Worm.SymbOS.Comwar.a

Technical Details

This is the first worm for mobiles phones which is able to propagate via MMS.

It infects telephones running under OS Symbian Series 60.

The executable worm file is packed into a Symbian archive (*.SIS). The archive is approximately 27 - 30KB in size. The name of the file varies: when propagating via Bluetooth, the worm creates a random file name, which will be 8 characters long, e.g. bg82o_s1.sis

Installation

Once launched, the archive will be unpacked to \system\apps\CommWarrior\:

 \system\apps\CommWarrior\commwarrior.exe
 \system\apps\CommWarrior\commrec.mdl

The commwarrior.exe file will then copy both files, and the original archive to \system\updates\:

\system\updates\commwarrior.exe
\system\updates\commrec.mdl
  \system\updates\commw.sis

Propagation

The worm propagates via Bluetooth and MMS.

Once launched, the worm will search for accessible Bluetooth devices and send the infected .SIS archive under a random name to these devices. In order to open the attachment (which will consequently infect the telephone) the user will have to confirm several times that he wishes to receive the file.

The worm also sends itself via MMS to all contacts in the address book. The subject and text of the messages varies:

• Norton AntiVirus Released now for mobile, install it!
• 3DGame 3DGame from me. It is FREE !
• 3DNow! 3DNow!(tm) mobile emulator for *GAMES*.
• Audio driver Live3D driver with polyphonic virtual speakers!
• CheckDisk *FREE* CheckDisk for SymbianOS released!MobiComm
• Desktop manager Official Symbian desctop manager.
• Display driver Real True Color mobile display driver!
• Dr.Web New Dr.Web antivirus for Symbian OS. Try it!
• Free SEX! Free *SEX* software for you!
• Happy Birthday! Happy Birthday! It is present for you!
• Internet Accelerator Internet accelerator, SSL security update #7.
• Internet Cracker It is *EASY* to *CRACK* provider accounts!
• MS-DOS MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!
• MatrixRemover Matrix has you. Remove matrix!
• Nokia ringtoner Nokia RingtoneManager for all models.
• PocketPCemu PocketPC *REAL* emulator for Symbvian OS! Nokia only.
• Porno images Porno images collection with nice viewer!
• PowerSave Inspector Save you battery and *MONEY*!
• Security update #12 Significant security update. See www.symbian.com
• Symbian security update See security news at www.symbian.com
• SymbianOS update OS service pack #1 from Symbian inc.
• Virtual SEX Virtual SEX mobile engine from Russian hackers!
• WWW Cracker Helps to *CRACK* WWW sites like hotmail.com

The worm contains the following text:

CommWarrior v1.0b (c) 2005 by e10d0r
CommWarrior is freeware product. You may freely distribute it in it's original unmodified form.
OTMOP03KAM HET! 

The last line, in Russian, means roughly 'No to stupid people!'