
SymbOS/Comwar.Q!worm - Released Aug 04, 2006

Alias/es

SymbOS.Commwarrior.O

Visible Symptoms

  • A log bar is shown.

  • The phone logo is replaced by the worm's logo.

  • The following files exist in all writable drive paths, including the memory card:

    • !:\system\recogs\cw3rec.mdl
    • !:\system\libs\cw3.exe

Detailed Analysis

  • Spreads over Bluetooth and Multimedia Messaging Service (MMS) as a SIS file (Symbian installation file), as previous versions did. This version, however, can slightly modify its contents so that each replication produces a different file.

  • Arrives as a SIS archive with a random name and random size. The SIS archive contains a single executable file.

    Examples of filenames are the following:

    • WWW Static Ringtone v 3.6
    • Hard E-mail Clips v 1.14
    • Winamp Documents v 2.67


    Autostart Mechanism

  • Attempts to drop the following file in all writable drive paths, including the memory card:
    !:\system\recogs\cw3rec.mdl
    This file is used to launch the worm.

  • Copies itself as the following to all writable drive paths, including the memory card:
    !:\system\libs\cw3.exe

    Bluetooth and MMS Propagation

  • Once the worm is installed in the phone memory, it crafts a new SIS file and begins to send it over Bluetooth to nearby devices.

  • Attempts to collect contact information from the inbox and the phone book.

  • Sends an MMS message containing itself to the gathered contacts. The message can be a randomly selected message taken from the inbox or any of the following:

    • CommWarrior v3.0-PRO (c) by e10d0r. It is another high quality product from Russia!
    • CommWarrior v3.0-PRO (c) by e10d0r. Please update your version!
    • A new dangerous virus was written by hacker e10d0r and you need anti-virus.
    • Please update your version of the CommWarrior.
    • The dark side of the Symbian Force has more power!
    • Are you a Jedi? I think no...
    • May the Force be with you!
    • Remove!|It is CommWarrior removing tools, last version.
    • AntiVirus|Install Anti-Virus quickly! A new dangerous virus found!
    • TrendMicro AntiVirus|TrendMicro antivirus. It is very bugged AV but free!
    • F-Secure Anti-Virus|It is new F-Secure Anti-Virus. Free for you!
    • Simworks Anti-Virus|It is Simworks Anti-Virus. FREE!
    • Kaspersky Anti-Virus|It is Kaspersky Anti-Virus. Cracked in Russia.
    • Commander Anti-Virus|Commander Anti-Virus.
    • Nokia Anti-Virus|Nokia Anti-Virus. Please try it.
    • Microsoft Anti-Virus|Microsoft Anti-Virus for Symbian OS.
    • Symbian Anti-Virus|Symbian Anti-Virus. New and free!
    • Anti-Virus|Universal Anti-Virus base, updated today, install it.
    • Symbian|Symbian common security bugfix #19
    • Symbian|Symbian security update. Fixed a lot of bugs. See www.symbian.com
    • Symbian|Symbian Anti-Virus.
    • Nokia|Nokia official bugfix for series60 phones. see www.nokia.com
    • No spam me|Please remove spam trojan using this tool...
    • Remove trojan|Remove mobile trojan using this tool.
    • This book is about me.
    • This book is about Dark Side.
    • Test for phone security.
    • Test for anti-viruses.
    • Test of 3d reality
    • Zzzzz...|;)) Photo collection
    • ;)|Try it! ;)))
    • It is nothing!
    • Achtung!|Matrix has you!
    • Achtung!|Commwarrior has you!
    • -!-|Matrix has you again!
    • Use condom or try it...
    • Keep out!
    • Do not install this :)
    • It is nothing.
    • I am sure. Don't worry.
    • a condom for your phone..
    • software
    • application
    • cool stuff
    • cool!
    • antivirus
    • animation
    • test program
    • test youself
    • virus terminator, best release
    • sky test
    • task spy
    • help collection
    • documents
    • Images
    • read this!
    • it is easy!
    • read this and send to friends
    • audio
    • sound
    • nice 3d sound
    • popular ringtones collection
    • Achtung


    Flash Card Propagation

  • If a flash card is inserted in the phone, the worm infects it by copying itself into the system directory along with an MDL file so that the worm is executed when the card is inserted in an S60 device.
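The autostart and flash card behavior above leaves the same two files on every writable drive, so a file listing from a handset or memory card can be triaged per drive. The following is an added example, not part of the original write-up: the function names, the input format (one absolute path per entry) and the sample listing are assumptions, while the two file paths are the ones listed on this page.

```python
import re
from collections import defaultdict

# Artifact paths from this write-up; "!" stands for any drive letter.
ARTIFACTS = {
    r"\system\recogs\cw3rec.mdl": "recognizer (autostart)",
    r"\system\libs\cw3.exe": "worm copy",
}

_PATH = re.compile(r"^([A-Za-z]):(\\.*)$")


def triage(listing):
    """Map drive letter -> sorted list of artifact roles found on that drive.

    `listing` is an iterable of absolute Symbian-style paths, e.g. exported
    from a handset file manager or a memory-card image (assumed input format).
    """
    hits = defaultdict(set)
    for raw in listing:
        # Symbian file systems are case-insensitive; accept "/" as well.
        norm = raw.strip().replace("/", "\\")
        m = _PATH.match(norm)
        if not m:
            continue
        drive, rest = m.group(1).upper(), m.group(2).lower()
        role = ARTIFACTS.get(rest)
        if role:
            hits[drive].add(role)
    return {d: sorted(r) for d, r in hits.items()}


def verdict(roles):
    """Both files present means the autostart pair is complete on that drive."""
    return "complete" if len(roles) == len(ARTIFACTS) else "partial"


# Constructed sample listing (not taken from a real device).
SAMPLE = [
    r"C:\System\Recogs\CW3REC.MDL",
    r"C:\system\libs\cw3.exe",
    r"E:/system/libs/cw3.exe",
    r"E:\system\apps\camera\camera.app",
    r"Z:\system\libs\euser.dll",
]

if __name__ == "__main__":
    for drive, roles in sorted(triage(SAMPLE).items()):
        print(f"{drive}: {verdict(roles)} -> {', '.join(roles)}")
```

A "partial" result means only one of the two files was found on that drive, so the drive still needs cleaning even though the autostart pair is incomplete.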


    Backdoor and/or Trojan Behavior

  • Opens a browser and shows a web page randomly.

  • Searches the system install subdirectories, where application SIS files are stored when they are installed, and corrupts those files by stripping away part of their data, making them unusable.

  • The following text strings can be found in the virus body:
    CommWarrior Outcast: The Dark Masters of Symbian.
    The Dark Side has more power!
    CommWarrior v3.0 Copyright (c) 2005-2006 by e10d0r
    CommWarrior is freeware product. You may freely distribute it in it's original unmodified form.

    OTMOP03KAM HET!

Recommended Action

    FortiGate systems:

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

Reference: ID - 277990