A new Commwarrior variant


18 October 2005

Commwarrior in action
Virus info

NAME:
Commwarrior.C

ALIAS:
SymbOS/Commwarrior.C, Comwarrior, CWOUTCAST

ORIGIN:
Russia
Summary

Commwarrior.C is a Bluetooth and MMS worm that is similar to Commwarrior.B, but also has significant new functionality.

Commwarrior.C is capable of spreading over Bluetooth, over MMS and via MMC cards inserted into an infected phone.

When Commwarrior.C infects a phone, it tries to change the operator logo to its own. This behavior has been observed on a Nokia 6600, where the logo is changed to "Infected by Commwarrior".

When the user replies to a new SMS or MMS message, Commwarrior.C opens a web page using the phone's browser.

Commwarrior spreads over Bluetooth by searching for other phones it can reach over Bluetooth and sending infected SIS files to every phone it finds.

The SIS files that Commwarrior sends have random file names, so users cannot be warned to avoid files with any given name.

In addition to spreading over Bluetooth, Commwarrior.C spreads over MMS messages. Commwarrior.C sends infected MMS messages based on the user's messaging behavior: every message sent to the infected phone gets an infected MMS as a response, and every SMS message sent by the user of the infected phone is followed by an infected MMS message.

The MMS messages sent by Commwarrior.C carry texts taken from the phone's Messaging inbox, so the messages Commwarrior.C sends contain texts that the receiving user might expect from the sender.

MMS messages are multimedia messages that can be sent between Symbian phones and other phones that support MMS messaging. As the name says, MMS messages are intended to contain only media content such as pictures, audio or video, but they can contain anything, including infected Symbian installation files.

Commwarrior.C also spreads to MMC cards by copying itself to any card inserted into the phone, so that if such a card is inserted into another phone, Commwarrior.C starts automatically when the card is inserted.

Commwarrior contains the following texts:

CommWarrior Outcast: The dark side of Symbian Force.
CommWarrior v2.0-PRO. Copyright (c) 2005 by e10d0r
CommWarrior is freeware product. You may freely distribute it
in it's original unmodified form.
With best regards from Russia.
OTMOP03KAM HET!

The text "OTMOP03KAM HET!" is Russian and means roughly "No to braindeads".

Commwarrior.C has not yet been fully analyzed; we will update this description as we get more details confirmed.

Disinfection

F-Secure Mobile Anti-Virus will detect Commwarrior.C and delete the worm components.

If your phone is infected with Commwarrior and you cannot install files over Bluetooth, you can download F-Secure Mobile Anti-Virus directly to your phone:

1. Open web browser on the phone
2. Go to http://mobile.f-secure.com
3. Select link "Download F-Secure Mobile Anti-Virus" and then select phone model
4. Download the file and select open after download
5. Install F-Secure Mobile Anti-Virus
6. Go to applications menu and start Anti-Virus
7. Activate Anti-Virus and scan all files
8. Reboot your phone to kill the Commwarrior process that is still running

After disinfecting your phone, you can remove the remaining empty directories by going to the application manager and uninstalling the SIS file in which Commwarrior arrived.

Detailed Description

Infection

When the Commwarrior SIS file is installed, the installer copies the worm executable to c:\system\programs\cwoutcast.exe

When comwarrior.exe is executed, it copies itself to \system\bootdata\lib\cwoutcast.exe and creates \system\recogs\cworec.mdl on C: and on all MMC cards it finds.

Unlike Commwarrior.A and .B, the SIS file of Commwarrior.C does not contain an MDL recognizer; the recognizer component is contained in the worm executable.

After copying itself, Commwarrior.C rebuilds its SIS file in the directory from which cwoutcast.exe was executed.
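The file locations and embedded texts above are the artifacts an incident responder would look for on a C: drive image or an MMC card taken out of a suspect phone. The script below is an added example, not F-Secure's code or anything from the original write-up: it walks a mounted drive root, reports any of the three paths named above (compared case-insensitively, since Symbian FAT volumes are), and reports any file that carries the worm's own strings. The sample drive tree it builds is constructed, with dummy bytes standing in for the executable; the drive letters C and E and the benign notes.txt file are assumptions for the demonstration.

```python
import os
import tempfile

# Paths the write-up names as created by Commwarrior.C, relative to a drive root
# (C: or an MMC card). Symbian's FAT volumes are case-insensitive, so compare lowercase.
KNOWN_PATHS = {
    "system/programs/cwoutcast.exe",
    "system/bootdata/lib/cwoutcast.exe",
    "system/recogs/cworec.mdl",
}

# Strings the write-up lists as embedded in the worm executable.
KNOWN_STRINGS = (
    b"CommWarrior Outcast",
    b"CommWarrior v2.0-PRO",
    b"OTMOP03KAM HET!",
)


def scan_drive(drive_root):
    """Scan one mounted drive image and return (path_hits, string_hits).

    path_hits  : known Commwarrior.C file locations present on the drive
    string_hits: (relative_path, [matched strings]) for every file carrying the worm's texts
    Both lists use forward slashes and lowercase so results compare the same on any host.
    """
    path_hits, string_hits = [], []
    for dirpath, _dirs, files in os.walk(drive_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, drive_root).replace(os.sep, "/").lower()
            if rel in KNOWN_PATHS:
                path_hits.append(rel)
            try:
                with open(full, "rb") as fh:
                    data = fh.read(2 * 1024 * 1024)  # a Symbian executable is far smaller than 2 MiB
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            matched = [s.decode("ascii") for s in KNOWN_STRINGS if s in data]
            if matched:
                string_hits.append((rel, matched))
    return sorted(path_hits), sorted(string_hits)


def _write(drive_root, rel_path, content):
    full = os.path.join(drive_root, *rel_path.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(content)


def build_sample_tree(base):
    """Constructed sample: a C: drive plus one MMC card (E:) laid out as the write-up describes."""
    fake_exe = b"\x00" * 32 + b"\n".join(KNOWN_STRINGS) + b"\x00" * 32  # constructed, not real worm bytes
    c_drive, mmc = os.path.join(base, "C"), os.path.join(base, "E")
    # C: holds the installed copy, the bootdata copy and the recognizer
    _write(c_drive, "System/Programs/CWOUTCAST.EXE", fake_exe)
    _write(c_drive, "System/BootData/Lib/cwoutcast.exe", fake_exe)
    _write(c_drive, "System/Recogs/cworec.mdl", b"MDL\x00constructed recognizer stub")
    _write(c_drive, "System/Apps/Notes/notes.txt", b"shopping list")  # benign file, must not match
    # the MMC card holds the bootdata copy and the recognizer
    _write(mmc, "System/BootData/Lib/cwoutcast.exe", fake_exe)
    _write(mmc, "System/Recogs/cworec.mdl", b"MDL\x00constructed recognizer stub")
    return c_drive, mmc


def demo():
    """Build the constructed sample phone in a temp directory and scan both drives."""
    base = tempfile.mkdtemp(prefix="cw_demo_")
    c_drive, mmc = build_sample_tree(base)
    return {"C": scan_drive(c_drive), "E": scan_drive(mmc)}


if __name__ == "__main__":
    for drive, (paths, strings) in demo().items():
        print(f"{drive}: known paths present: {paths}")
        for rel, matched in strings:
            print(f"   {rel} contains {matched}")
```

Point scan_drive at the mount point of a real card or image instead of the constructed tree; a string hit in a file outside the known paths is what you would expect after the worm has rebuilt its SIS file somewhere else.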

Hiding process from user

Commwarrior.C tries to hide its process from the user by setting the process type to system process, so that it is not visible in the standard application list.

However, if the user runs a third-party process list tool, the Commwarrior.C process is visible as CWOUTCAST.

Replication over bluetooth

Commwarrior replicates over Bluetooth in SIS files that have random names; the SIS file contains the worm's main executable cwoutcast.exe.

The SIS file contains autostart settings that automatically execute cwoutcast.exe after the SIS file has been installed.

When the Commwarrior worm is activated, it starts looking for other Bluetooth devices and sends a copy of itself to each phone it finds, targeting several phones in one attempt.

If the target phone goes out of range or rejects the file transfer, Commwarrior searches for another phone.

The replication mechanism of Commwarrior differs from that of Cabir. The Cabir worm locks onto one phone for as long as it is in range and, depending on the variant, will either look for another target after losing contact or stay locked.

The Commwarrior worm constantly looks for new targets and is thus able to contact all phones in range.

Replication over MMS


Commwarrior.C uses three strategies for spreading over MMS messages.

First, when Commwarrior.C starts, it goes through the phone's address book and sends MMS messages to the phone numbers that are marked as mobile phone numbers.

Second, Commwarrior.C listens for any arriving MMS or SMS message and replies to it with an MMS message containing the Commwarrior.C SIS file.

Third, the worm listens for any SMS message sent by the user and sends an MMS message to the same number right after the SMS message.
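Each of the three strategies leaves a distinctive pattern in the phone's message history, which is what an operator-side or device-side detector can key on: a burst of outgoing MMS with an installer attachment to many distinct numbers, an outgoing MMS that follows an incoming message from the same number within seconds, and an outgoing MMS that follows the user's own outgoing SMS to the same number. The detector below is an added example, not code from F-Secure or from the original write-up. The log format it parses (timestamp, direction, message type, number, attachment type) is constructed for the demonstration, and the 30-second reply window, 60-second burst window and burst threshold of 3 recipients are assumed tuning values, not figures from the write-up.

```python
from datetime import datetime, timedelta

# Constructed message log in an assumed format: "<ISO timestamp> <IN|OUT> <SMS|MMS> <number> <attachment|->".
# The three blocks mirror the write-up's three strategies: address-book sweep, auto-reply, SMS follow-up.
SAMPLE_LOG = """\
2005-10-18T10:00:00 OUT MMS +358401111111 sis
2005-10-18T10:00:02 OUT MMS +358402222222 sis
2005-10-18T10:00:04 OUT MMS +358403333333 sis
2005-10-18T10:05:00 IN SMS +358404444444 -
2005-10-18T10:05:03 OUT MMS +358404444444 sis
2005-10-18T10:20:00 OUT SMS +358405555555 -
2005-10-18T10:20:02 OUT MMS +358405555555 sis
2005-10-18T11:00:00 OUT MMS +358406666666 jpg
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, kind, number, attachment = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "dir": direction,
                       "kind": kind, "number": number, "att": attachment})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, reply_window=timedelta(seconds=30),
           burst_window=timedelta(seconds=60), burst_min=3):
    """Return (label, detail, timestamp) findings for Commwarrior.C-style MMS behaviour.

    auto-reply         : outgoing MMS with a SIS attachment shortly after an incoming message from that number
    sms-followup       : outgoing MMS with a SIS attachment shortly after the user's own SMS to that number
    address-book-sweep : SIS-carrying MMS to at least burst_min distinct numbers inside burst_window
    """
    findings = []
    sis_out = [e for e in events
               if e["dir"] == "OUT" and e["kind"] == "MMS" and e["att"].lower() == "sis"]

    for e in sis_out:
        for prior in events:
            if prior is e or prior["number"] != e["number"]:
                continue
            delta = e["ts"] - prior["ts"]
            if not (timedelta(0) <= delta <= reply_window):
                continue
            if prior["dir"] == "IN":
                findings.append(("auto-reply", e["number"], e["ts"]))
            elif prior["dir"] == "OUT" and prior["kind"] == "SMS":
                findings.append(("sms-followup", e["number"], e["ts"]))

    # Sliding window over SIS-carrying MMS: many distinct recipients in a short time is the sweep.
    for i, e in enumerate(sis_out):
        recipients = {x["number"] for x in sis_out[i:] if x["ts"] - e["ts"] <= burst_window}
        if len(recipients) >= burst_min:
            findings.append(("address-book-sweep", len(recipients), e["ts"]))
            break
    return findings


if __name__ == "__main__":
    for label, detail, ts in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {label:<20} {detail}")
```

The ordinary MMS with a picture attachment at 11:00 is deliberately in the sample and produces no finding; the attachment type is what separates the worm's traffic from a user's, since the write-up notes that the message texts themselves are lifted from the inbox and look plausible.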

Replication to MMC card

Commwarrior.C listens for any MMC card inserted into the infected phone and copies itself to the inserted card. The infected card contains both the Commwarrior executable and the bootstrap component, so that if the infected card is inserted into another phone, that phone is infected as well.

Protecting itself from disinfection

Commwarrior.C protects itself against manual disinfection with a file manager. If the user tries to delete the Commwarrior executable or the bootstrap component, the running Commwarrior.C process recreates them on the device.

Commwarrior.C also sets its own process as protected, so that the process cannot be killed easily.

Detection

Detection for Commwarrior.C was published on October 13th, 2005 in database build number 53.

Write-up: Jarno Niemela October 13th, 2005

F-Secure Corporation

Source: F-secure Author: Apocalypso

copyright (c) Symbian freak 2005,
all rights reserved
