Home / malware Commwarrior.Q
First posted on 13 September 2006.
Source: SecurityHomeAliases :
Commwarrior.Q is also known as CW3, SymbOS/Commwarrior.Q, CommWarrior worm v3.0.
Explanation :
ommwarrior.Q is a new variant of the Commwarrior worm that is based on Commwarrior.C. Unlike most Commwarrior variants, Commwarrior.Q is a recompiled version that contains new functionality.
Like Commwarrior.C, Commwarrior.Q spreads over bluetooth, MMS messages, and to any memory card that is inserted into the infected phone. Unlike Commwarrior.C, Commwarrior.Q will also search for any SIS files in the phone or memory card and will infect those SIS files with itself.
The SIS files sent by the infected phone have only the Commwarrior executable component. The SIS files are of random size and have a display application name that is taken from an internal list within the Commwarrior executable.
When Commwarrior.Q is active on the phone it will randomly display an HTML page with the phone's web browser.
Commwarrior.Q affects only Symbian Series 60 phones that use Symbian OS version 8.1 or older. This means that the latest model of phones that will be affected is the Nokia N72. Phones using Symbian OS 9.0, such as the Nokia E70 or 3250, will not be affected.
The HTML page contains following text:
Introduction
Surprise! Your phone infected by CommWarrior worm v3.0. Matrix has you, CommWarrior inside. No panic please, is it very interesting to have mobile virus at own phone. This worm does not bring any harm to your phone and your significant data.
About CommWarrior
CommWarrior worm for Nokia Series60 provides automatic real-time protection against harmful Anti-Virus content. CommWarrior is free software and is distributed in the hope that it will be useful, without any warranty.
Thank you for using CommWarrior.
CommWarrior © 2005-2006 by e10d0r
Infection
When the Commwarrior.Q SIS file is installed, it will drop the its executable with a random name, for example 5k8jb1fo.exe, either into C: or to a directory that has a random name such as C:uqxo5dh7xtyc5.
Installation
When the Commwarrior.Q executable is executed it will copy itself to C:SystemLibscw.exe and will create a bootstrap file to C:SystemRecogscw3rec.mdl. If a memory card is present then the same files are created also to the memory card.
Replacing operator logo
Commwarrior.Q creates a bitmap file with the name used by the current operator into C:systemAppsPhoneoplogo
This bitmap file is then shown instead of the operator logo when the phone is on the network.
Generating SIS installation packages to send to other devices
Commwarrior.Q replicates in SIS installation packages over Bluetooth and MMS in same manner as previous variants.
SIS files created by Commwarrior.Q have a random name, for example, anyrah5y.sis or xyr88b0muh7.sis.
A Commwarrior.Q SIS file contains the worm main that has random name and is either in C: or randomly named directory.
SIS files created by Commwarrior.Q have a random size between 32100 and 32200 bytes.
Unlike previous variants of Commwarrior, Commwarrior.Q does not use a static product name that is shown during installation.
Previous variants always showed the same name, thus making them easy to identify. The Commwarrior.Q contains an internal list of
strings that is used to generate random, but plausible looking filenames.
The filenames are composed of three component string arrays that are stored in the main binary in obfuscated form.
The string arrays are:
smart,nokia,symbian,nice,fatal,cool,c00l,virtual,final,safe,
abstract,static,zend,jedi,trend,micro,mega,hard,nice,good,lost
www,web,wap,e-mail,mail,game,graphics,java,hood,sex,max,
audio,memory,RAM,ROM,HDD,WinAmp,jedi,hardware,display,keyboard,key
antivirus,anti-virus,guard,fucker,hacker,cracker,checker,driver,manager,uninstaller,
remover,engine,tool,machine,box,stuff,videoplayer,player,trust,ringtone,
explorer,timer,game,AppMan,recorder,dictaphone,team,images,calculator,objects,documents,clips,docs
Replication over Bluetooth
Comwarrior.Q replicates over Bluetooth in SIS files that have a random name, for example, anyrah5y.sis or xyr88b0muh7.sis.
The SIS file contains the worm main that has a random name and is either in C: or randomly named directory.
The SIS file contains autostart settings that will automatically execute Commwarrior.Q after the SIS file is installed.
When Comwarrior worm is activated it will start looking for other bluetooth devices, and send a copy of itself to each of these phones
targeting several phones at one attempt.
If a target phone goes out of range or rejects file transfer, commwarrior will search for another phone.
The replication mechanism of Comwarrior is different than in Cabir. The Cabir worm locks into one phone as long as it is in range, and
depending on the variant will either look another variant after losing contact or stay locked.
The Comwarrior worm will constantly look for new targets, thus it is able to contact all phones in range.
Replication over MMS
Commwarrior.Q uses three strategies for spreading over MMS messages.
First, when Commwarrior.Q starts, it starts to go through the phone's address book and sends MMS messages to phone numbers that are marked as a mobile phone.
Commwarrior.Q listens on any arriving MMS or SMS messages and replies to those messages with an MMS message containing the Commwarrior.Q SIS file.
The worm also listens for any SMS messages being sent by the user and sends an MMS message to the same number, right after the SMS message.
The texts in MMS messages sent by Commwarrior.Q contain texts that are stored in the phone Messaging Inbox, thus the messages that Commwarrior.Q sends are texts that the receiving user might expect from the sender.
Displaying HTML Page
After Commwarrior.Q has infected the phone it will, after a random delay, create an HTML page that it will display itself to the user using the phone's default browser. The HTML page is created into directory C:systemLibscwinfo.html
Replication to MMC Card
Commwarrior.Q "listens" for any MMC cards to be inserted into the infected phone, and copies itself to the inserted card. The infected card contains both the Commwarrior executable and the bootstrap component, so that if the infected card is inserted into another phone it will also be infected.
Replication by infecting other SIS files
Commwarrior.Q searches the device C: drive and memory cards for SIS installation files, and will infect all SIS files that it finds. The infected SIS files will be wrapped by Commwarrior.Q so that if the user installs the infected SIS file, Commwarrior.Q will install first followed by the original application.
Infected SIS file will retain the orignal product name so that user will not notice that the SIS package is infected with Commwarrior.Q when installing it.Solution :
Kill Commwarrior Process
- Install a third-party file manager. For example FExplorer
- Start FExplorer
- Select and copy any file to clipboard
[UL- ]Navigate file system with navigation button. Press right to enter directory, left to leave directory.
- Select C: and press right, select system and press right
- Select any file from c:\system such as backup.xml
- Select Edit/Copy from menu
- Copy the file to E:\system\temp
- Press left until you are at filesystem selection screen
- Select E: and press right
- Select System and press right, and then temp and press right
- Select Edit/Paste from menu
- Rename the file to noboot
- Select File/Rename from menu
- Rename the copied file to noboot
- Reboot the phone
Last update 13 September 2006
