Worm:SymbOS/Commwarrior.B
First posted on 15 June 2010.
Source: SecurityHome
Aliases :
There are no other names known for Worm:SymbOS/Commwarrior.B.
Explanation :
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.
Additional Details
Worm:SymbOS/Commwarrior.B operates on Symbian Series 60 devices and is capable of spreading over both Bluetooth and Multimedia Messages (MMS) networks.
Commwarrior.B is closely related to variant Commwarrior.A. The only significant difference is that, unlike Commwarrior.A, Commwarrior.B does not check the system clock when deciding which replication method to use.
Installation
Commwarrior.B is delivered in an infected SIS file. On receiving the file, the user is prompted to install the file, as seen in the screenshot below:
When the SIS file is installed, the installer copies the worm executables to the following locations:
• \system\apps\CommWarrior\commwarrior.exe
• \system\apps\CommWarrior\commrec.mdl
When Commwarrior.exe is executed it copies the following files:
• \system\updates\commrec.mdl
• \system\updates\commwarrior.exe
And rebuilds its SIS file to:
• \system\updates\commw.sis
After recreating the SIS file, the worm starts spreading itself by both Bluetooth and MMS.
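The file locations above can be used to triage a file listing exported from a handset. The following is an added example, not part of the original description: it reports whether only the installer's copies are present or whether the worm has already run and rebuilt its SIS file. The listing format, the drive-letter handling and the case-insensitive matching are assumptions, and the sample listing is constructed.

```python
import re

# Artifact paths taken from the description above (it gives no drive letter).
INSTALLED = {
    r"\system\apps\commwarrior\commwarrior.exe",
    r"\system\apps\commwarrior\commrec.mdl",
}
EXECUTED = {
    r"\system\updates\commrec.mdl",
    r"\system\updates\commwarrior.exe",
}
REBUILT_SIS = r"\system\updates\commw.sis"


def normalize(path):
    """Lower-case, unify separators, drop a leading drive letter (assumed C:, E:, ...)."""
    p = path.strip().replace("/", "\\").lower()
    p = re.sub(r"^[a-z]:", "", p)
    return re.sub(r"\\+", r"\\", p)  # collapse doubled backslashes


def triage(listing):
    """Return (stage, hits) for an iterable of file paths from one device."""
    seen = {normalize(p) for p in listing}
    hits = sorted(seen & (INSTALLED | EXECUTED | {REBUILT_SIS}))
    if REBUILT_SIS in seen or seen & EXECUTED:
        stage = "executed"   # copies exist under \system\updates: the worm has run
    elif seen & INSTALLED:
        stage = "installed"  # SIS was installed, no sign yet that the executable ran
    else:
        stage = "clean"
    return stage, hits


# Constructed sample listing (mixed case and separators on purpose).
SAMPLE = [
    "C:\\System\\Apps\\CommWarrior\\commwarrior.exe",
    "C:\\System\\Apps\\CommWarrior\\commrec.mdl",
    "c:/system/updates/CommW.SIS",
    "C:\\System\\Apps\\Camera\\camera.app",
]

if __name__ == "__main__":
    stage, hits = triage(SAMPLE)
    print(stage)
    for h in hits:
        print("  ", h)
```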
Propagation (Bluetooth)
Once Commwarrior has infected a phone, it starts searching for other Bluetooth-discoverable devices. If a found device goes out of range or rejects the file transfer, Commwarrior will search for another target.
This methodology differentiates Commwarrior worms from Worm:SymbOS/Cabir worms, which lock onto only one phone. Depending on the variant, the Cabir worm may stay locked onto the first targeted device even if it has moved out of range, effectively ignoring all other potential targets.
Once a target is found, Commwarrior.B then sends an infected SIS file to all found devices. The SIS files sent are named with random file names, so that users cannot be warned to avoid files with any given name. Some possible names are displayed in the screenshot below:
The file contains the worm main executable commwarrior.exe, its boot component commrec.mdl and autostart settings that will automatically execute commwarrior.exe after the SIS file is installed.
Unlike Commwarrior.A, Commwarrior.B does not check the system time to determine when to spread by Bluetooth.
Propagation (MMS)
Unlike Commwarrior.A, Commwarrior.B does not check the system time to determine when to spread using MMS.
Commwarrior replicates by sending MMS messages to all numbers listed in the device's contacts book. As the name implies, MMS messages are intended to contain only media content, such as pictures, audio or video, but they can contain anything, including infected Symbian installation files.
The MMS messages contain variable text messages and a Commwarrior SIS file with the filename commw.sis. Unlike the SIS file sent via Bluetooth, Commwarrior.B uses a constant file name when spreading by MMS. Otherwise, the SIS file is identical to the one sent via Bluetooth.
Some sample texts used in the MMS messages can be seen below:
Commwarrior uses the following texts in MMS spreading:
• MatrixRemover
• Matrix has you. Remove matrix!
• 3DGame
• 3DGame from me. It is FREE !
• MS-DOS
• MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!
• PocketPCemu
• PocketPC *REAL* emulator for Symbvian OS! Nokia only.
• Nokia ringtoner
• Nokia RingtoneManager for all models.
• Security update #12
• Significant security update. See www.symbian.com
• Display driver
• Real True Color mobile display driver!
• Audio driver
• Live3D driver with polyphonic virtual speakers!
• Symbian security update
• See security news at www.symbian.com
• SymbianOS update
• OS service pack #1 from Symbian inc.
• Happy Birthday!
• Happy Birthday! It is present for you!
• Free SEX!
• Free *SEX* software for you!
• Virtual SEX
• Virtual SEX mobile engine from Russian hackers!
• Porno images
• Porno images collection with nice viewer!
• Internet Accelerator
• Internet accelerator, SSL security update #7.
• WWW Cracker
• Helps to *CRACK* WWW sites like hotmail.com
• Internet Cracker
• It is *EASY* to *CRACK* provider accounts!
• PowerSave Inspector
• Save you battery and *MONEY*!
• 3DNow!
• 3DNow!(tm) mobile emulator for *GAMES*.
• Desktop manager
• Official Symbian desctop manager.
• CheckDisk
• *FREE* CheckDisk for SymbianOS released!MobiComm
• Norton AntiVirus
• Released now for mobile, install it!
• Dr.Web
• New Dr.Web antivirus for Symbian OS. Try it!
Last update 15 June 2010