Commwarrior | |
---|---|
Type | Multi-vector worm |
Creator | e10d0r |
Date Discovered | 2005.03.07 |
Place of Origin | Russia |
Source Language | |
Platform | Symbian |
File Type(s) | .sis |
Infection Length | |
Reported Costs | |
Commwarrior is the first mobile phone worm to send a copy of itself via an MMS message. Previous mobile phone worms, such as Caribe and Lasco, sent themselves only to nearby phones over Bluetooth.
Behavior
Commwarrior arrives on a system through an MMS message. It may also come through Bluetooth as a randomly named file with a .sis extension. When it comes through MMS, there are 23 possible subject lines and message bodies, but the file is always named commw.sis.
- Subject: Norton AntiVirus Message: Released now for mobile, install it!
- Subject: 3DGame Message: 3DGame from me. It is FREE !
- Subject: 3DNow! Message: 3DNow!(tm) mobile emulator for *GAMES*.
- Subject: Audio driver Message: Live3D driver with polyphonic virtual speakers!
- Subject: CheckDisk Message: *FREE* CheckDisk for SymbianOS released!MobiComm
- Subject: Desktop manager Message: Official Symbian desctop manager.
- Subject: Display driver Message: Real True Color mobile display driver!
- Subject: Dr.Web Message: New Dr.Web antivirus for Symbian OS. Try it!
- Subject: Free SEX! Message: Free *SEX* software for you!
- Subject: Happy Birthday! Message: Happy Birthday! It is present for you!
- Subject: Internet Accelerator Message: Internet accelerator, SSL security update *7.
- Subject: Internet Cracker Message: It is *EASY* to *CRACK* provider accounts!
- Subject: MS-DOS Message: MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!
- Subject: MatrixRemover Message: Matrix has you. Remove matrix!
- Subject: Nokia ringtoner Message: Nokia RingtoneManager for all models.
- Subject: PocketPCemu Message: PocketPC *REAL* emulator for Symbvian OS! Nokia only.
- Subject: Porno images Message: Porno images collection with nice viewer!
- Subject: PowerSave Inspector Message: Save you battery and *MONEY*!
- Subject: Security update *12 Message: Significant security update. See www.symbian.com
- Subject: Symbian security update Message: See security news at www.symbian.com
- Subject: SymbianOS update Message: OS service pack *1 from Symbian inc.
- Subject: Virtual SEX Message: Virtual SEX mobile engine from Russian hackers!
- Subject: WWW Cracker Message: Helps to *CRACK* WWW sites like hotmail.com
When executed, the worm places several files in different directories. In \system\updates it places commwarrior.exe and commrec.mdl. In \system\apps\ it creates the subdirectory commwarrior and places two files with the same names as those in \system\updates. In \system\recogs\ it places commrec.mdl. It also places a rebuilt version of itself in \system\updates under the name commw.sis.
The worm then searches for Bluetooth-enabled devices and attempts to send a randomly named copy of itself with a .sis extension. Commwarrior then chooses a random phone number from the device phonebook and sends an MMS message with itself attached as commw.sis.
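The file locations and the fixed MMS attachment name described above can be turned into a simple triage check. The following is an added example, not code from any vendor or from the original page; the input formats (a plain list of device paths and a list of MMS records as dictionaries) and all sample data are constructed assumptions.

```python
import ntpath

# Drive-relative artifact paths from the description above, lower-cased.
ARTIFACTS = {
    r"\system\updates\commwarrior.exe",
    r"\system\updates\commrec.mdl",
    r"\system\updates\commw.sis",
    r"\system\apps\commwarrior\commwarrior.exe",
    r"\system\apps\commwarrior\commrec.mdl",
    r"\system\recogs\commrec.mdl",
}
MMS_ATTACHMENT = "commw.sis"  # fixed name over MMS; Bluetooth copies use random names

def normalize(path):
    """Strip the drive letter and unify separators and case.
    Assumption: the listing uses Symbian-style paths, treated as case-insensitive."""
    _, tail = ntpath.splitdrive(ntpath.normpath(path.strip()))
    return tail.lower()

def scan_listing(paths):
    """Return the sorted artifact paths that appear in a device file listing."""
    return sorted({normalize(p) for p in paths} & ARTIFACTS)

def suspicious_mms(messages):
    """Return MMS records with an attachment named commw.sis, whatever the subject."""
    return [m for m in messages
            if any(ntpath.basename(a).lower() == MMS_ATTACHMENT
                   for a in m.get("attachments", []))]

# Constructed sample data (not from a real device or message store).
SAMPLE_LISTING = [
    r"C:\System\Apps\Camera\Camera.app",
    r"C:\System\Recogs\COMMREC.MDL",
    "C:/system/updates/commw.sis",
    r"E:\System\Apps\CommWarrior\commwarrior.exe",
    r"C:\Nokia\Installs\game.sis",
]
SAMPLE_MMS = [
    {"subject": "Dr.Web", "attachments": ["commw.sis"]},
    {"subject": "Holiday photos", "attachments": ["beach.jpg"]},
    {"subject": "Re: update", "attachments": ["CommW.SIS"]},
]

if __name__ == "__main__":
    for hit in scan_listing(SAMPLE_LISTING):
        print("artifact:", hit)
    for msg in suspicious_mms(SAMPLE_MMS):
        print("mms:", msg["subject"])
```

Matching on the attachment name rather than the subject covers all 23 subject and body variants; copies received over Bluetooth have random names and are only caught by the file-path check after installation.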
It contains text indicating its creator and origin:
A l r e a d y a c t i v e
CommWarrior v1.0 (c) 2005 by e10d0r
CommWarrior is freeware product. You may freely distribute it in it's original unmodified form.
OTMOP03KAM HET!
The word "отморозкам" (pronounced otmorozkam) is Russian for stupid people, scumbags or goons and "нет" (nyet) is no.
Variants
Commwarrior.B was discovered in Finland in late May 2005. A user in Finland found that his device had become infected with the worm and was invited to bring his phone to the F-Secure lab. F-Secure analyzed the phone in a radio-shielded lab and discovered it was infected with the .B variant. The phone was soon disinfected at the lab.
It also contains some text:
CommWarrior Outcast: The dark side of Symbian Force.
CommWarrior v2.0-PRO. Copyright (c) 2005 by e10d0r
CommWarrior is freeware product. You may freely distribute it
in it's original unmodified form.
With best regards from Russia.
OTMOP03KAM HET!
Origin
Commwarrior almost certainly comes from Russia, as text in the first variant is in Russian, and the text in the second variant pretty much confirms it comes from Russia. However, discussions of an MMS worm began on a Serbian forum in January 2005. No Serbian connection to the worm itself has been discovered.
Effects
Commwarrior was known to be in the wild in Finland, home of Nokia (which at the time made mostly Symbian-based mobile phones). In the Philippines, a Philippine Star reporter had a phone that became infected with the worm. On May 6, Greece became the 21st country with a Commwarrior sighting. It was also sighted in several other countries including Ireland, India, Oman, Italy and South Africa.
Sources
Frederic Perriot, Peter Ferrie. Symantec, SymbOS.Commwarrior.A. 2007.02.13
F-Secure Antivirus, Worm:SymbOS/Commwarrior.
Eden Estopace. The Philippine Star, CommWarrior unleashed!. 2005.03.19