Live3D driver with polyphonic virtual speakers! |
| Symbian security update | See security news at www.symbian.com |
| SymbianOS update | OS service pack #1 from Symbian inc. |
| Happy Birthday! | Happy Birthday! It is present for you! |
| Free SEX! | Free *SEX* software for you! |
| Virtual SEX | Virtual SEX mobile engine from Russian hackers! |
| Porno images | Porno images collection with nice viewer! |
| Internet Accelerator | Internet accelerator, SSL security update #7. |
| WWW Cracker | Helps to *CRACK* WWW sites like hotmail.com |
| Internet Cracker | It is *EASY* to *CRACK* provider accounts! |
| PowerSave Inspector | Save you battery and *MONEY*! |
| 3DNow! | 3DNow!(tm) mobile emulator for *GAMES*. |
| Desktop manager | Official Symbian desctop manager. |
| CheckDisk | *FREE* CheckDisk for SymbianOS released! |
| MobiComm | MobiComm, Mobile communications inspector. Try it! |

Table 1 - MMS Message Text

Immediately after installation, the worm copies itself to c:\system\updates\commwarrior.exe and places a boot hook in c:\system\recogs\commrec.mdl. Finally, it copies its installation SIS file (which will be sent to target systems) to c:\system\updates\commw.sis.

Note that because the worm does not install an application, no user-visible indication of infection is present.

Once running, the application probes the Bluetooth network for nearby devices with an "OBEX push" (i.e. "file beaming") profile and sends the commw.sis file to them, renamed with a random-looking file name.

Note that unlike earlier worms, this worm properly uses the Bluetooth SDP protocol to detect devices. It will therefore successfully spread to (but not run on) devices other than Nokia Series 60 phones. It will also not exhibit the "hang" behavior observed with SymbOS/Cabir worms that try to infect devices that are not listening.

The worm retries infection of nearby devices every ~1 minute.

Presumably (this has not been verified yet) the worm also sends MMS messages containing the same infected content to recipients listed in the phone and/or SIM's address books. Because MMS is a message-based (not file-based) protocol, the worm travels as an attachment to a message whose text is intended to entice the target user into installing the file.

Upon reboot, the "recognizer" file in c:\system\recogs\commrec.mdl runs and starts an instance of commwarrior.exe, ensuring that the process continues.

The following files are installed by CommWarrior:

  • c:\system\apps\commwarrior\commrec.mdl
    • 2,152 bytes
  • c:\system\apps\commwarrior\commwarrior.exe
    • 27,936 bytes
  • c:\system\recogs\commrec.mdl
    • 2,152 bytes
  • c:\system\updates\commrec.mdl
    • 2,152 bytes
  • c:\system\updates\commwarrior.exe
    • 27,936 bytes
  • c:\system\updates\commw.sis
    • 30,582 bytes

Payload:

  • Rapid battery drain.
  • Propagates via MMS to addresses in the user address book.
  • Propagates to nearby Bluetooth devices.

Method of Infection

This virus replicates via MMS to addresses in the user address book and to nearby Bluetooth devices.

Removal

  • Use a file manager to delete:
    • c:\system\recogs\commrec.mdl
  • Reboot the handset.
  • Delete the following (now inert) files:
    • c:\system\updates\commrec.mdl
    • c:\system\updates\commw.sis
    • c:\system\updates\commwarrior.exe
    • c:\system\apps\CommWarrior\commwarrior.exe
    • c:\system\apps\CommWarrior\commrec.mdl
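
As an added example (not part of the original description and not vendor tooling), the Python below checks a file listing exported from a handset against the artefact paths and sizes listed above and orders the cleanup as in the removal steps. The listing format, the function names and the sample data are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Artefact paths and sizes in bytes, as listed on this page.
ARTEFACTS = {
    r"c:\system\recogs\commrec.mdl": 2152,
    r"c:\system\updates\commrec.mdl": 2152,
    r"c:\system\updates\commw.sis": 30582,
    r"c:\system\updates\commwarrior.exe": 27936,
    r"c:\system\apps\commwarrior\commwarrior.exe": 27936,
    r"c:\system\apps\commwarrior\commrec.mdl": 2152,
}
BOOT_HOOK = r"c:\system\recogs\commrec.mdl"  # recognizer that restarts the worm

# Constructed sample listing of (path, size); not taken from a real device.
SAMPLE = [
    ("C:\\System\\Recogs\\CommRec.mdl", 2152),
    ("c:/system/updates/commw.sis", 30582),
    ("c:\\system\\updates\\commwarrior.exe", 27000),  # name matches, size differs
    ("c:\\system\\apps\\Camera\\camera.app", 51200),  # unrelated file
]


def normalise(path):
    """Lower-case and unify slashes: the page itself spells the directory
    both 'commwarrior' and 'CommWarrior'."""
    return str(PureWindowsPath(path.strip())).lower()


def triage(listing):
    """Return (hits, plan). hits maps artefact path -> True when the size also
    matches the page, False when only the name matches. plan is the ordered
    cleanup: boot hook first, reboot, then the remaining files."""
    hits = {}
    for path, size in listing:
        key = normalise(path)
        if key in ARTEFACTS:
            hits[key] = (size == ARTEFACTS[key])
    plan = []
    if hits:
        if BOOT_HOOK in hits:
            plan.append(("delete", BOOT_HOOK))
        # Assumption: reboot even if the hook is already gone, since an
        # instance started before its removal may still be running.
        plan.append(("reboot", None))
        plan += [("delete", p) for p in ARTEFACTS if p in hits and p != BOOT_HOOK]
    return hits, plan


if __name__ == "__main__":
    for step in triage(SAMPLE)[1]:
        print(step)
```

A name match with a different size is reported as `False` rather than dropped, so an analyst can inspect the file instead of assuming it is the sample described here.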

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
