Bluetooth-Worm:SymbOS/Commwarrior.B operates on Symbian Series 60 devices and is capable of spreading over both the Bluetooth and Multimedia Messages (MMS) networks.
Commwarrior.B is closely related to variant Commwarrior.A. The only significant difference is that, unlike Commwarrior.A, Commwarrior.B does not check the system clock when deciding which replication method to use.
Commwarrior.B is delivered in an infected SIS file. On receiving the file, the user is prompted to install the file, as seen in the screenshot below:
When the SIS file is installed, the installer copies the worm executables to the following locations:
When Commwarrior.exe is executed it copies the following files:
And rebuilds its SIS file to:
After recreating the SIS file, the worm starts spreading itself by both Bluetooth and MMS.
Once Commwarrior has infected a phone, it starts searching for other Bluetooth-discoverable devices. If a found device goes out of range or rejects the file transfer, Commwarrior will search for another target.
This methodology differentiates Commwarrior worms from Bluetooth-Worm:SymbOS/Cabir worms, which lock onto only one phone. Depending on the variant, the Cabir worm may stay locked onto the first targeted device even if it has moved out of range, effectively ignoring all other potential targets.
Once a target is found, Commwarrior.B then sends an infected SIS file to all found devices. The SIS files sent are named with random file names, so that users cannot be warned to avoid files with any given name. Some possible names are displayed in the screenshot below:
The file contains the worm's main executable commwarrior.exe, its boot component commrec.mdl, and autostart settings that will automatically execute commwarrior.exe after the SIS file is installed.
Unlike Commwarrior.A, Commwarrior.B does not check the system time to determine when to spread by Bluetooth.
Unlike Commwarrior.A, Commwarrior.B does not check the system time to determine when to spread using MMS.
Commwarrior replicates by sending MMS messages to all numbers listed in the device's contacts book. As the name implies, MMS messages are intended to contain only media content, such as pictures, audio or video, but they can contain anything, including infected Symbian installation files.
The MMS messages contain variable text and the Commwarrior SIS file, named commw.sis. Unlike the SIS file sent via Bluetooth, the one sent by MMS always uses this constant file name. Otherwise, the SIS file is identical to the one sent via Bluetooth.
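The following triage check is an added example, not F-Secure's detection logic. It shows why the constant MMS file name is only a weak indicator while the embedded component names cover both transports, including Bluetooth transfers with random names. It assumes the component names appear in a package's bytes as plain ASCII or UTF-16LE text; the function names, the sample file names and the sample bytes are constructed for illustration.

```python
import ntpath

# Indicators taken from the description above.
COMPONENTS = ("commwarrior.exe", "commrec.mdl")
MMS_NAME = "commw.sis"


def find_components(blob: bytes) -> list[str]:
    """Return the worm component names embedded in a package's raw bytes.

    Assumption: names are stored uncompressed as ASCII or UTF-16LE text.
    """
    haystack = blob.lower()  # lowercases ASCII letters only, other bytes untouched
    return [name for name in COMPONENTS
            if name.encode("ascii") in haystack
            or name.encode("utf-16-le") in haystack]


def triage(filename: str, transport: str, blob: bytes) -> dict:
    """Classify an inbound SIS file received over 'mms' or 'bluetooth'."""
    base = ntpath.basename(filename).lower()
    name_hit = transport == "mms" and base == MMS_NAME
    found = find_components(blob)
    if len(found) == len(COMPONENTS):
        verdict = "match"      # both components present: the file name is irrelevant
    elif name_hit or found:
        verdict = "suspect"    # a single indicator: hold the file for analysis
    else:
        verdict = "clean"
    return {"verdict": verdict, "name_hit": name_hit, "components": found}


def sample_blob(*names: str, wide: bool = True) -> bytes:
    """Constructed stand-in for package bytes (not a real SIS file)."""
    enc = "utf-16-le" if wide else "ascii"
    body = b"".join(("!:\\placeholder\\" + n).encode(enc) + b"\x00\x00" for n in names)
    return b"\x00" * 16 + body


if __name__ == "__main__":
    cases = [  # constructed file names and contents
        ("commw.sis", "mms", sample_blob("Commwarrior.exe", "commrec.mdl")),
        ("x7k2q9.sis", "bluetooth", sample_blob("commwarrior.exe", "COMMREC.MDL", wide=False)),
        ("commw.sis", "mms", sample_blob("game.app")),
        ("ringtones.sis", "bluetooth", sample_blob("game.app")),
    ]
    for name, transport, blob in cases:
        print(name, transport, triage(name, transport, blob))
```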
Some sample texts used in the MMS messages can be seen below:
Commwarrior uses the following texts in MMS spreading: