Threat Encyclopedia

SYMBOS_COMWAR.A

Malware type: Symbian

Aliases: Worm.SymbOS.Comwar.a (Kaspersky), SymbOS/Commwarrior.a!sis (McAfee), SymbOS.Commwarrior.B (Symantec), SYMBOS/Comwarrior.K (Avira)

In the wild: Yes

Destructive: No

Language: English

Platform: Symbian OS Series 60

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: Low

Distribution potential: Low

Description: 

This Symbian malware can infect mobile devices running Symbian OS. It may be downloaded from certain Web sites as the archive file COMMWARRIOR.ZIP, which contains the malware installer COMMWARRIOR.SIS. It propagates via Bluetooth using random file names. It may also spread by sending MMS messages with predefined contents.

Upon execution on a mobile device, this malware installs itself by dropping the following files:

  • C:\system\apps\CommWarrior\commwarrior.exe
  • C:\system\apps\CommWarrior\commrec.mdl

This malware affects mobile phones running Symbian OS Series 60, such as the following:

  • Nokia 3650, 3600
  • Nokia 3660, 3620
  • Nokia 6600
  • Nokia 6620
  • Nokia 7610
  • Nokia 7650
  • Nokia N-Gage
  • Panasonic X700
  • Sendo X
  • Siemens SX1


Description created: Mar. 7, 2005 6:07:21 PM GMT -0800
Description updated: Mar. 31, 2005 2:38:21 AM GMT -0800


TECHNICAL DETAILS


File type: EPOC

Memory resident:  Yes

Size of malware: 32,768 bytes

Initial samples received on: Mar 7, 2005

Details:

This Symbian malware can infect mobile devices running Symbian OS. It may be downloaded from certain Web sites as the archive file COMMWARRIOR.ZIP, which contains the malware installer COMMWARRIOR.SIS. It propagates via Bluetooth using random file names.

When the file arrives, the following message, which warns the user of the possibly malicious nature of the file, appears before the malware is installed:

Receive message via Bluetooth from Bluetooth device?

Accepting the message allows the malware copy to enter the Inbox:

Inbox

The following messages then appear, further warning the user of the malicious nature of the file:

Install only if you trust provider.

Install CommWarrior?

Once installed and active, it drops the following files:

  • C:\system\apps\CommWarrior\commwarrior.exe
  • C:\system\apps\CommWarrior\commrec.mdl

These files can then be viewed from the list of applications:

C:\system\apps\CommWarrior

After several delays, it also drops the following components:

  • C:\system\updates\commwarrior.exe
  • C:\system\updates\commrec.mdl
  • C:\system\updates\commw.sis
  • C:\system\recogs\commrec.mdl

MMS Propagation

This malware attempts to spread via MMS messages. It is the first Symbian malware that attempts to use this propagation routine.

It attempts to create an MMS that contains any of the following details:

Subject: Norton AntiVirus
Message: Released now for mobile, install it!

Subject: 3DGame
Message: 3DGame from me. It is FREE !

Subject: 3DNow!
Message: 3DNow!(tm) mobile emulator for *GAMES*.

Subject: Audio driver
Message: Live3D driver with polyphonic virtual speakers!

Subject: CheckDisk
Message: *FREE* CheckDisk for SymbianOS released!MobiComm

Subject: Desktop manager
Message: Official Symbian desctop manager.

Subject: Display driver
Message: Real True Color mobile display driver!

Subject: Dr.Web
Message: New Dr.Web antivirus for Symbian OS. Try it!

Subject: Free SEX!
Message: Free *SEX* software for you!

Subject: Happy Birthday!
Message: Happy Birthday! It is present for you!

Subject: Internet Accelerator
Message: Internet accelerator, SSL security update #7.

Subject: Internet Cracker
Message: It is *EASY* to *CRACK* provider accounts!

Subject: MS-DOS
Message: MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!

Subject: MatrixRemover
Message: Matrix has you. Remove matrix!

Subject: Nokia ringtoner
Message: Nokia RingtoneManager for all models.

Subject: PocketPCemu
Message: PocketPC *REAL* emulator for Symbvian OS! Nokia only.

Subject: Porno images
Message: Porno images collection with nice viewer!

Subject: PowerSave Inspector
Message: Save you battery and *MONEY*!

Subject: Security update #12
Message: Significant security update. See www.symbian.com

Subject: Symbian security update
Message: See security news at www.symbian.com

Subject: SymbianOS update
Message: OS service pack #1 from Symbian inc.

Subject: Virtual SEX
Message: Virtual SEX mobile engine from Russian hackers!

Subject: WWW Cracker
Message: Helps to *CRACK* WWW sites like hotmail.com

It also attempts to attach a copy of its .SIS installer in these MMS messages. A sample MMS message by the malware may look as follows:

SYMBOS_COMWAR.A sample MMS message

This malware affects mobile phones running Symbian OS Series 60, such as the following:

  • Nokia 3650, 3600
  • Nokia 3660, 3620
  • Nokia 6600
  • Nokia 6620
  • Nokia 7610
  • Nokia 7650
  • Nokia N-Gage
  • Panasonic X700
  • Sendo X
  • Siemens SX1

Other Details

This malware contains the following strings in its code:

  • BAFL[10003a0f].DLL
  • BLUETOOTH.DLL
  • EFSRV[100039e4].DLL
  • ESOCK[10003d3f].DLL
  • EUSER[100039e5].DLL
  • IROBEX[10003d57].DLL
  • MSGS[10004e66].DLL
  • PBKENG[101f4cce].DLL
  • PLPVARIANT[10009b13].DLL
  • SDPAGENT[10009222].DLL
  • SDPDATABASE[10009220].DLL

Moreover, its code contains the following message:

CommWarrior v1.0 (c) 2005 by e10d0r
CommWarrior is freeware product. You may freely distribute it in it's original unmodified form.
OTMOP03KAM HET!

Analysis By: Michael de Leon Lactaotao

Revision History:

First pattern file version: 2.479.02
First pattern file release date: Mar 07, 2005

SOLUTION


Minimum scan engine version needed: 7.500

Pattern file needed: 4.614.06

Pattern release date: Jul 24, 2007


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

TMMS 1.0 for Symbian/UIQ information

  • Product Version 1.0.1085
  • Scan engine: 7.460-1003
  • Virus Pattern: 1.107.00

TREND MICRO MOBILE SECURITY SOLUTION

I. Using the Trend Micro Mobile Security Solution (for proactive detection in uninfected phones)

  1. Download the latest Trend Micro Mobile Security Solution from this site.
  2. Connect the device to the computer using an available file transfer connection, such as a USB cable or a Bluetooth device.
    1. For USB cable:
      • Make sure the device and your computer have established a proper connection.
      • Execute the TMMS cleaner from your computer to start installation.
      • Install the TMMS cleaner.
    2. For Bluetooth device:
      • Make sure the device and your computer have established a proper connection via Bluetooth.
      • Transfer the TMMS cleaner file to the phone device.
      • Execute the TMMS cleaner from the phone device for installation.
  3. Restart the phone device.
  4. To verify if the device is cleaned, the following dropped files should have been deleted:
    • Commrec.mdl (2.1 KB)
    • Commwarrior.exe (23.9 KB)

II. Using SYMBOS_COMWAR.A Clean Tool (for systems already infected)

Trend Micro has released SYMBOS_COMWAR Clean Tool, which terminates the active malware process and automatically removes this malware from infected devices.

Download the SYMBOS_COMWAR Clean Tool and install it onto a memory card using an uninfected device.

(Note: Choose to install in the memory card instead of the phone memory.) Put the memory card with SYMBOS_COMWAR Clean Tool into the infected device. Start up the infected device. This will terminate the active malware process, and automatically remove this malware from the infected device.

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

  1. Choose the malware file from the list of applications.


  2. Choose Cancel or Remove to terminate the process.


Deleting Malware Files

  1. Download a file manager into the affected device.
  2. Delete the following folder using the file manager:
    %System drive%\system\apps\CommWarrior
  3. Delete also the following files:
    • C:\system\updates\commwarrior.exe
    • C:\system\updates\commrec.mdl
    • C:\system\updates\commw.sis
    • C:\system\recogs\commrec.mdl
    (Note: %System drive% is the default system drive, which is usually drive C. Also, if you were not able to delete the malware files, as described in the previous procedure, restart your device.)
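
To confirm that manual removal is complete, the following added example (not part of the original write-up and not a Trend Micro tool) checks a file listing exported from the device against the dropped files named above. The listing format and the sample entries are constructed, and matching the later-dropped files on any drive letter rather than only C: is an assumption.

```python
import re

# Artefact paths from the write-up, stored drive-relative and lower-cased.
# Assumption: the drive letter is ignored, since the system drive is only
# "usually" C: according to the removal note.
INSTALL_DIR = r"\system\apps\commwarrior"      # whole folder is removed
LATER_FILES = {
    r"\system\updates\commwarrior.exe",
    r"\system\updates\commrec.mdl",
    r"\system\updates\commw.sis",
    r"\system\recogs\commrec.mdl",
}

def normalise(path):
    """Return the lower-case drive-relative path, or None if not absolute."""
    p = path.strip().replace("/", "\\").lower()
    m = re.match(r"^[a-z]:(\\.*)$", p)
    if not m:
        return None
    return re.sub(r"\\+", r"\\", m.group(1))   # collapse doubled separators

def find_remnants(listing):
    """Group listed paths by infection stage: initial install or later drops."""
    hits = {"install": [], "later": []}
    for raw in listing:
        rel = normalise(raw)
        if rel is None:
            continue
        # Match the folder itself or anything under it, not look-alike names.
        if rel == INSTALL_DIR or rel.startswith(INSTALL_DIR + "\\"):
            hits["install"].append(raw.strip())
        elif rel in LATER_FILES:
            hits["later"].append(raw.strip())
    return hits

def is_clean(listing):
    """True when none of the dropped files or folders remain."""
    hits = find_remnants(listing)
    return not hits["install"] and not hits["later"]

# Constructed sample listing (mixed case, mixed separators, a look-alike folder).
SAMPLE_LISTING = [
    "C:\\System\\Apps\\CommWarrior\\CommWarrior.exe",
    "C:\\system\\apps\\Camera\\camera.app",
    "c:/system/recogs/commrec.mdl",
    "E:\\system\\updates\\commw.sis",
    "C:\\system\\apps\\CommWarriorTools\\readme.txt",
    "C:\\system\\recogs\\other.mdl",
]
```

A hit under "later" with nothing under "install" means the application folder was deleted but the components dropped after the delays were left behind.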

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as SYMBOS_COMWAR.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.



