SymbOS/Comwar.v30lite!worm

Analysis

This memory resident Symbian malware arrives as a SIS package or Symbian installer file. It is capable of spreading via Bluetooth and Multimedia Message Service (MMS) messages.


Installation of the malware
The SIS package installs the malware as a system process to hide it from some process-viewing tools. It extracts the malware executable either into the root folder or into a randomly named folder, and the executable itself also carries a random alphanumeric filename. The malware executable can therefore be found at either of the following paths, where <EPOCROOT> stands for the root of a drive (C:\ on the phone's internal flash memory, or the root of an attached MMC drive, commonly E:\):

  • <EPOCROOT>\<RANDOM_NAME>.exe (50,652 Bytes)
  • <EPOCROOT>\<RANDOM_NAME>\<RANDOM_NAME>.exe (50,652 Bytes)

When the malware executable runs, it drops a copy of itself at the following path on the flash drive and on any attached MMC drives. This dropped copy uses the fixed filename cw3lite.exe:

  • <EPOCROOT>\system\libs\cw3lite.exe (50,652 Bytes)

The malware executable runs as a protected process named cw3lite, which in turn creates two protected threads with random alphanumeric names.

In addition, this Symbian malware creates the following MDL recognizer file so that the malware is executed automatically whenever the device starts:

  • <EPOCROOT>\system\recogs\cw3lite.mdl (2,040 Bytes)

It also creates a folder named Vicobfogg in the root folder of the flash drive, repackages itself, and drops the new SIS file into that folder:

  • C:\Vicobfogg\otvmxqk9.sis (31~34 KB)
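The file locations, names and sizes listed above are what an incident responder can check directly on a phone's file system, or on a copy of it taken over a PC connection. The following Python script is an added example, not Fortinet's cleanup tool or code from this page: it walks one drive root and reports every artifact from the list above. The alphanumeric filename pattern used to recognise the randomly named executable, and the constructed sample directory tree in build_sample_tree(), are this example's own assumptions; run scan_drive() once per drive (the flash memory root and each MMC root).

```python
"""Look for the on-disk artifacts of SymbOS/Comwar.v30lite!worm listed above.

Added example, not Fortinet's cleanup tool or the page's own code. It checks
only the paths, names and sizes the description gives; the alphanumeric
filename pattern and build_sample_tree() are this example's own assumptions.
"""
import re
import tempfile
from pathlib import Path

# Fixed-name artifacts, relative to the drive root, with the expected size.
FIXED_ARTIFACTS = {
    Path("system", "libs", "cw3lite.exe"): 50652,
    Path("system", "recogs", "cw3lite.mdl"): 2040,
}
EXE_SIZE = 50652                                   # randomly named executable
SIS_SIZE_RANGE = (31 * 1024, 34 * 1024 + 1023)     # "31~34 KB" per the page
DROP_FOLDER = "Vicobfogg"
# Assumption: random names are purely alphanumeric, as the description says.
RANDOM_EXE = re.compile(r"^[A-Za-z0-9]+\.exe$", re.IGNORECASE)


def _depth_one_and_two(root):
    """Yield entries in root and in each immediate subfolder of root."""
    for entry in root.iterdir():
        yield entry
        if entry.is_dir():
            yield from entry.iterdir()


def scan_drive(root):
    """Scan one drive root (the flash memory, an MMC root, or a dumped copy)
    and return a sorted list of (reason, path) findings."""
    root = Path(root)
    findings = []

    # 1. The dropped copy and the MDL autostart recognizer at fixed paths.
    for rel, size in FIXED_ARTIFACTS.items():
        p = root / rel
        if p.is_file():
            tag = "size-match" if p.stat().st_size == size else "size-mismatch"
            findings.append((f"{rel.name} ({tag})", str(p)))

    # 2. The randomly named 50,652-byte executable: in the root itself or in
    #    a randomly named folder one level down (the two paths listed above).
    for p in _depth_one_and_two(root):
        if p.is_file() and RANDOM_EXE.match(p.name) and p.stat().st_size == EXE_SIZE:
            findings.append(("random-named executable", str(p)))

    # 3. The repackaged SIS dropper in <root>\Vicobfogg\.
    drop = root / DROP_FOLDER
    if drop.is_dir():
        lo, hi = SIS_SIZE_RANGE
        for p in drop.iterdir():
            if p.is_file() and p.suffix.lower() == ".sis" and lo <= p.stat().st_size <= hi:
                findings.append(("repackaged SIS in Vicobfogg", str(p)))

    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: a fake drive with the artifacts the page lists plus
    a benign decoy. Zero-filled files stand in for the real binaries."""
    base = Path(base)
    (base / "system" / "libs").mkdir(parents=True)
    (base / "system" / "recogs").mkdir(parents=True)
    (base / DROP_FOLDER).mkdir()
    (base / "system" / "libs" / "cw3lite.exe").write_bytes(b"\0" * 50652)
    (base / "system" / "recogs" / "cw3lite.mdl").write_bytes(b"\0" * 2040)
    (base / DROP_FOLDER / "otvmxqk9.sis").write_bytes(b"\0" * 33 * 1024)
    (base / "q7zp1k.exe").write_bytes(b"\0" * 50652)              # random-named copy
    (base / "system" / "libs" / "legit.exe").write_bytes(b"\0" * 4096)  # decoy, wrong size
    return base


def demo():
    """Run the scanner over a constructed infected tree and over an empty one."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = scan_drive(build_sample_tree(Path(tmp) / "C"))
        clean_root = Path(tmp) / "E"
        clean_root.mkdir()
        clean = scan_drive(clean_root)
    return infected, clean


if __name__ == "__main__":
    for reason, path in demo()[0]:
        print(f"{reason:32} {path}")
```

A size mismatch on cw3lite.exe or cw3lite.mdl is still reported, only tagged differently, since a repacked variant would keep the fixed filenames while changing size; the randomly named executable, by contrast, is only recognisable by its size and location, so that check is deliberately strict.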


Propagation via Bluetooth
To spread via Bluetooth, the worm searches for nearby phones with Bluetooth enabled and attempts to send itself as a SIS file to every device found. This SIS file again carries a random alphanumeric name.
The recipient first sees a request to receive a message via Bluetooth, similar to the following:

Receive message via Bluetooth from <phone model>?
Yes
No

If the user selects Yes, a prompt to install an application follows. The application names the malware uses to disguise itself include the following:
  • Cool Engine
  • Hard keyboard stuff v2.21
  • Mega sex machine v 3.77
  • Nice fucker v 4.43
  • Static www antivirus
  • Symbian hacker
  • Virtual timer v4.27
The worm is persistent: even after the user declines the installation prompt, further Bluetooth transfer requests keep arriving. The barrage can become so annoying that the recipient eventually gives in, accepts the transfer and installs the application, thereby infecting the device.


Propagation via MMS
To spread via MMS, the malware reads the infected phone's address book and sends an MMS message containing a copy of itself to any of the listed contacts. Moreover, an outgoing Short Message Service (SMS) or MMS message sent by the user of the infected phone may be followed by an infected MMS message from the malware, without the user's knowledge.

Recommended Action

  • Download the Commwarrior FortiCleanUp tool and run a "Full Scan".
  • Delete all malware related files from the flash and MMC drives of the infected device.

Telemetry

Detection Availability

FortiClient                 Extreme
FortiMail                   Extreme
FortiSandbox                Extreme
FortiWeb                    Extreme
Web Application Firewall    Extreme
FortiIsolator               Extreme
FortiDeceptor               Extreme
FortiEDR