Virtual Sex with Commwarrior
Now that I have your attention well Commwarrior is a worm that is spreading to Bluetooth based Cellular phones. Actually it spreads to Symbian Series 60 devices using MMS and Bluetooth communication.
MMS, for those that don’t know, stands for “Multimedia Messaging System”, a younger brother of SMS, that allows 3G cellular phones to send short sounds, movie clips and other multimedia as a message that looks like SMS, using the Internet Message Format (RFC 2822) . MMS starting to be highly popular like many other gimmicks of the 3rd generation and the world of cellular phones.
Anyway, as far as I could find, there are two versions of Commwarrior, both of them spread by “Virtual Sex”. It does so by looking for Bluetooth phones near by, and sending them infected SIS file. The SIS files that Comwarrior sends are named with random file names, so you can’t just ignore a certain file name and be safe.
Regardless of Bluetooth, the worm also tries to send MMS with itself to all of the phones listed on the contact/address books.
Here some details from F-Secrue about the worm:
The Comwarrior contains the following texts:
CommWarrior v1.0 (c) 2005 by e10d0r
The text “OTMOP03KAM HET!” is Russian and means roughly “No to braindeads”.
Replication over bluetooth
Comwarrior replicates over bluetooth in SIS files that have random name, the SIS file contains the worm main executable commwarrior.exe and boot component commrec.mdl.
The SIS file contains autostart settings that will automatically execute commwarrior.exe after the SIS file is being installed.
When Comwarrior worm is activated it will start looking for other bluetooth devices, and send a copy of itself to each of these phones one after another. If target phone goes out of range or rejects file transfer, the commwarrior will search for another phone.
The replication mechanism of Comwarrior is different than in Cabir. The Cabir worm locks into one phone as long as it is in range, and depending on the variant will either look another variant after losing contact or stay locked.
The Comwarrior worm will look for new targets after sending itself to the first target, thus it is able to contact all phones in range. And possible spreading faster than Cabir.
Commwarrior replicates over Bluetooth only from 08:00 to 23:59, based on the phone’s own clock.
Replication over MMS
Comwarrior replicates over MMS by sending MMS messages that contain infected SIS file to other users. The MMS messages contain variable text message and Comwarrior SIS file with filename commw.sis.
Unlike in bluetooth spreading the SIS file name is constant, otherwise the SIS file is identical to the one sent in bluetooth spreading.
The numbers where Commwarrior sends the MMS messages are read from the phone address book.
The comwarrior uses following texts in MMS spreading:
Matrix has you. Remove matrix!
3DGame from me. It is FREE !
MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!
PocketPC *REAL* emulator for Symbvian OS! Nokia only.
Nokia RingtoneManager for all models.
Security update #12
Significant security update. See www.symbian.com
Real True Color mobile display driver!
Live3D driver with polyphonic virtual speakers!
Symbian security update
See security news at www.symbian.com
OS service pack #1 from Symbian inc.
Happy Birthday! It is present for you!
Free *SEX* software for you!
Virtual SEX mobile engine from Russian hackers!
Porno images collection with nice viewer!
Internet accelerator, SSL security update #7.
Helps to *CRACK* WWW sites like hotmail.com
It is *EASY* to *CRACK* provider accounts!
Save you battery and *MONEY*!
3DNow!(tm) mobile emulator for *GAMES*.
Official Symbian desctop manager.
*FREE* CheckDisk for SymbianOS released!MobiComm
Released now for mobile, install it!
New Dr.Web antivirus for Symbian OS. Try it!
When the Comwarrior SIS file is installed the installer will copy the worm executables into following locations:
When the comwarrior.exe is executed it copies the following files:
And rebuilds it’s SIS file to:
After recreating the SIS file the worm starts spreading over MMS.
Commwarrior replicates over MMS only from 00:00 to 06:59, based on the phone’s own clock.