SymbOS/Comwar.v20pro!worm

Alias/es: Symb/Comwar-C, SymbOS/Commwarrior.C, SymbOS/Commwarrior.c!exe, SymbOS/Comwar.C!wm, SymbOS/Comwar.C-net, SYMBOS_COMWAR.C, Worm.SymbOS.Comwar.c, SymbOS/Comwar.C!worm
Release Date: Feb 23, 2006
Detection Availability
Active Database    Extended Database
FortiGate    low    high
FortiClient
FortiMail    N/A
Current Antivirus Definition Database Version: 12.323
Description

Visible Symptoms

  • This variant includes an EPOC executable with an .EXE extension, named "cwoutcast.exe".

  • This virus spreads to Series 60 mobile devices that run the Symbian operating system.

Detailed Analysis

This threat may arrive as an installable Symbian archive file (with .SIS file extension). The recipient will first notice a request to receive the "program" (virus) in the form of a simple question dialogue window. The message may be similar to the one below -

Receive message via Bluetooth from %phone model%?
Yes
No

The virus is persistent: even after "No" is pressed, multiple further requests may be received. The barrage of requests can be numerous and annoying enough that the owner of the receiving device eventually gives in and accepts, allowing the virus to be received and installed, which infects the device.

Upon installation, the virus will create a subfolder in the "System\Apps" folder -

system\apps\symcommander

In this folder, the virus will drop two Symbian executable files (and two related files) -

cwoutcast.exe (40,432 bytes)
symcommander.app (27,040 bytes)

symcommander.aif (806 bytes)
symcommander.rsc (409 bytes)
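
One way to check an extracted copy of a handset's file system for the folder and files listed above (an added example, not part of the original description; the image root directory, the function names and the verdict labels are assumptions):

```python
import os

# File names and sizes exactly as listed in the description above.
EXPECTED = {
    "cwoutcast.exe": 40432,
    "symcommander.app": 27040,
    "symcommander.aif": 806,
    "symcommander.rsc": 409,
}
TARGET_DIR = ("system", "apps", "symcommander")


def scan_image(root):
    """Return findings for every system\\apps\\symcommander folder under root.

    root is a hypothetical directory holding an extracted copy of the phone's
    file system. Matching ignores case (the page writes System\\Apps and system\\apps).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        parts = tuple(p.lower() for p in rel.split(os.sep))
        if parts[-3:] != TARGET_DIR:
            continue
        for name in sorted(files):
            expected = EXPECTED.get(name.lower())
            if expected is None:
                continue
            size = os.path.getsize(os.path.join(dirpath, name))
            findings.append({
                "path": os.path.join(rel, name),
                "size": size,
                # Name plus size is a strong match; name alone may be another
                # build or a truncated copy and needs manual review.
                "confidence": "high" if size == expected else "review",
            })
    return findings


def verdict(findings):
    """Summarise: 'infected' when all four listed files match name and size."""
    exact = {os.path.basename(f["path"]).lower()
             for f in findings if f["confidence"] == "high"}
    if exact == set(EXPECTED):
        return "infected"
    return "suspicious" if findings else "clean"
```
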

This virus uses two general spreading methods - Bluetooth and MMS. To use both, it uses imports from several system .DLLs to help it spread to other phones -

Bluetooth wireless libraries
BLUETOOTH.DLL
SDPAGENT.DLL
SDPDATABASE.DLL

Telephony server libraries
ETEL.DLL
GSMBAS.DLL - GSM extension
GSMU.DLL - GSM MMS Stack

IrDA libraries
IROBEX.DLL - IrDA object exchange protocol

The virus seeks nearby phones using the Bluetooth protocol. For every device found, the virus will attempt to send itself to that device. The virus also browses the phone contact list and sends an MMS message containing a copy of the virus to the contacts listed. The MMS message attachment is a randomly named .SIS Symbian installer containing a copy of the virus.

Miscellaneous
The virus file "cwoutcast.exe" contains the following strings -

CommWarrior Outcast: The dark side of Symbian Force.
CommWarrior v2.0-PRO. Copyright (c) 2005 by e10d0r
CommWarrior is freeware product. You may freely distribute it
in it's original unmodified form.
With best regards from Russia.

OTMOP03KAM HET!

The virus file "symcommander.app" contains the following strings -

Symbian Commander
Version 1.05
A.Prokofiev
UNTEH 2005

 

 

Description Last Updated Date: Mar 11, 2008
Reference: ID - 432699