Virus

SymbOS/Comwar.B!worm

Analysis

This is a minor variant of the CommWar family. This threat contains these strings, which are not displayed at any time -

CommWarrior v1.0b (c) 2005 by e10d0r
CommWarrior is freeware product. You may freely distribute it in it's original unmodified form.
OTMOP03KAM HET!

This is a virus for Series 60 type cell phones operating Symbian OS version 6 [or higher], such as Nokia among other brands. The object of the virus is to spread to other phones using Bluetooth and MMS as transport avenues. The targets are selected from the contact list of the infected phone and also sought via Bluetooth searching for other Bluetooth-enabled devices (phones, printers, gaming devices etc.) in the proximity of the infected phone.

This virus is slightly more than a proof of concept - it has successfully proven its ability to migrate from a zoo collection to being in-the-wild. Currently, this virus is being reported in over 18 different countries around Europe, Asia and North America.

Initially upon installing itself (after the recipient grants authorization to receive and run the "application"), the virus will copy itself as the following files -

File                               Size            Description
\system\recogs\commrec.mdl         2,152 bytes     "app" loader
\system\updates\commrec.mdl        2,152 bytes     "app" loader
\system\updates\commwarrior.exe    23,320 bytes    virus program
\system\updates\commw.sis          27,162 bytes    package

The "recogs" folder commonly stores programs known as "recognizers". The recognizer in this case is "commrec.mdl".

Load at phone bootup
When the phone powers on, the loader runs CommWar as "commwarrior.exe" from its installed location. CommWar will read from the phone contact list and attempt to send itself using MMS.

MMS distribution
The virus attempts to send itself to contacts found on the infected phone using MMS. The message itself contains a MIME type that tells the receiving application how to treat the attachment -

application/vnd.symbian.install

The receiving phone may receive one of several hard-coded messages - the actual message depends on which one the virus chooses, based on a randomizer routine. The following are examples of what a targeted phone may expect to receive (subject, message) -

Norton AntiVirus
Released now for mobile, install it!

Dr.Web
New Dr.Web antivirus for Symbian OS. Try it!

MatrixRemover
Matrix has you. Remove matrix!

3DGame
3DGame from me. It is FREE !

MS-DOS
MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!

PocketPCemu
PocketPC *REAL* emulator for Symbvian OS! Nokia only.

Nokia ringtoner
Nokia RingtoneManager for all models.

Security update #12
Significant security update. See www.symbian.com

Display driver
Real True Color mobile display driver!

Audio driver
Live3D driver with polyphonic virtual speakers!

Symbian security update
See security news at www.symbian.com

SymbianOS update
OS service pack #1 from Symbian inc.

Happy Birthday!
Happy Birthday! It is present for you!

Free SEX!
Free *SEX* software for you!

Virtual SEX
Virtual SEX mobile engine from Russian hackers!

Porno images
Porno images collection with nice viewer!

Internet Accelerator
Internet accelerator, SSL security update #7.

WWW Cracker
Helps to *CRACK* WWW sites like hotmail.com

Internet Cracker
It is *EASY* to *CRACK* provider accounts!

PowerSave Inspector
Save you battery and *MONEY*!

3DNow!
3DNow!(tm) mobile emulator for *GAMES*.

Desktop manager
Official Symbian desctop manager.

CheckDisk
*FREE* CheckDisk for SymbianOS released!MobiComm

MobiComm, Mobile communications inspector. Try it!

The MMS message will have an attachment of a randomized name with a .SIS extension. If the user runs the attached file, it will install the virus.

The .SIS file contains the full path used when the virus is extracted. The virus and loader are installed to this location -

\system\apps\CommWarrior\

Bluetooth distribution
The virus also has the ability to seek Bluetooth-enabled devices. Devices found could receive numerous messages asking to install "Caribe". The request is persistent and annoying. It is important to note that phones that have not been configured to allow connection via this seek-and-find method are not susceptible to this attack.

Recommended Action

  • Delete all modules related to this virus from the infected device -
    \system\recogs\commrec.mdl
    \system\updates\commrec.mdl
    \system\updates\commwarrior.exe
    \system\updates\commw.sis
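
The indicators described above (file paths and sizes, the install folder, the MMS MIME type and the hard-coded messages) can be combined into a triage check for a device file listing or for MMS metadata. The Python below is an added example, not part of the original analysis; the function names, the sample listing, the drive-letter stripping and the case-insensitive matching are assumptions, and only a subset of the listed messages is included.

```python
import re

# Path -> size in bytes, from the file table on this page.
KNOWN_FILES = {
    "\\system\\recogs\\commrec.mdl": 2152,
    "\\system\\updates\\commrec.mdl": 2152,
    "\\system\\updates\\commwarrior.exe": 23320,
    "\\system\\updates\\commw.sis": 27162,
}
INSTALL_DIR = "\\system\\apps\\commwarrior\\"
SIS_MIME = "application/vnd.symbian.install"
# Subset of the hard-coded (subject, message) pairs listed on this page.
KNOWN_LURES = {
    ("Norton AntiVirus", "Released now for mobile, install it!"),
    ("Dr.Web", "New Dr.Web antivirus for Symbian OS. Try it!"),
    ("Security update #12", "Significant security update. See www.symbian.com"),
}
# Constructed sample listing (path, size); not from a real device.
SAMPLE_LISTING = [
    ("C:\\System\\Recogs\\CommRec.mdl", 2152),
    ("c:/system/updates/commw.sis", 30000),
    ("C:\\system\\apps\\CommWarrior\\commwarrior.exe", 23320),
    ("C:\\system\\apps\\Notes\\notes.app", 5120),
]

def normalize(path):
    """Unify separators, lowercase (assumed case-insensitive FS), drop drive letter."""
    path = path.replace("/", "\\").lower()
    return re.sub(r"^[a-z]:", "", path)

def scan_listing(entries):
    """Map each suspicious path to 'exact' (path and size match this variant),
    'path-only' (size differs, possibly another variant) or 'install-dir'."""
    hits = {}
    for path, size in entries:
        norm = normalize(path)
        if norm in KNOWN_FILES:
            hits[path] = "exact" if KNOWN_FILES[norm] == size else "path-only"
        elif norm.startswith(INSTALL_DIR):
            hits[path] = "install-dir"
    return hits

def score_mms(content_type, filename, subject, body):
    """Return the reasons an MMS attachment resembles this worm's carrier."""
    checks = {
        "sis-mime": content_type.split(";")[0].strip().lower() == SIS_MIME,
        "sis-extension": filename.lower().endswith(".sis"),
        "known-lure": (subject.strip(), body.strip()) in KNOWN_LURES,
    }
    return [name for name, hit in checks.items() if hit]
```

Because the attachment name is randomized, the MIME type and the subject/message pair are the stable features to match on; the file name contributes only its .SIS extension.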