Visible Symptoms
- When this threat is received by an applicable Series
60 phone running Symbian OS version 6 [or higher],
a prompt is displayed asking the recipient if they
want to install "Caribe"
- An infected phone may experience rapid battery power
loss due to the constant efforts by the virus to infect
other phones via a Bluetooth seek-and-connect outreach
- These files are created under the system path
on an infected phone -
\system\apps\CommWarrior\commwarrior.exe
\system\apps\CommWarrior\commrec.mdl
\system\updates\commrec.mdl
\system\updates\commwarrior.exe
\system\updates\commw.sis
Detailed Analysis
This threat contains these strings that are not displayed
at any time -
CommWarrior
v1.0b (c) 2005 by e10d0r
CommWarrior is freeware product. You may freely distribute
it in it's original unmodified form.
OTMOP03KAM HET!
This is a virus for Series 60 type cell phones running
Symbian OS version 6 [or higher], such as Nokia among
other brands. The object of the virus is to spread to
other phones using Bluetooth and MMS as transport avenues.
The targets are selected from the contact list of the
infected phone and also sought via Bluetooth searching
for other Bluetooth-enabled devices (phones, printers,
gaming devices etc.) in the proximity of the infected
phone.
This virus is slightly more than a proof of concept
- it has successfully proven its ability to move
from a zoo collection to being in-the-wild. Currently,
this virus is being reported in over 18 different countries
around Europe, Asia and North America.
Initially upon installing itself (after the recipient
grants authorization to receive and run the "application"),
the virus will copy itself as the following files -

File                               Size           Description
\system\recogs\commrec.mdl         2,152 bytes    "app" loader
\system\updates\commrec.mdl        2,152 bytes    "app" loader
\system\updates\commwarrior.exe    24,516 bytes   virus program
\system\updates\commw.sis          27,162 bytes   package

The "recogs" folder commonly stores programs
known as "recognizers". The recognizer in
this case is "commrec.mdl".
Load at phone bootup
When the phone powers on, the loader runs CommWar as
"commwarrior.exe" from its installed location.
CommWar will read from the phone contact list and attempt
to send itself using MMS.
MMS distribution
The virus attempts to send itself to contacts found
on the infected phone using MMS. The message carries
a MIME type that tells the receiving application
how to treat the attachment -
application/vnd.symbian.install
The receiving phone may receive one of several hard-coded
messages - the actual message depends on which one the
virus chooses, based on a randomizer routine. The following
are examples of what a targeted phone may expect to
receive (subject, message) -
Norton AntiVirus
Released now for mobile, install it!
Dr.Web
New Dr.Web antivirus for Symbian OS. Try it!
MatrixRemover
Matrix has you. Remove matrix!
3DGame
3DGame from me. It is FREE !
MS-DOS
MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!
PocketPCemu
PocketPC *REAL* emulator for Symbvian OS! Nokia only.
Nokia ringtoner
Nokia RingtoneManager for all models.
Security update #12
Significant security update. See www.symbian.com
Display driver
Real True Color mobile display driver!
Audio driver
Live3D driver with polyphonic virtual speakers!
Symbian security update
See security news at www.symbian.com
SymbianOS update
OS service pack #1 from Symbian inc.
Happy Birthday!
Happy Birthday! It is present for you!
Free SEX!
Free *SEX* software for you!
Virtual SEX
Virtual SEX mobile engine from Russian hackers!
Porno images
Porno images collection with nice viewer!
Internet Accelerator
Internet accelerator, SSL security update #7.
WWW Cracker
Helps to *CRACK* WWW sites like hotmail.com
Internet Cracker
It is *EASY* to *CRACK* provider accounts!
PowerSave Inspector
Save you battery and *MONEY*!
3DNow!
3DNow!(tm) mobile emulator for *GAMES*.
Desktop manager
Official Symbian desctop manager.
CheckDisk
*FREE* CheckDisk for SymbianOS released!
MobiComm
MobiComm, Mobile communications inspector. Try it!
The MMS message will have an attachment of a randomized
name with a .SIS extension. If the user runs the attached
file, it will install the virus.
The .SIS file contains the full path used when the
virus is extracted. The virus and loader are installed
to this location -
\system\apps\CommWarrior\
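
The MMS traits described above (the application/vnd.symbian.install
MIME type, a randomized attachment name ending in .SIS, and a subject
drawn from the hard-coded list) can be turned into a gateway-side
check. The following is an added example, not part of the original
write-up. It assumes the message has already been decoded to RFC 822/MIME
text at a filtering point; the verdict names, the build() helper and the
sample messages are constructed for illustration.

```python
from email import message_from_string

SIS_MIME = "application/vnd.symbian.install"  # MIME type named in the write-up
# Some of the hard-coded subjects listed above, lower-cased; extend as needed.
KNOWN_SUBJECTS = {"norton antivirus", "dr.web", "matrixremover", "3dgame",
                  "security update #12", "symbian security update",
                  "symbianos update", "happy birthday!"}

def score_message(raw):
    """Return (verdict, reasons) for one message given as RFC 822/MIME text."""
    msg = message_from_string(raw)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_content_type() is already lower-cased by the email module
        if part.get_content_type() == SIS_MIME:
            reasons.append("sis-mime-type")
        # the attachment name is randomized, so only the extension is useful
        if (part.get_filename() or "").lower().endswith(".sis"):
            reasons.append("sis-extension")
    if not reasons:
        return "pass", reasons            # no Symbian installer attached
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        return "block", reasons + ["known-subject"]
    return "quarantine", reasons          # installer with an unfamiliar lure

def build(subject, ctype, filename):
    """Constructed sample message (not captured traffic)."""
    return (f"Subject: {subject}\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nTry it!\n"
            f'--b1\nContent-Type: {ctype}; name="{filename}"\n'
            f'Content-Disposition: attachment; filename="{filename}"\n'
            "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n")

SAMPLES = {
    "lure": build("Security update #12", SIS_MIME, "a7k2q.sis"),
    "mislabelled": build("hi", "application/octet-stream", "x9.SIS"),
    "photo": build("Holiday", "image/jpeg", "beach.jpg"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, *score_message(raw))
```

The "mislabelled" sample shows why the extension is checked separately:
a .SIS attachment sent with a generic MIME type is still held for review.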
Bluetooth distribution
The virus also has the ability to seek Bluetooth-enabled
devices. Devices found could receive numerous messages
asking to install "Caribe". The request is
persistent and annoying. It is important to note that
phones that have not been configured to allow connection
via this seek-and-find method are not susceptible to
this attack.