Sunday, July 19, 2009

TROJAN AGE ON A CLOSE LOOK AT SYMBANION

SymbOS/Commwarrior.C

Type: Trojan
SubType: PDA Device
Discovery Date: 10/13/2005
Length:
Minimum DAT: 4605 (10/14/2005)
Updated DAT: 4605 (10/14/2005)
Minimum Engine: N/A
Description Added: 10/14/2005
Description Modified: 10/17/2005 2:02 PM (PT)

Field definitions (from the McAfee description template):

Type: Type of threat.
SubType: Additional type information.
Discovery Date: Date that AVERT discovered this threat.
Length: File size, in bytes, of the threat.
Minimum DAT: McAfee DAT files contain detection and repair information for threats. The Minimum DAT field specifies the lowest/oldest DAT version that is capable of detecting the first incarnation of a threat, and its release date. The highest/newest DAT version should always be used for the most complete protection; the latest versions are available on the Anti-Virus Updates page.

Each description displays the minimum, fully tested DAT version that includes regular detection for a particular threat. These fully tested DATs are released on a daily basis. If necessary, they are also released when a Medium, Medium On Watch, or High risk threat is discovered. An EXTRA.DAT will also be posted for these more prevalent threats, if necessary.

For each description listed, detection is always available. In the event that the DAT version specified is not yet available, an EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page. Alternatively, minimally tested HOURLY BETA DAT files are available for downloading.

Updated DAT: McAfee DAT files are constantly being updated to enhance detection capabilities. The Updated DAT field specifies the released DAT version that contains the most up-to-date detection.
Minimum Engine: The scan engine uses the DAT files to detect threats. The Minimum Engine field specifies the lowest/oldest engine version that is capable of detecting this threat. The highest/newest engine version should always be used for the most complete protection; the latest versions are available on the Anti-Virus Updates page.
Description Added: Date/time this description was published, in Pacific Time.
Description Modified: Date/time this description was last modified, in Pacific Time.

Risk Assessment

Corporate User: Low
Home User: Low

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Characteristics -

SymbOS/Commwarrior.C is a new variant of the SymbOS/Commwarrior.A worm, an enhanced version of Commwarrior.A.

The most important enhancement Commwarrior.C possesses over Commwarrior.A is a self-repairing and self-protection scheme.


Symptoms -

Rapid battery drain
Propagates via MMS to addresses in the user address book
Propagates to nearby Bluetooth devices

SymbOS/Commwarrior.C is distributed in a SIS file named “SymCommander_1_06.sis”. This malware also travels via Bluetooth (referred to as “network form” hereafter) in a randomly named SIS file.


When distributed in the original SIS file, SymbOS/Commwarrior.C is set to run upon install. The SIS file also installs a pirated copy of a third-party file manager.


When distributed in its network form, SymbOS/Commwarrior.C is also set to run upon install. It claims to be a program entitled “CWOutcast”.

Upon install, SymbOS/Commwarrior.C makes copies of itself and its SIS file to C:\System\Bootdata\lib and, if a memory card is installed, to E:\System\Bootdata\lib. It also copies its boot hook (cworec.mdl) to C:\system\recogs and E:\system\recogs.

SymbOS/Commwarrior.C has a built-in self-protection scheme:

If a boot hook is deleted, it will be replaced by the running worm.
If SymbOS/Commwarrior.C is deleted, its boot hook will replace the files.
If the cached copies of the malware are deleted, the device will reboot and the MDL will then replace the files.
Its process is protected.

Propagation via MMS has not been confirmed at this time.

SymbOS/Commwarrior.C contains slightly different text from Commwarrior.A:

CommWarrior Outcast: The dark side of Symbian Force.
CommWarrior v2.0-PRO. Copyright (c) 2005 by e10d0r
CommWarrior is freeware product. You may freely distribute it
in it's original unmodified form.
With best regards from Russia
OTMOP03KAM HET!
Method of Infection -

This malware requires that the user intentionally install it upon the device. As always, users should never install unknown or untrusted software. This is especially true for illegal software, such as cracked applications—they are a favorite vector for malware infection.



Removal -

Variants -
N/A

This virus arrives on your phone as a SIS file attached to a Bluetooth or MMS message; it may also arrive disguised as an installer for SymCommander or on an infected MMC card. Once installed on your phone, it sends itself to all Bluetooth devices in range, sends itself via MMS to all your contacts, and spreads via MMC.

SymbOS/CommWarrior.C is a Symbian worm that propagates via Bluetooth networks, Multimedia Messaging Services (MMS), and Multimedia cards (MMC).

Arrival and Installation

CommWarrior.C arrives disguised as a trojanized installer for SymCommander, a file and disk management tool for Symbian.

It appears in the phone’s menu with the SymCommander icon:

Once installed, it drops the following components:


!:\system\apps\SymCommander\cwoutcast.exe
!:\system\apps\SymCommander\SymCommander.rsc
!:\system\apps\SymCommander\SymCommander.aif
!:\system\apps\SymCommander\SymCommander.app
c:\system\apps\SymCommander\SymCommander
* ! signifies a user-defined drive (C or E)

cwoutcast.exe is immediately executed and it in turn drops the following files:

!:\system\Bootdata\lib\cwoutcast.exe
!:\system\recogs\cwrec.mdl
It also creates a randomly named SIS file which is a copy of SymbOS/CommWarrior.C. This SIS file is also dropped in the !:\system\apps\SymCommander\ and !:\system\Bootdata\lib\ folders and is used as the attachment during propagation.

When CommWarrior.C is active, the infected phone gets automatically rebooted at set intervals.

Propagation
Once installed and running, CommWarrior.C searches for available Bluetooth devices.
When it finds a target, it sends a copy of its SIS installer via Bluetooth:

Opening this message immediately installs the worm.

After a successful Bluetooth transfer, CommWarrior.C immediately searches for and infects new targets. Thus, it has the capability of quickly spreading and infecting all vulnerable phones within Bluetooth range.

CommWarrior.C also spreads via MMS messages. It monitors the device for incoming SMS messages and sends an infected MMS as a reply to each intercepted message. The reply's message body is a copy of the original message received, with the CommWarrior.C installer as the attachment. Here is a copy of an intercepted MMS message being sent by CommWarrior.C:
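The reply behaviour described above gives a defender a usable detection signal: an outgoing MMS that echoes the body of a just-received SMS back to its sender and carries a SIS attachment. The script below is an added example, not code from the original write-up or from any vendor quoted on this page; the single-line log format it parses (timestamp, direction, peer number, attachment, body) is an assumption constructed for the demo, as are the sample events.

```python
"""Flag outgoing MMS that match the SymbOS/CommWarrior.C auto-reply pattern.

Added example; the log format is constructed for this demo:
    <timestamp> <IN-SMS|OUT-MMS> <peer-number> attach=<name-or-none> body=<text>
The page states the worm answers an incoming SMS with an MMS whose body is a
copy of the received text and whose attachment is the worm's SIS installer.
"""
from collections import deque
import re

# One event per line; the body runs to the end of the line.
LINE = re.compile(
    r"^(?P<ts>\d+) (?P<kind>IN-SMS|OUT-MMS) (?P<peer>\+?\d+) "
    r"attach=(?P<attach>\S+) body=(?P<body>.*)$"
)


def parse(line):
    """Parse one constructed log line into a dict (attach=None when absent)."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    ev["attach"] = None if ev["attach"] == "none" else ev["attach"]
    return ev


def find_suspect_replies(lines, window=600):
    """Return the OUT-MMS events that echo a recent IN-SMS back to its sender
    with a .sis attachment. `window` is how many seconds of inbound SMS
    history to keep; older messages are discarded before each comparison."""
    recent = deque()  # inbound SMS events within the window, oldest first
    suspects = []
    for ev in (parse(l) for l in lines if l.strip()):
        while recent and ev["ts"] - recent[0]["ts"] > window:
            recent.popleft()
        if ev["kind"] == "IN-SMS":
            recent.append(ev)
            continue
        # Outgoing MMS: only worry about SIS attachments ...
        attach = (ev["attach"] or "").lower()
        if not attach.endswith(".sis"):
            continue
        # ... that go back to the sender of an identical recent text.
        for sms in recent:
            if sms["peer"] == ev["peer"] and sms["body"] == ev["body"]:
                suspects.append(ev)
                break
    return suspects


# Constructed sample: two worm-style echoes among ordinary traffic.
SAMPLE_LOG = """
1000 IN-SMS +4412345 attach=none body=are you coming tonight?
1007 OUT-MMS +4412345 attach=k3jd9.sis body=are you coming tonight?
1300 IN-SMS +4499999 attach=none body=call me
1320 OUT-MMS +4499999 attach=none body=ok will do
1400 OUT-MMS +4477777 attach=photo.jpg body=look at this
2100 IN-SMS +4488888 attach=none body=meeting at 5
2104 OUT-MMS +4488888 attach=x9q.sis body=meeting at 5
"""

if __name__ == "__main__":
    for ev in find_suspect_replies(SAMPLE_LOG.splitlines()):
        print(f"t={ev['ts']} to {ev['peer']} attach={ev['attach']} body={ev['body']!r}")
```

The body-equality test is what separates the worm's reply from a user genuinely answering a text with a picture message; a human reply with a SIS attachment and a different body is left alone, and an echo older than the window is not correlated. Running the block prints the two matching events at t=1007 and t=2104.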

CommWarrior.C also spreads through MMC cards. When one is inserted in an infected phone, the following components are copied onto the card:

e:\system\Bootdata\lib\cwoutcast.exe
e:\system\recogs\cwrec.mdl
When the infected MMC is then inserted into a clean device, it executes cwoutcast.exe and infects the new device.

Other Details

The following different sets of strings can be seen in its code:

CommWarrior Outcast: The dark side of Symbian Force.

CommWarrior v2.0-PRO. Copyright (c) 2005 by e10d0r

CommWarrior is freeware product. You may freely distribute it in it's original unmodified form.

With best regards from Russia.

SymbOS/CommWarrior.C only affects phones running Symbian S60.

Manual Disinfection

Scan your mobile device using UMU Scan and delete all files detected as SymbOS/CommWarrior.C.
Reboot your device to kill malware residue processes.
Download a third party File Explorer.
Locate and delete the following files and folders if they exist:
!:\system\apps\SymCommander\cwoutcast.exe
!:\system\apps\SymCommander\SymCommander.rsc
!:\system\apps\SymCommander\SymCommander.aif
!:\system\apps\SymCommander\SymCommander.app
c:\system\apps\SymCommander\SymCommander

!:\system\Bootdata\lib\cwoutcast.exe
!:\system\recogs\cwrec.mdl

* ! signifies a user-defined drive (C or E)

Re-install SymCommander from a clean installer if needed.
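Both the "Arrival and Installation" component list and the manual disinfection steps above boil down to the same checklist of paths, with "!" standing for either the C or E drive. The script below is an added example, not code from the original write-up or from any vendor quoted on this page: it expands that checklist and runs it over a file listing to report which indicators are present. It includes both spellings of the recogniser module given on this page (cworec.mdl in the McAfee text, cwrec.mdl in the second description) and also flags any .sis file sitting in the two folders where the page says the worm drops its randomly named copy. The file listing it scans is constructed for the demo.

```python
"""Match a Symbian file listing against the SymbOS/CommWarrior.C paths on this page.

Added example; not vendor code. The listing scanned below is constructed.
"""

# Paths exactly as the page lists them. "!" is a user-selectable drive (C or E).
PAGE_PATHS = [
    r"!:\system\apps\SymCommander\cwoutcast.exe",
    r"!:\system\apps\SymCommander\SymCommander.rsc",
    r"!:\system\apps\SymCommander\SymCommander.aif",
    r"!:\system\apps\SymCommander\SymCommander.app",
    r"c:\system\apps\SymCommander\SymCommander",
    r"!:\system\Bootdata\lib\cwoutcast.exe",
    r"!:\system\recogs\cwrec.mdl",   # spelling in the second description
    r"!:\system\recogs\cworec.mdl",  # spelling in the McAfee description
]

DRIVES = ("c", "e")

# Folders where the page says a randomly named .sis copy of the worm is dropped.
SIS_DROP_DIRS = ("\\system\\apps\\symcommander\\", "\\system\\bootdata\\lib\\")


def expand_paths(paths=PAGE_PATHS, drives=DRIVES):
    """Expand the '!' drive wildcard into one lowercase path per drive."""
    out = set()
    for p in paths:
        if p.startswith("!:"):
            for d in drives:
                out.add((d + p[1:]).lower())
        else:
            out.add(p.lower())
    return out


KNOWN_PATHS = expand_paths()


def normalise(path):
    """Lowercase and unify separators so listings from different tools compare equal."""
    return path.strip().replace("/", "\\").lower()


def classify(path):
    """Return a reason string if the path matches an indicator, else None."""
    p = normalise(path)
    if p in KNOWN_PATHS:
        return "named component"
    # A .sis directly inside one of the drop folders (no deeper subfolder).
    if p.endswith(".sis") and p[1:2] == ":" and p[0] in DRIVES:
        for d in SIS_DROP_DIRS:
            if p[2:].startswith(d) and "\\" not in p[2 + len(d):]:
                return "random-named SIS copy in drop folder"
    return None


def scan_listing(lines):
    """Return [(normalised path, reason)] for every matching line of a listing."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        reason = classify(line)
        if reason:
            hits.append((normalise(line), reason))
    return hits


# Constructed listing: benign paths mixed with components named on the page.
SAMPLE_LISTING = """
c:\\system\\apps\\Phone\\Phone.app
C:\\System\\Apps\\SymCommander\\cwoutcast.exe
c:\\system\\apps\\SymCommander\\SymCommander.app
e:\\system\\Bootdata\\lib\\cwoutcast.exe
e:\\system\\recogs\\cwrec.mdl
c:\\system\\bootdata\\lib\\a7Kq1.sis
c:\\system\\apps\\SymCommander\\SymCommander.rsc
e:\\Images\\holiday.jpg
e:\\others\\game.sis
""".strip().splitlines()

if __name__ == "__main__":
    for path, reason in scan_listing(SAMPLE_LISTING):
        print(f"{reason:40s} {path}")
```

Because the worm keeps copies on both the C drive and the memory card, a listing that only covers one drive will miss half the checklist; feed the scanner the listing from every drive before deciding the device is clean, and remember the page's note that the cached copies are re-created by the boot hook, so the reboot step belongs between the scan and the manual deletion. On the constructed listing the block reports six hits and ignores the three benign entries.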