Virtual Sex with Commwarrior

Now that I have your attention :) Commwarrior is a worm that is spreading among Bluetooth-enabled cellular phones. More precisely, it spreads to Symbian Series 60 devices using MMS and Bluetooth.

MMS, for those who don’t know, stands for “Multimedia Messaging System”, a younger brother of SMS that allows 3G cellular phones to send short sounds, movie clips and other multimedia as a message that looks like an SMS, using the Internet Message Format (RFC 2822). MMS is becoming highly popular, like many other gimmicks of the 3rd generation and the world of cellular phones.

Anyway, as far as I could find, there are two versions of Commwarrior, and both of them spread using the “Virtual Sex” lure. The worm spreads by looking for Bluetooth phones nearby and sending them an infected SIS file. The SIS files that Commwarrior sends have random file names, so you can’t just ignore a certain file name and be safe.

Independently of Bluetooth, the worm also tries to send itself by MMS to all of the phone numbers listed in the contact/address book.

Here are some details from F-Secure about the worm:

Commwarrior contains the following texts:

CommWarrior v1.0 (c) 2005 by e10d0r
OTMOP03KAM HET!

The text “OTMOP03KAM HET!” is Russian and means roughly “No to braindeads”.

Replication over Bluetooth

Commwarrior replicates over Bluetooth in SIS files that have a random name; the SIS file contains the worm's main executable commwarrior.exe and the boot component commrec.mdl.

The SIS file contains autostart settings that will automatically execute commwarrior.exe after the SIS file is installed.

When the Commwarrior worm is activated, it will start looking for other Bluetooth devices and send a copy of itself to each of these phones, one after another. If the target phone goes out of range or rejects the file transfer, Commwarrior will search for another phone.

The replication mechanism of Commwarrior is different from that of Cabir. The Cabir worm locks onto one phone as long as it is in range and, depending on the variant, will either look for another variant after losing contact or stay locked.

The Commwarrior worm will look for new targets after sending itself to the first target; thus it is able to contact all phones in range, possibly spreading faster than Cabir.

Commwarrior replicates over Bluetooth only from 08:00 to 23:59, based on the phone’s own clock.

Replication over MMS

Commwarrior replicates over MMS by sending MMS messages that contain an infected SIS file to other users. The MMS messages contain a variable text message and the Commwarrior SIS file with the filename commw.sis.

Unlike in Bluetooth spreading, the SIS file name is constant; otherwise the SIS file is identical to the one sent in Bluetooth spreading.

The numbers where Commwarrior sends the MMS messages are read from the phone address book.

Commwarrior uses the following texts in MMS spreading:

MatrixRemover
Matrix has you. Remove matrix!

3DGame
3DGame from me. It is FREE !

MS-DOS
MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!

PocketPCemu
PocketPC *REAL* emulator for Symbvian OS! Nokia only.

Nokia ringtoner
Nokia RingtoneManager for all models.

Security update #12
Significant security update. See www.symbian.com

Display driver
Real True Color mobile display driver!

Audio driver
Live3D driver with polyphonic virtual speakers!

Symbian security update
See security news at www.symbian.com

SymbianOS update
OS service pack #1 from Symbian inc.

Happy Birthday!
Happy Birthday! It is present for you!

Free SEX!
Free *SEX* software for you!

Virtual SEX
Virtual SEX mobile engine from Russian hackers!

Porno images
Porno images collection with nice viewer!

Internet Accelerator
Internet accelerator, SSL security update #7.

WWW Cracker
Helps to *CRACK* WWW sites like hotmail.com

Internet Cracker
It is *EASY* to *CRACK* provider accounts!

PowerSave Inspector
Save you battery and *MONEY*!

3DNow!
3DNow!(tm) mobile emulator for *GAMES*.

Desktop manager
Official Symbian desctop manager.

CheckDisk
*FREE* CheckDisk for SymbianOS released!MobiComm

Norton AntiVirus
Released now for mobile, install it!

Dr.Web
New Dr.Web antivirus for Symbian OS. Try it!

Infection

When the Commwarrior SIS file is installed, the installer will copy the worm executables into the following locations:

\system\apps\CommWarrior\commwarrior.exe
\system\apps\CommWarrior\commrec.mdl

When commwarrior.exe is executed, it copies the following files:

\system\updates\commrec.mdl
\system\updates\commwarrior.exe

And rebuilds its SIS file to:

\system\updates\commw.sis

After recreating the SIS file the worm starts spreading over MMS.

Commwarrior replicates over MMS only from 00:00 to 06:59, based on the phone’s own clock.
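
As an added example (not code from F-Secure or from this post), the MMS indicators described above, namely the constant attachment name commw.sis, the lure subjects and the 00:00 to 06:59 sending window, can be combined into a simple scoring filter on the messaging side. It assumes messages are available in RFC 2822/MIME form; the weights, threshold, function names and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

# Indicators from the description above. LURES is a subset of the quoted
# subject list; the weights and threshold are assumptions of this example.
LURES = {"virtual sex", "free sex!", "security update #12", "dr.web",
         "symbian security update", "symbianos update", "norton antivirus"}
WEIGHTS = {"sis-attachment": 1, "commw.sis": 3, "lure-subject": 2, "night-window": 1}
THRESHOLD = 4

def score_message(raw: bytes):
    """Return (score, reasons) for one RFC 2822/MIME message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = [(p.get_filename() or "").strip().lower() for p in msg.walk()]
    sis = [n for n in names if n.endswith(".sis")]
    reasons = []
    if sis:
        reasons.append("sis-attachment")
    if "commw.sis" in sis:                      # constant name used over MMS
        reasons.append("commw.sis")
    if str(msg.get("Subject", "")).strip().lower() in LURES:
        reasons.append("lure-subject")
    try:
        # Assumes the Date header reflects the sending phone's clock and offset.
        hour = parsedate_to_datetime(str(msg.get("Date", ""))).hour
        if sis and 0 <= hour <= 6:              # MMS window 00:00-06:59
            reasons.append("night-window")
    except (TypeError, ValueError):
        pass                                    # missing or malformed Date
    return sum(WEIGHTS[r] for r in reasons), reasons

def build_sample(subject, date, filename):
    """Constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["Subject"], m["Date"] = subject, date
    m.set_content("body text")
    m.add_attachment(b"placeholder, not a real SIS", maintype="application",
                     subtype="vnd.symbian.install", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for args in [("Virtual SEX", "Tue, 08 Mar 2005 03:15:00 +0200", "commw.sis"),
                 ("Holiday photos", "Tue, 08 Mar 2005 14:00:00 +0200", "trip.jpg")]:
        score, why = score_message(build_sample(*args))
        print(args[0], score, why, "QUARANTINE" if score >= THRESHOLD else "pass")
```

A randomly named SIS file, as used in the Bluetooth spreading, scores only on the attachment type, which is why the filename alone is not a sufficient signal.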

For reference please look at:
F-Secure Commwarrior.A
F-Secure Commwarrior.B
MMS
rfc2822
Some Bluetooth stuff
Bluetooth specs

  • http://tsbedi.orgunderconstruction tejinder singh bedi

    how to delete infections caused by Symbian0(TM) CommWarrior Version 1.0.0 and Internet Accelerator SSL Security Update#7

    AND MORE IMPORTANTLY HOW CAN ONE TRACK OR TRACE SENDER’s DETAILS/CONTACTS

    Kindly advise by email if possible. Thanks and regards