Virus Profile: SymbOS/Commwarrior.a!sys

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 3/7/2005
Date Added: 3/7/2005
Origin: Unknown
Length: 30,582 bytes
Type: Virus
Subtype: PDA Device
DAT Required: 4442
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Upon installation of the .SIS file, the user will be presented with the misleading dialogue for installing the virus SIS . See Figure 1 - Figure 4 , below. See also ‘Table 1 - MMS Message Text ’ for a list of the possible MMS subject and messages.

Figure 1 - Bluetooth Receive Prompt

Figure 2 - SIS Installer Prompt

Figure 3 - Inbox

Figure 4 - Installer Details

Subject

Message

Norton AntiVirus

Released now for mobile, install it!

Dr.Web

New Dr.Web antivirus for Symbian OS. Try it!

MatrixRemover

Matrix has you. Remove matrix!

3DGame

3DGame from me. It is FREE !

MS-DOS

MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!

PocketPCemu

PocketPC *REAL* emulator for Symbvian OS! Nokia only.

Nokia ringtoner

Nokia RingtoneManager for all models.

Security update #12

Significant security update. See www.symbian.com

Display driver

Real True Color mobile display driver!

Audio driver

Live3D driver with polyphonic virtual speakers!

Symbian security update

See security news at www.symbian.com

SymbianOS update

OS service pack #1 from Symbian inc.

Happy Birthday!

Happy Birthday! It is present for you!

Free SEX!

Free *SEX* software for you!

Virtual SEX

Virtual SEX mobile engine from Russian hackers!

Porno images

Porno images collection with nice viewer!

Internet Accelerator

Internet accelerator, SSL security update #7.

WWW Cracker

Helps to *CRACK* WWW sites like hotmail.com

Internet Cracker

It is *EASY* to *CRACK* provider accounts!

PowerSave Inspector

Save you battery and *MONEY*!

3DNow!

3DNow!(tm) mobile emulator for *GAMES*.

Desktop manager

Official Symbian desctop manager.

CheckDisk

*FREE* CheckDisk for SymbianOS released!

MobiComm

MobiComm, Mobile communications inspector. Try it!

Table 1 - MMS Message Text

Immediately after installation, the worm copies itself to c:\system\updates\commwarrior.exe and places a boot hook in c:\system\recogs\commrec.mdl .  Finally, it copies its installation SIS file (which will be sent to target systems) to c:\system\updates\commw.sis .

Note that because the worm does not install an application, no user-visible indication of infection is present.

Once running, the application probes the Bluetooth network for nearby devices with an "OBEX push" (i.e. "file beaming") profile and sends the commw.sis file to them, renamed with a random-looking file name.

Note that unlike earlier worms, this worm properly uses the Bluetooth SDP protocol to detect devices.  It will therefore successfully spread to (but not run on) devices other than Nokia Series 60 phones.  It will also not exhibit the "hang" behavior observed with SymbOS/Cabir  worms that try to infect devices that are not listening.

The worm retries to infect nearby devices every ~1 minute.

Presumably (this has not been verified yet) the worm also sends MMS messages containing the same infected content to recipients listed in the phone and/or SIM's address books.  Because MMS is a message (not file) based protocol, it attaches itself as an attachment to a message with text indented to entice the target user into installing the file.

Upon reboot, the "recognizer" file in c:\system\recogs\commrec.mdl runs and starts an instance of commwarrior.exe running, ensuring that the process continues.

The following files are installed by CommWarrior:

  • c:\system\apps\commwarrior\commrec.mdl
    • 2,152 bytes
  • c:\system\apps\commwarrior\commwarrior.exe
    • 27,936 bytes
  • c:\system\apps\commwarrior\commrec.mdl
    • 2,152 bytes
  • c:\system\recogs\commrec.mdl
    • 2,152 bytes
  • c:\system\updates\commrec.mdl
    • 2,152 bytes
  • c:\system\updates\commwarrior.exe
    • 27,936 bytes
  • c:\system\updates\commw.sis
    • 30,582 bytes

Payload:

  • Rapid battery drain.
  • Propagates via MMS to addresses in the user address book.
  • Propagates to nearby Bluetooth devices.

Methods of Infection

This virus replicates via MMS to addresses in the user address book and to nearby Bluetooth devices.

   

Virus Characteristics

This threat is a malicious .SIS file targeting Nokia series 60 based devices. The virus masquerades as a variety of benign applications, including games, porn, and cross platform emulators. See “Table 1 - MMS Message Text” for a more complete list of subjects and message content.

It replicates by sending itself to nearby Bluetooth devices as well as via MMS. The MMS recipient appears to be selected from the host address book. Once it is in the host inbox the user can view the message and must approve the installation of the SIS. Once installed several files are dropped (see Table 1 - MMS Message Text) and the virus sets itself up for automatic execution at system start.

Affected Platforms:

  • Series 60 devices

Confirmed devices:

  • Nokia 7610
  • Nokia 6600
   
  • Use a file manager to delete:
    • c:\system\recogs\commrec.mdl
  • Reboot the handset.
  • Delete the following (now inert) files:
    • c:\system\updates\commrec.mdl
    • c:\system\updates\commw.sis
    • c:\system\updates\commrwarrior.exe
    • c:\system\apps\CommWarrior\commwarrior.exe
    • c:\system\apps\CommWarrior\commrec.mdl